blog.jameswebb.me (Security Program Management, Data Forensics, Incident Response, Penetration Testing)<br />
It's Time For Optimistic InfoSec (published 2014-01-21, updated 2014-02-21)<div class="separator" style="clear: both; text-align: center;">
</div>
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjipksH-CIAJ6ZACustOuex-6rsyxeKgKa__Hu_9B-4iX3xEJz5mEES_plbwa_OId_XiX1qwl0ZQ3DXn8nAGhpqNGhOJdWGhyphenhyphenPw7-XdSOoXVYYvDa2G9tom-cHz-N6Dap0wYokgyknzYrk/s1600/Slide018.JPG" imageanchor="1" style="clear: right; float: right; margin-bottom: 1em; margin-left: 1em;"><img border="0" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjipksH-CIAJ6ZACustOuex-6rsyxeKgKa__Hu_9B-4iX3xEJz5mEES_plbwa_OId_XiX1qwl0ZQ3DXn8nAGhpqNGhOJdWGhyphenhyphenPw7-XdSOoXVYYvDa2G9tom-cHz-N6Dap0wYokgyknzYrk/s1600/Slide018.JPG" height="240" width="320" /></a></div>
<br />
I'll wager that you rarely come across "Information Security" placed in close proximity to the term "Optimistic". In fact, it often seems that these terms are almost <a href="https://books.google.com/ngrams/graph?content=Optimistic+%3D%3ESecurity&year_start=1800&year_end=2000&corpus=15&smoothing=3&share=&direct_url=" target="_blank">magnetically charged to repel one another</a>. While you might see articles about enthusiasm over security budget increases or the effectiveness of some security technology, we rarely witness public optimistic proclamations or "high-five" celebrations in the Information Security community of practice. <br />
<br />
<br />
<h3>
<b><span style="color: #660000;"><u>Some of The Reasons For This Include</u></span></b></h3>
<br />
<b>1. Information Security News Is Invariably Bad</b><br />
The big InfoSec news stories are (always) bad. The <a href="http://www.washingtonpost.com/blogs/worldviews/wp/2014/01/07/2013-was-the-year-of-cybersecurity/" target="_blank">developments and stories from 2013</a> were certainly no exception.<br />
<br />
<b>2. IS Professionals Get Paid To Think Negatively </b><br />
A large part of the job in InfoSec is necessarily anchored to certain patterns of negative thought. We have to make it a habit to consider the worst-case scenarios, how to break things, and ways to subvert good intentions. We are at our best when we are "constructively negative". This isn't a bad thing; it is actually one of our great strengths if we can avoid certain pitfalls (more below).<br />
<br />
<b>3. Pessimism Often Feels "Safe"</b><br />
In a time when there is so much focus on what isn't working right, it takes a good bit of professional courage to go against the grain. If you're optimistic about something and things work out well, that is one thing. If, however, you've expressed optimism and something goes wrong, we tend to view this as a kind of failed professional prognostication.<br />
<br />
<h3>
<b><u><span style="color: #660000;">Reclaiming Optimism</span></u></b></h3>
Of course, InfoSec must remain "constructively negative" in terms of evaluating risks; <u>however,</u> we also have to make sure that the inertia of this habit, along with the barrage of negative news, doesn't bleed over into how we view the professional mission of Information Security. When you tune into some of the InfoSec echo chambers, you often hear a great deal of frustration laced generously with sarcasm about just how bad things are or what someone did wrong. It's understandable that everyone occasionally needs to vent; however, at a time when Information Security has become a central concern for individuals, businesses, and governments alike, we also need to project <b>attitudinal leadership</b> through constructive expressions of what we are doing right, what we are able to improve, and most importantly how we will continue to cultivate <u>realistic</u> balances of risks and opportunities in cyberspace.<br />
<br />
<div style="text-align: right;">
</div>
<table cellpadding="0" cellspacing="0" class="tr-caption-container" style="float: right; text-align: right;"><tbody>
<tr><td style="text-align: center;"><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEic0kHhSnwiCHp1KHqUXNioH-J8UUJm7tmYSDNbwsqNr8d87jnLy0nUpzWn4-LFI61y0iuAeMiFMkecCgdaZrypRLrWtFPKawh-W4NvC-Mw7Mo4CnQA6FdeQso9Ow8Q_7R25yrzYZBRIWo/s1600/optimism.jpg" imageanchor="1" style="clear: right; float: right; margin-bottom: 1em; margin-left: 1em;"><img border="0" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEic0kHhSnwiCHp1KHqUXNioH-J8UUJm7tmYSDNbwsqNr8d87jnLy0nUpzWn4-LFI61y0iuAeMiFMkecCgdaZrypRLrWtFPKawh-W4NvC-Mw7Mo4CnQA6FdeQso9Ow8Q_7R25yrzYZBRIWo/s1600/optimism.jpg" height="254" width="320" /></a><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjYqQYlxjZdKqixYBN18oSq5pAZFUQWX2Hhe-9Wql8xcLg1RauTPkmz-Y5regVCFHbS0yhjAcbur9dQwPVIx22KLPSbB_RiKUYOsngs2hOT0AbOU6i2o29a7oUnRG3Az2S9EgMgYIDjwIg/s1600/hamster.png" imageanchor="1" style="clear: right; margin-bottom: 1em; margin-left: auto; margin-right: auto;"><img border="0" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjYqQYlxjZdKqixYBN18oSq5pAZFUQWX2Hhe-9Wql8xcLg1RauTPkmz-Y5regVCFHbS0yhjAcbur9dQwPVIx22KLPSbB_RiKUYOsngs2hOT0AbOU6i2o29a7oUnRG3Az2S9EgMgYIDjwIg/s1600/hamster.png" height="320" width="277" /></a></td></tr>
<tr><td class="tr-caption" style="text-align: center;"><div style="text-align: left;">
<span style="color: red;"><b> </b></span></div>
</td></tr>
</tbody></table>
Critically, <b>this is not</b> the same as saying that we need to put on <a href="http://www.tripwire.com/state-of-security/risk-based-security-for-executives/risk-management/the-infosec-dunning-kruger-effect-confidence-vs-overconfidence/" target="_blank">rose-colored glasses</a> just to make ourselves feel better. Things are tough; all of our favorite asymmetries are still in play: the rate of complexity increase vs. accurate risk modeling, offensive vs. defensive investment thresholds, threat adaptation vs. defensive evolution.<br />
<br />
The kind of optimism that we need, however, is one that acknowledges these challenges but doesn't hide behind them. This type of attitude represents a forward-looking stance that <u>purposefully</u> seeks opportunities to recognize and support the good things we've done, actively encourages live-wire enthusiasm to seize new opportunities and innovations, and maintains the tenacity needed to stay in the fight to make things better.<br />
<br />
<div style="font-family: 'Helvetica Neue', Helvetica, Arial, sans-serif; font-size: 14px; line-height: 20px; margin-bottom: 10px;">
<h3>
<b><u><span style="color: #660000;">Four Very Important Reasons For IS Optimism</span></u></b></h3>
</div>
If the news from 2013 left you feeling a bit down, here are four significant reasons for considerable optimism:<br />
<br />
<b>1. We Win <u>Every</u> Day</b><br />
For every news story and issue that we encounter, we prevent, detect, and deter truly vast numbers of attacks and proactively find and fix a large number of issues. It is easy to begin to see this as "background noise"; however, if it weren't for good security efforts and practices, this "background noise" would be the din of catastrophe. We are doing good work every day to protect the commonweal.<br />
<br />
<b>2. We Are In It Together</b><br />
There is much more collaboration and information sharing occurring in and among the varied InfoSec communities. There is a <a href="http://blog.jameswebb.me/2012/06/free-infosec-training-resources.html" target="_blank">plethora of reference and training material</a> that folks have freely shared. There are also many folks willing to help one another through the free exchange of ideas and lessons learned.<br />
<br />
<b>3. We are Innovating Like Crazy </b><br />
The amount of security innovation is at an all-time high. If you look at the projects, <a href="http://sectools.org/" target="_blank">free tools</a>, and products on the market, it is amazing how many great ideas are out there. This innovation is not confined to software either; we also have the capacity to innovate new defensive methods, assessment processes, and services that contextualize the way we do security above and beyond mere compliance.<br />
<br />
<b>4. We will not Surrender</b><br />
The folks that I respect in this field all have stories of rough days, weeks, and months, but they have never quit or walked away. Even rough spots are opportunities to learn, adapt, and come back stronger. Security issues may not be going away anytime soon, but on a positive note, neither are those who are truly committed to making things better. Continual learning and persistence are the greatest defensive weapons in our arsenal.<br />
<br />
<b>Ideas/Feedback?</b><br />
What things are you optimistic about in Information Security? What are we doing really well? What opportunities do you see on the horizon in 2014?
<br />Building A Cheap Personal VPN (published 2013-12-23, updated 2014-05-19)<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgar6Mi0jyCti0xsIQgWkQi7N_cNOBbS6w_eV9yCy-ThyphenhyphenqT7vQTBbciUCl33DzmqCUGBEim7ytHbFn6cyFj5KIxmCVdG3_7CuucTEjsPkGyPKDXfVM6XbamjJg_8I1OSjHmGcrHw4_-jwk/s1600/wifi-cafe__475-x-315.jpg" imageanchor="1" style="clear: right; float: right; margin-bottom: 1em; margin-left: 1em;"><img border="0" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgar6Mi0jyCti0xsIQgWkQi7N_cNOBbS6w_eV9yCy-ThyphenhyphenqT7vQTBbciUCl33DzmqCUGBEim7ytHbFn6cyFj5KIxmCVdG3_7CuucTEjsPkGyPKDXfVM6XbamjJg_8I1OSjHmGcrHw4_-jwk/s1600/wifi-cafe__475-x-315.jpg" height="211" width="320" /></a></div>
<span style="font-size: large;"><b><span class="gwt-InlineLabel GGA2BSSBAV"><span style="color: #660000;"><u>Introduction</u></span></span></b></span><br />
This year we've seen individual concerns regarding data privacy expand dramatically. While public interest in this topic has increased, day-to-day computing practices still haven't changed a great deal. Many old habits persist that often put our personal information at risk. One prime example is the use of shared, untrusted wireless connections. Individuals often grow accustomed to indiscriminately connecting to available wireless networks with little foreknowledge of the identity, trustworthiness, or goals of the operators of these services. While it is no surprise that anyone would wish to take advantage of "free" connections, by placing our traffic on untrusted shared networks we open ourselves up to a number of privacy and security issues, including:<br />
<table cellpadding="0" cellspacing="0" class="tr-caption-container" style="float: right; margin-left: 1em; text-align: right;"><tbody>
<tr><td style="text-align: center;"><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEj7MpuqV9VW8Uwa7ut3r3CKg-HfOOQ-4SMa4xF7U0By3ZrBXrpDXAYLfU5kmtbA7mMJbcNKCpJrwMeL_be9G0KopDtV0aPEKDfQuw04Fkkc0f3M-8M8TiovXuYSNtza1PJ4-5I3oCm_h9E/s1600/Sheep.jpg" imageanchor="1" style="clear: right; margin-bottom: 1em; margin-left: auto; margin-right: auto;"><img border="0" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEj7MpuqV9VW8Uwa7ut3r3CKg-HfOOQ-4SMa4xF7U0By3ZrBXrpDXAYLfU5kmtbA7mMJbcNKCpJrwMeL_be9G0KopDtV0aPEKDfQuw04Fkkc0f3M-8M8TiovXuYSNtza1PJ4-5I3oCm_h9E/s1600/Sheep.jpg" height="150" width="200" /></a></td></tr>
<tr><td class="tr-caption" style="text-align: center;">DefCon Wall of Sheep</td></tr>
</tbody></table>
<ul>
<li><b><span style="color: #990000;">Traffic Interception/Redirection</span></b> - When joining an untrusted network, there is a real risk that malicious individuals may intercept your traffic or redirect your requests to mock-up sites meant to capture your credentials. Even if you join a wireless network secured with a static pre-shared key (e.g. at a conference), do not mistake this for a significant security measure: other individuals with access to this key can relatively easily <a href="http://phreaklets.blogspot.com/2013/10/sniffing-wpa2-encrypted-wireless.html" target="_blank">sniff and decrypt traffic</a>.</li>
</ul>
<ul>
<li><span style="color: #990000;"><b>Traffic Analysis / Privacy</b></span> - When you join an untrusted network, you may not be aware of the privacy practices relevant to this connection. What kind of logging is going on via this network? Even when your web traffic is encrypted, are your DNS queries being logged for analysis? What information are you giving away about yourself without your awareness? (An interesting story from earlier this year revealed that even just leaving your mobile Wi-Fi turned on <a href="http://www.forbes.com/sites/petercohan/2013/05/09/how-nordstrom-and-home-depot-use-wifi-to-spy-on-shoppers/">can be used to track your movements and shopping habits in stores</a>.)</li>
</ul>
<ul>
<li><b><span style="color: #990000;">Traffic Filtering and Restrictions </span></b>- Do you have unfettered access to information and sites from the location you are connecting from? Are you restricted to particular kinds of Internet applications on this link? </li>
</ul>
These types of concerns have spurred the growth and popularity of <a href="http://lifehacker.com/5940565/why-you-should-start-using-a-vpn-and-how-to-choose-the-best-one-for-your-needs" target="_blank">commercial personal VPN services</a>. For less than $20 per month, these providers offer you the ability to encrypt and tunnel all your Internet traffic. The merit of these services is that they raise the bar significantly for prying eyes and give you greater control over your online "point of presence" -- the location where your traffic is decrypted and routed to the Internet at large (see diagram below). Whereas in the past VPN services were usually employed only by organizations to provide secure remote access to internal resources, it is now feasible for individuals to employ a personal VPN to enhance the security and privacy of their own network traffic.<br />
<br />
<table align="center" cellpadding="0" cellspacing="0" class="tr-caption-container" style="margin-left: auto; margin-right: auto; text-align: center;"><tbody>
<tr><td style="text-align: center;"><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgQJqHIo6Bjw_KBbpFhpUaAgUZs3BB2N8JE69MKoichUpc1oDuoh0TEJaDG_F06Ted1ew-4kQbzeKptlJ9hc-3FWRZboTtNvq4RuG5VnWm9nSAciULpaX0GUSDoJhS2KfQnNg7IMR7CGJ8/s1600/VPN2.png" imageanchor="1" style="margin-left: auto; margin-right: auto;"><img border="0" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgQJqHIo6Bjw_KBbpFhpUaAgUZs3BB2N8JE69MKoichUpc1oDuoh0TEJaDG_F06Ted1ew-4kQbzeKptlJ9hc-3FWRZboTtNvq4RuG5VnWm9nSAciULpaX0GUSDoJhS2KfQnNg7IMR7CGJ8/s1600/VPN2.png" height="177" width="640" /></a></td></tr>
<tr><td class="tr-caption" style="text-align: center;"><br /></td></tr>
</tbody></table>
Another factor driving the adoption of personal VPNs is the DIY community and low-cost methods for deploying services using cloud computing resources. It is possible, and often less expensive, to set up your own low-cost VPN using <a href="http://openvpn.net/" target="_blank">OpenVPN</a> and <a href="http://aws.amazon.com/ec2/" target="_blank">Amazon EC2</a>. For those with the time, interest, and inclination to test out their own personal VPN, the steps below provide an outline of a basic build.<br />
<br />
<b>*Important Note</b>: These instructions are intended for <u>personal usage</u> on untrusted networks only. For business or organizational systems, you should consult with your IT group to determine what VPN services may be available and approved for authorized use. Using a non-approved VPN within certain networks may be considered a violation of policy as well as an organizational security issue.<br />
<br />
<div>
<b style="font-size: x-large;"><span class="gwt-InlineLabel GGA2BSSBAV"><span style="color: #660000;"><u>Technical Instructions</u></span></span></b><br />
<b style="font-size: x-large;"><span class="gwt-InlineLabel GGA2BSSBAV"><span style="color: #660000;"><br /></span></span></b></div>
<span style="font-size: large;"><b><span class="gwt-InlineLabel GGA2BSSBAV"><span style="color: #660000;">Step #1: Creating An Amazon EC2 Instance </span></span></b></span><br />
For this build, I will use Ubuntu Server 12.04 LTS running on an <a href="http://aws.amazon.com/ec2/" target="_blank">Amazon EC2</a> micro instance that is eligible for the free usage tier.<br />
<br />
If you've never used EC2 before, you will definitely need to familiarize yourself with this platform.<br />
<br />
Amazon has some good getting-started guides here (highly recommended):<br />
<a class="externalLink" href="http://docs.amazonwebservices.com/AWSEC2/latest/GettingStartedGuide/GetStartedLinux.html" style="background-color: white; color: #0044bb; font-family: Verdana, Arial, Helvetica, sans-serif; font-size: 12px; line-height: 16.796875px; text-decoration: none;" target="_blank" title="External link to http://docs.amazonwebservices.com/AWSEC2/latest/GettingStartedGuide/GetStartedLinux.html">http://docs.amazonwebservices.com/AWSEC2/latest/GettingStartedGuide/GetStartedLinux.html</a><br />
<br />
A good youtube video can also be found here:<br />
<div class="separator" style="clear: both; text-align: left;">
<iframe allowfullscreen='allowfullscreen' webkitallowfullscreen='webkitallowfullscreen' mozallowfullscreen='mozallowfullscreen' width='320' height='266' src='https://www.youtube.com/embed/rYJLIfVuSMY?feature=player_embedded' frameborder='0'></iframe></div>
<br />
The basic steps we need to take to bring this Ubuntu instance up are the following:<br />
<ul style="background-color: white; list-style-image: initial; list-style-position: initial; margin: 0.5em 0px 0.5em 0.5em; padding: 0px 2.5em 0px 1.5em;">
<li style="border: none; font-family: Verdana, Arial, Helvetica, sans-serif; font-size: 12px; line-height: 16.796875px; margin: 0px 0px 0.25em; padding: 0.25em 0px;">Select Ubuntu Server 12.04 LTS x64</li>
<li style="border: none; margin: 0px 0px 0.25em; padding: 0.25em 0px;"><b><span style="font-family: Verdana, Arial, Helvetica, sans-serif;"><span style="font-size: 12px; line-height: 16.796875px;">Use Micro Tier (t1.micro, 613MB) for test setup. Eligible for </span></span><a class="externalLink" href="http://aws.amazon.com/free/" style="color: #0044bb; font-family: Verdana, Arial, Helvetica, sans-serif; font-size: 12px; line-height: 16.796875px; text-decoration: none;" target="_blank" title="External link to http://aws.amazon.com/free/">free usage tier</a><span style="font-family: Verdana, Arial, Helvetica, sans-serif;"><span style="font-size: 12px; line-height: 16.796875px;">.</span></span></b></li>
<li style="border: none; font-family: Verdana, Arial, Helvetica, sans-serif; font-size: 12px; line-height: 16.796875px; margin: 0px 0px 0.25em; padding: 0.25em 0px;"><b>Save and Backup Your Key Pair (PEM file). Don't lose this file! You will need to access your EC2 instance.</b></li>
<li style="border: none; font-family: Verdana, Arial, Helvetica, sans-serif; font-size: 12px; line-height: 16.796875px; margin: 0px 0px 0.25em; padding: 0.25em 0px;">Create A Customized Security Group that allows inbound access to SSH (TCP 22) and our custom OpenVPN port (UDP 443).</li>
</ul>
<span class="gwt-InlineLabel GGA2BSSBAV"></span><br />
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEh0gereKVBHi8RdnVMezInYgS1d1KUq2FnXRT8ELLfad25Rd5ZtufCO7ysKwiygeqw8Kz5kky9bMqwRpTWyQTwxiosXSVpuXSkyrKINjQhVZxFgxWLwqMjXOogCLHQAu2jIIOH4lB3K1uI/s1600/2013-12-08-135321_767x96_scrot.png" imageanchor="1" style="clear: left; float: left; margin-bottom: 1em; margin-right: 1em;"><img border="0" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEh0gereKVBHi8RdnVMezInYgS1d1KUq2FnXRT8ELLfad25Rd5ZtufCO7ysKwiygeqw8Kz5kky9bMqwRpTWyQTwxiosXSVpuXSkyrKINjQhVZxFgxWLwqMjXOogCLHQAu2jIIOH4lB3K1uI/s1600/2013-12-08-135321_767x96_scrot.png" height="80" width="640" /></a> <span style="background-color: transparent; color: white; font-family: Arial; font-size: 15px; font-style: normal; font-variant: normal; font-weight: normal; text-decoration: none; vertical-align: baseline;"></span><br />
<span style="background-color: white; font-family: Verdana, Arial, Helvetica, sans-serif; font-size: 12px; line-height: 16.796875px;">After your instance has started, you will need to access it using SSH and the Key file you saved.</span><br />
<div dir="ltr">
<table style="border-collapse: collapse; border: none; width: 624px;"><tbody>
<tr style="height: 71px;"><td style="background-color: black; border: 1px solid rgb(0, 0, 0); padding: 7px; vertical-align: top;"><div dir="ltr" style="margin-bottom: 0pt; margin-top: 0pt;">
<span style="color: #f1c232; font-family: Arial;"><span style="font-size: 15px; line-height: 15px;">chmod 400 example.pem</span></span><br />
<span style="color: #f1c232; font-family: Arial;"><span style="font-size: 15px; line-height: 15px;">ssh -i example.pem ubuntu@ec2-example.compute-1.amazonaws.com</span></span></div>
</td></tr>
</tbody></table>
</div>
<div dir="ltr">
<br /></div>
<br />
<div>
<div style="color: #660000;">
<b><u>Patches and Software Installs</u></b></div>
Once the instance has booted, we need to perform some software updates and installs.<br />
<div style="color: #660000;">
<span style="background-color: transparent; color: black; font-family: Arial; font-size: 15px; font-style: normal; font-variant: normal; font-weight: bold; text-decoration: none; vertical-align: baseline;"></span></div>
</div>
<div dir="ltr">
<table style="border-collapse: collapse; border: none; width: 624px;"><colgroup><col width="*"></col></colgroup><tbody>
<tr style="height: 71px;"><td style="background-color: black; border: 1px solid #000000; padding: 7px 7px 7px 7px; vertical-align: top;"><div dir="ltr" style="line-height: 1; margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: transparent; color: #f1c232; font-family: Arial; font-size: 15px; font-style: normal; font-variant: normal; font-weight: normal; text-decoration: none; vertical-align: baseline;">sudo apt-get update</span></div>
<div dir="ltr" style="line-height: 1; margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: transparent; color: #f1c232; font-family: Arial; font-size: 15px; font-style: normal; font-variant: normal; font-weight: normal; text-decoration: none; vertical-align: baseline;">sudo apt-get upgrade</span></div>
<div dir="ltr" style="line-height: 1; margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: transparent; color: #f1c232; font-family: Arial; font-size: 15px; font-style: normal; font-variant: normal; font-weight: normal; text-decoration: none; vertical-align: baseline;">sudo apt-get install openvpn -y</span><br />
<span style="background-color: transparent; color: #f1c232; font-family: Arial; font-size: 15px; font-style: normal; font-variant: normal; font-weight: normal; text-decoration: none; vertical-align: baseline;">sudo apt-get install dnsmasq -y</span><br />
<span style="background-color: transparent; color: #f1c232; font-family: Arial; font-size: 15px; font-style: normal; font-variant: normal; font-weight: normal; text-decoration: none; vertical-align: baseline;">sudo apt-get install easy-rsa -y</span></div>
</td></tr>
</tbody></table>
</div>
<br />
<span style="background-color: transparent; color: black; font-family: Arial; font-size: 15px; font-style: normal; font-variant: normal; font-weight: normal; text-decoration: none; vertical-align: baseline;"></span><br />
<div style="color: #660000;">
<br /></div>
<div>
<div style="color: #660000;">
<span style="font-size: large;"><b>Step #2: Setting Up A Certificate Authority + Generating Keys</b></span></div>
OpenVPN supports two secure modes of operation: one employs a pre-shared static key (PSK), and the other is based on SSL/TLS using RSA certificates and keys. The PSK method has the benefit of simplicity; however, it is not the most secure method (if anyone intercepts this key, then all traffic could potentially be decrypted). For this reason, we will use the SSL/TLS method.<br />
<div style="color: #660000;">
<span style="font-size: large;"><b><br /></b></span>
</div>
</div>
<span style="background-color: transparent; color: white; font-family: Arial; font-size: 15px; font-style: normal; font-variant: normal; font-weight: normal; text-decoration: none; vertical-align: baseline;"></span><b style="color: #660000;"><u>Copying Configuration Files</u></b><br />
First off, we will want to copy the OpenVPN example files to obtain the scripts we'll need to establish a local certificate authority.<br />
<div dir="ltr">
<table style="border-collapse: collapse; border: none; width: 624px;"><colgroup><col width="*"></col></colgroup><tbody style="color: #f1c232;">
<tr style="height: 1px;"><td style="background-color: black; border: 1px solid #000000; padding: 7px 7px 7px 7px; vertical-align: top;"><div dir="ltr" style="line-height: 1; margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: transparent; font-family: Arial; font-size: 15px; font-style: normal; font-variant: normal; font-weight: normal; text-decoration: none; vertical-align: baseline;">sudo mkdir /etc/openvpn/easy-rsa/ <br class="kix-line-break" />sudo cp -R /usr/share/doc/openvpn/examples/easy-rsa/2.0/* /etc/openvpn/easy-rsa/ </span></div>
<div dir="ltr" style="line-height: 1; margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: transparent; font-family: Arial; font-size: 15px; font-style: normal; font-variant: normal; font-weight: normal; text-decoration: none; vertical-align: baseline;">sudo ln -s /etc/openvpn/easy-rsa/openssl-1.0.0.cnf /etc/openvpn/easy-rsa/openssl.cnf</span></div>
</td></tr>
</tbody></table>
</div>
<br />
<u><b><span style="color: #660000;">Setting Up Variables</span></b></u><br />
Now we will want to set some initial variables that will allow easy-rsa key management scripts to function.<br />
<div dir="ltr">
<table style="border-collapse: collapse; border: none; width: 624px;"><colgroup><col width="*"></col></colgroup><tbody style="color: #f1c232;">
<tr style="height: 1px;"><td style="background-color: black; border: 1px solid rgb(0, 0, 0); padding: 7px; vertical-align: top;"><div dir="ltr" style="line-height: 1; margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: transparent; font-family: Arial; vertical-align: baseline;"><span style="font-family: 'Times New Roman'; font-size: small; line-height: normal;">sudo vi /etc/openvpn/easy-rsa/vars</span></span></div>
</td></tr>
</tbody></table>
</div>
<span style="background-color: transparent; color: black; font-family: Arial; font-size: 15px; font-style: normal; font-variant: normal; font-weight: normal; text-decoration: none; vertical-align: baseline;"></span><br />
Some of the variables that you will want to set and change to establish the CA include the following:<br />
<table style="border-collapse: collapse; border: none; width: 624px;"><colgroup><col width="*"></col></colgroup><tbody>
<tr style="height: 50px;"><td style="background-color: black; border: 1px solid #000000; padding: 7px 7px 7px 7px; vertical-align: top;"><div dir="ltr" style="line-height: 1; margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: transparent; color: #f1c232; font-family: Arial; font-size: 15px; font-style: normal; font-variant: normal; font-weight: normal; text-decoration: none; vertical-align: baseline;">export KEY_SIZE=2048</span></div>
<div dir="ltr" style="line-height: 1; margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: transparent; color: #f1c232; font-family: Arial; font-size: 15px; font-style: normal; font-variant: normal; font-weight: normal; text-decoration: none; vertical-align: baseline;">export KEY_COUNTRY="US"<br />export KEY_PROVINCE="YourProvince"<br />export KEY_CITY="YourCity"<br />export KEY_ORG="YourORG"<br />export KEY_EMAIL="me@myhost.mydomain"<br />export KEY_EMAIL=mail@host.domain<br />export KEY_CN=changeme<br />export KEY_NAME=changeme<br />export KEY_OU=changeme<br />export PKCS11_MODULE_PATH=changeme </span></div>
<div dir="ltr" style="line-height: 1; margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: transparent; color: #f1c232; font-family: Arial; font-size: 15px; font-style: normal; font-variant: normal; font-weight: normal; text-decoration: none; vertical-align: baseline;">export KEY_CONFIG=/etc/openvpn/easy-rsa/openssl-1.0.0.cnf</span></div>
</td></tr>
</tbody></table>
Note that we are using a 2048-bit key for additional paranoia.<br />
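Because every value left in <code>vars</code> is offered as a default DN field for the CA and for every certificate it issues, it is worth linting the file before running <code>./build-ca</code>. The POSIX shell script below is an added example written for this post (it is not part of OpenVPN or easy-rsa): it reads the file with sed/grep instead of sourcing it, applies the same last-export-wins rule that sourcing would, and reports placeholder values, a <code>KEY_SIZE</code> below 2048 and duplicated exports such as the stock double <code>KEY_EMAIL</code>. The sample it writes is a constructed copy of the values shown above.

```shell
#!/bin/sh
# Lint an easy-rsa 2.0 "vars" file before running ./clean-all and ./build-ca.
# Added example for this post (not part of OpenVPN or easy-rsa). It never
# sources the file; it only reads "export NAME=value" lines with sed/grep.

# vars_value FILE NAME: effective value of NAME in FILE. The last export
# wins, exactly as it does when the file is sourced; surrounding quotes
# are stripped.
vars_value() {
    sed -n "s/^[[:space:]]*export[[:space:]][[:space:]]*$2=//p" "$1" \
        | tail -n 1 \
        | sed -e 's/[[:space:]]*$//' -e 's/^"\(.*\)"$/\1/' -e "s/^'\(.*\)'\$/\1/"
}

# vars_count FILE NAME: how many times NAME is exported in FILE.
vars_count() {
    grep -c "^[[:space:]]*export[[:space:]][[:space:]]*$2=" "$1" || true
}

# check_easyrsa_vars FILE: print one finding per line; return the count.
check_easyrsa_vars() {
    file=$1
    findings=0

    # 1. Key size: this post uses 2048 bits; reject anything smaller or unset.
    size=$(vars_value "$file" KEY_SIZE)
    case "$size" in
        ''|*[!0-9]*)
            echo "KEY_SIZE is '${size:-unset}'; set it to 2048"
            findings=$((findings + 1)) ;;
        *)
            if [ "$size" -lt 2048 ]; then
                echo "KEY_SIZE=$size is too small; set it to 2048"
                findings=$((findings + 1))
            fi ;;
    esac

    # 2. Placeholders left in: the stock "changeme" strings, the "Your..."
    #    placeholders and the stock e-mail defaults would all be offered as
    #    DN fields for the CA and for every certificate it issues.
    for name in KEY_COUNTRY KEY_PROVINCE KEY_CITY KEY_ORG KEY_EMAIL KEY_CN KEY_NAME KEY_OU; do
        value=$(vars_value "$file" "$name")
        case "$value" in
            ''|changeme|Your*|me@myhost.mydomain|mail@host.domain)
                echo "$name is '${value:-unset}'; replace the placeholder"
                findings=$((findings + 1)) ;;
        esac
    done

    # 3. Duplicate exports: the stock file defines KEY_EMAIL twice and the
    #    second line silently overrides the first.
    for name in KEY_SIZE KEY_COUNTRY KEY_PROVINCE KEY_CITY KEY_ORG KEY_EMAIL KEY_CN KEY_NAME KEY_OU KEY_CONFIG; do
        n=$(vars_count "$file" "$name")
        if [ "$n" -gt 1 ]; then
            echo "$name is exported $n times; only the last value ('$(vars_value "$file" "$name")') takes effect"
            findings=$((findings + 1))
        fi
    done

    # 4. KEY_CONFIG tells the scripts which openssl config to use.
    if [ -z "$(vars_value "$file" KEY_CONFIG)" ]; then
        echo "KEY_CONFIG is unset; point it at openssl-1.0.0.cnf"
        findings=$((findings + 1))
    fi

    return $findings
}

# write_sample_vars FILE: constructed copy of the values quoted in this post,
# with the stock placeholders left untouched (so the linter has work to do).
write_sample_vars() {
    cat > "$1" <<'EOF'
export KEY_SIZE=2048
export KEY_COUNTRY="US"
export KEY_PROVINCE="YourProvince"
export KEY_CITY="YourCity"
export KEY_ORG="YourORG"
export KEY_EMAIL="me@myhost.mydomain"
export KEY_EMAIL=mail@host.domain
export KEY_CN=changeme
export KEY_NAME=changeme
export KEY_OU=changeme
export PKCS11_MODULE_PATH=changeme
export KEY_CONFIG=/etc/openvpn/easy-rsa/openssl-1.0.0.cnf
EOF
}

# Demonstration: lint the constructed sample (8 findings expected).
sample=$(mktemp)
write_sample_vars "$sample"
check_easyrsa_vars "$sample" || echo "$? finding(s) to fix before running ./build-ca"
rm -f "$sample"
```

To lint your own file instead, call <code>check_easyrsa_vars /etc/openvpn/easy-rsa/vars</code>; a non-zero exit status means something in the list above still needs attention.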
<br />
<span style="color: #660000;"><u><b>Generating the master CA and key (as root)</b></u></span><br />
<div dir="ltr">
<table style="border-collapse: collapse; border: none; width: 624px;"><colgroup><col width="*"></col></colgroup><tbody>
<tr style="height: 0px;"><td style="background-color: black; border: 1px solid rgb(0, 0, 0); padding: 7px; vertical-align: top;"><div dir="ltr" style="line-height: 1; margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: transparent; color: #f1c232; font-family: Arial; font-size: 15px; font-style: normal; font-variant: normal; font-weight: normal; text-decoration: none; vertical-align: baseline;">cd /etc/openvpn/easy-rsa/<br class="kix-line-break" />source vars<br class="kix-line-break" />./clean-all<br class="kix-line-break" />./build-ca</span></div>
</td></tr>
</tbody></table>
</div>
<br />
<span style="color: #660000;"><u><b>Generating Diffie-Hellman parameters for the OpenVPN server (as root)</b></u></span><br />
<div dir="ltr">
<table style="border-collapse: collapse; border: none; width: 624px;"><colgroup><col width="*"></col></colgroup><tbody>
<tr style="height: 0px;"><td style="background-color: black; border: 1px solid rgb(0, 0, 0); padding: 7px; vertical-align: top;"><div dir="ltr" style="line-height: 1; margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: transparent; color: #f1c232; font-family: Arial; font-size: 15px; font-style: normal; font-variant: normal; font-weight: normal; text-decoration: none; vertical-align: baseline;">./build-dh</span></div>
</td></tr>
</tbody></table>
</div>
<br />
<div class="para">
<div class="para">
<span style="color: #660000;"><u><b>Generating Server Certificate</b></u></span></div>
<div class="screen">
<div dir="ltr">
<table style="border-collapse: collapse; border: none; width: 624px;"><colgroup><col width="*"></col></colgroup><tbody>
<tr style="height: 0px;"><td style="background-color: black; border: 1px solid rgb(0, 0, 0); padding: 7px; vertical-align: top;"><div dir="ltr" style="margin-bottom: 0pt; margin-top: 0pt;">
<span style="color: #f1c232; font-family: Arial;"><span style="font-size: 15px; line-height: 15px;">./build-key-server myservername</span></span></div>
</td></tr>
</tbody></table>
</div>
</div>
<span style="color: #660000;"><u><b><br /></b></u></span>
<span style="color: #660000;"><u><b>Copying certificates and keys to /etc/openvpn/</b></u></span></div>
<div class="screen">
<div dir="ltr">
<table style="border-collapse: collapse; border: none; width: 624px;"><colgroup><col width="*"></col></colgroup><tbody>
<tr style="height: 0px;"><td style="background-color: black; border: 1px solid #000000; padding: 7px 7px 7px 7px; vertical-align: top;"><div dir="ltr" style="line-height: 1; margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: transparent; color: #f1c232; font-family: Arial; font-size: 15px; font-style: normal; font-variant: normal; font-weight: normal; text-decoration: none; vertical-align: baseline;">cd /etc/openvpn/easy-rsa/keys/ </span></div>
<div dir="ltr" style="line-height: 1; margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: transparent; color: #f1c232; font-family: Arial; font-size: 15px; font-style: normal; font-variant: normal; font-weight: normal; text-decoration: none; vertical-align: baseline;">cp ca.crt myservername.key myservername.crt dh2048.pem /etc/openvpn/</span></div>
</td></tr>
</tbody></table>
</div>
<br />
<div class="para">
<span style="color: #660000;"><u><b>Generating Client Key-Pairs</b></u></span></div>
<div class="screen">
<div dir="ltr">
<table style="border-collapse: collapse; border: none; width: 624px;"><colgroup><col width="*"></col></colgroup><tbody>
<tr style="height: 0px;"><td style="background-color: black; border: 1px solid rgb(0, 0, 0); padding: 7px; vertical-align: top;"><div dir="ltr" style="margin-bottom: 0pt; margin-top: 0pt;">
<span style="color: #f1c232; font-family: Arial;"><span style="font-size: 15px; line-height: 15px;">./build-key client1</span></span></div>
<div dir="ltr" style="margin-bottom: 0pt; margin-top: 0pt;">
<span style="color: #f1c232; font-family: Arial;"><span style="font-size: 15px; line-height: 15px;">./build-key client2</span></span></div>
</td></tr>
</tbody></table>
</div>
</div>
<br />
<br />
At the end of this step you should have several files in /etc/openvpn. Here is a breakdown of what these files are.<br />
<div class="separator" style="clear: both; text-align: left;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEh1NqIxWW3gkJTcg8qGabszfLBViPY0_6IA9DqagEszKok-2Z9PFzU23JKj1xtt3TzflUJK9V0C_hQe70sT8uqa-5wHlXTUtBU7DJ4RIQ2_lD3OXD6Xr5UAR39Ss81ioEHxt_eiORudyko/s1600/screencap.tiff" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEh1NqIxWW3gkJTcg8qGabszfLBViPY0_6IA9DqagEszKok-2Z9PFzU23JKj1xtt3TzflUJK9V0C_hQe70sT8uqa-5wHlXTUtBU7DJ4RIQ2_lD3OXD6Xr5UAR39Ss81ioEHxt_eiORudyko/s1600/screencap.tiff" height="297" width="400" /></a></div>
<br />
<br /></div>
<div style="color: #660000;">
<span style="font-family: inherit; font-size: large;"><span id="docs-internal-guid-634fb31c-d40d-df37-dc16-10346aad6638" style="background-color: transparent; color: white; font-style: normal; font-variant: normal; font-weight: normal; text-decoration: none; vertical-align: baseline;"></span><b>Step #3: Creating OpenVPN Server Config</b></span><br />
<span style="color: black;">Here is a fairly standard server config, stored as /etc/openvpn/server.conf. The ca, cert, key and dh lines name the files copied into /etc/openvpn in the previous step.</span><span style="color: black;"> </span></div>
<br />
<table style="border-collapse: collapse; border: none; width: 624px;"><colgroup><col width="*"></col></colgroup><tbody>
<tr style="height: 0px;"><td style="background-color: black; border: 1px solid #000000; padding: 7px 7px 7px 7px; vertical-align: top;"><div dir="ltr" style="margin-bottom: 0pt; margin-top: 0pt;">
<span style="font-family: Arial;"><span style="color: #f1c232; font-size: 15px; line-height: 15px;">port 443</span></span><br />
<span style="color: #f1c232; font-family: Arial; font-size: 15px; line-height: 15px;">proto udp</span><br />
<span style="color: #f1c232; font-family: Arial; font-size: 15px; line-height: 15px;">dev tun</span><br />
<span style="color: #f1c232; font-family: Arial; font-size: 15px; line-height: 15px;">ca ca.crt</span><br />
<span style="font-family: Arial;"><span style="color: #f1c232; font-size: 15px; line-height: 15px;">cert myservername.crt</span></span><br />
<span style="color: #f1c232; font-family: Arial; font-size: 15px; line-height: 15px;">key myservername.key</span><br />
<span style="color: #f1c232; font-family: Arial; font-size: 15px; line-height: 15px;">dh dh2048.pem</span><br />
<span style="color: #f1c232; font-family: Arial; font-size: 15px; line-height: 15px;">server 10.8.0.0 255.255.255.0</span><br />
<span style="color: #f1c232; font-family: Arial; font-size: 15px; line-height: 15px;">ifconfig-pool-persist ipp.txt</span><br />
<span style="color: #f1c232; font-family: Arial; font-size: 15px; line-height: 15px;">push "redirect-gateway def1 bypass-dhcp"</span><br />
<span style="color: #f1c232; font-family: Arial; font-size: 15px; line-height: 15px;">push "dhcp-option DNS 10.8.0.1"</span><br />
<span style="color: #f1c232; font-family: Arial; font-size: 15px; line-height: 15px;">keepalive 10 120</span><br />
<span style="color: #f1c232; font-family: Arial; font-size: 15px; line-height: 15px;">comp-lzo</span><br />
<span style="color: #f1c232; font-family: Arial; font-size: 15px; line-height: 15px;">persist-key</span><br />
<span style="font-family: Arial;"><span style="color: #f1c232; font-size: 15px; line-height: 15px;">persist-tun</span></span><br />
<span style="color: #f1c232; font-family: Arial; font-size: 15px; line-height: 15px;">status openvpn-status.log</span><br />
<span style="color: #f1c232; font-family: Arial; font-size: 15px; line-height: 15px;">verb 3</span></div>
</td></tr>
</tbody></table>
Note the push directives: redirect-gateway def1 routes all of the client's traffic through the VPN (def1 overrides the client's default route without deleting it, and bypass-dhcp keeps the client's DHCP traffic on its local network), while dhcp-option DNS 10.8.0.1 moves DNS resolution onto the VPN server, where dnsmasq will answer (Step #5). Without the key directive, which names the server's private key, OpenVPN refuses to start.<br />
<b style="color: #660000; font-size: x-large;"><br /></b>
<b style="color: #660000;"><span style="font-family: inherit; font-size: large;">Step #4: Enabling NAT Forwarding</span></b><br />
To route Internet traffic for connecting clients we need a basic NAT firewall config. We'll apply it by hand first (as root) and then drop the same rules into /etc/rc.local for quick-and-dirty persistence, since neither sysctl -w nor iptables changes survive a reboot on their own. Replace eth0 with the instance's outbound interface if it is named differently.<br />
<br />
<div dir="ltr">
<table style="border-collapse: collapse; border: none; width: 624px;"><colgroup><col width="*"></col></colgroup><tbody>
<tr style="height: 0px;"><td style="background-color: black; border: 1px solid #000000; padding: 7px 7px 7px 7px; vertical-align: top;"><div dir="ltr" style="line-height: 1; margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: transparent; color: #f1c232; font-family: Arial; font-size: 15px; font-style: normal; font-variant: normal; font-weight: normal; text-decoration: none; vertical-align: baseline;">sysctl -w net.ipv4.ip_forward=1</span></div>
<div dir="ltr" style="margin-bottom: 0pt; margin-top: 0pt;">
<span style="color: #f1c232;"><span style="font-family: Arial;"><span style="font-size: 15px; line-height: 15px;"><br /></span></span>
<span style="font-family: Arial;"><span style="font-size: 15px; line-height: 15px;">#OPENVPN Forwarding</span></span></span><br />
<span style="font-family: Arial;"><span style="color: #f1c232; font-size: 15px; line-height: 15px;">iptables -A FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT</span></span><br />
<span style="font-family: Arial;"><span style="color: #f1c232; font-size: 15px; line-height: 15px;">iptables -A FORWARD -s 10.8.0.0/24 -j ACCEPT</span></span><br />
<span style="font-family: Arial;"><span style="color: #f1c232; font-size: 15px; line-height: 15px;">iptables -A FORWARD -j REJECT</span></span><br />
<span style="font-family: Arial;"><span style="color: #f1c232; font-size: 15px; line-height: 15px;">iptables -t nat -A POSTROUTING -s 10.8.0.0/24 -o eth0 -j MASQUERADE</span></span></div>
</td></tr>
</tbody></table>
</div>
<br />
<br />
<b style="color: #660000;"><span style="font-family: inherit; font-size: large;">Step #5: DNSMasq Setup</span></b><br />
<b id="docs-internal-guid-3174d64d-d4a3-7528-cd0e-9a275cd570da" style="font-weight: normal;">We will set up <a href="http://www.thekelleys.org.uk/dnsmasq/doc.html" target="_blank">DNSMasq</a> to answer VPN clients' DNS queries locally and speed them up via caching. Limiting listen-address to 127.0.0.1 and the tunnel address 10.8.0.1 (together with bind-interfaces) keeps dnsmasq off the instance's public interface, so it cannot be abused as an open resolver.</b><br />
<b style="font-weight: normal;"><br /></b>
<b>/etc/dnsmasq.conf</b><br />
<div dir="ltr">
<table style="border-collapse: collapse; border: none; width: 624px;"><colgroup><col width="*"></col></colgroup><tbody>
<tr style="height: 0px;"><td style="background-color: black; border: 1px solid rgb(0, 0, 0); padding: 7px; vertical-align: top;"><div dir="ltr" style="margin-bottom: 0pt; margin-top: 0pt;">
<span style="font-family: Arial;"><span style="color: #f1c232; font-size: 15px; line-height: 15px;">listen-address=127.0.0.1,10.8.0.1</span></span><br />
<span style="font-family: Arial;"><span style="color: #f1c232; font-size: 15px; line-height: 15px;">bind-interfaces</span></span></div>
</td></tr>
</tbody></table>
</div>
<div dir="ltr" style="line-height: 1.15; margin-bottom: 0pt; margin-top: 0pt;">
<br />
<b style="color: #660000; line-height: normal;"><span style="font-family: inherit; font-size: large;">Step #6: Setting RC.LOCAL Boot Options</span></b><br />
<span id="docs-internal-guid-3174d64d-d4a3-7528-cd0e-9a275cd570da" style="line-height: normal;">Some quick and dirty lines in /etc/rc.local to bring NAT up and start dnsmasq. dnsmasq is started last, once OpenVPN has brought up the tun interface: with bind-interfaces it cannot bind 10.8.0.1 before that interface exists.</span><br />
<div dir="ltr" style="line-height: normal;">
<table style="border-collapse: collapse; border: none; width: 624px;"><tbody>
<tr style="height: 0px;"><td style="background-color: black; border: 1px solid rgb(0, 0, 0); padding: 7px; vertical-align: top;"><div dir="ltr" style="margin-bottom: 0pt; margin-top: 0pt;">
<span style="color: #f1c232; font-family: Arial; font-size: 15px; line-height: 15px;">#OPENVPN Forwarding</span><br />
<span style="color: #f1c232; font-family: Arial; font-size: 15px; line-height: 15px;">sysctl -w net.ipv4.ip_forward=1</span><br />
<span style="font-family: Arial;"><span style="color: #f1c232; font-size: 15px; line-height: 15px;">iptables -A FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT</span></span><br />
<span style="font-family: Arial;"><span style="color: #f1c232; font-size: 15px; line-height: 15px;">iptables -A FORWARD -s 10.8.0.0/24 -j ACCEPT</span></span><br />
<span style="font-family: Arial;"><span style="color: #f1c232; font-size: 15px; line-height: 15px;">iptables -A FORWARD -j REJECT</span></span><br />
<span style="font-family: Arial;"><span style="color: #f1c232; font-size: 15px; line-height: 15px;">iptables -t nat -A POSTROUTING -s 10.8.0.0/24 -o eth0 -j MASQUERADE</span></span><br />
<span style="color: #f1c232;"><span style="font-family: Arial;"><span style="font-size: 15px; line-height: 15px;"><br /></span></span>
<span style="font-family: Arial;"><span style="font-size: 15px; line-height: 15px;">#START DNSMASQ</span></span></span><br />
<span style="font-family: Arial;"><span style="color: #f1c232; font-size: 15px; line-height: 15px;">/etc/init.d/dnsmasq start</span></span></div>
</td></tr>
</tbody></table>
</div>
</div>
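Because rc.local uses -A, these rules are appended behind whatever is already in the FORWARD chain. If an earlier firewall script left a catch-all REJECT or DROP there, the ACCEPT for 10.8.0.0/24 lands behind it and never matches, and clients get no Internet even though everything looks configured. The Python below is an added example, not code from this post, OpenVPN or iptables: it parses iptables-save output and the ip_forward sysctl value and reports a disabled forwarder, an unreachable ACCEPT, or a missing MASQUERADE. The two rule sets inside it are constructed; on the server you would feed it the output of iptables-save and sysctl -n net.ipv4.ip_forward.<br />

```python
"""Audit the forwarding/NAT state the rc.local lines above are meant to produce.

Added example for this post, not OpenVPN or iptables project code. It parses
iptables-save output (constructed below) instead of calling iptables, so it
runs anywhere; on the VPN host feed it the real output.
"""
import shlex


def parse_iptables_save(text):
    """Return {table: {chain: [rule, ...]}}; each rule maps option -> [values]."""
    tables, table = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("*"):                 # table header, e.g. *filter
            table = line[1:]
            tables.setdefault(table, {})
        elif line.startswith(":") and table:     # chain policy line, e.g. :FORWARD ACCEPT [0:0]
            tables[table].setdefault(line[1:].split()[0], [])
        elif line.startswith("-A ") and table:   # appended rule
            toks = shlex.split(line)
            chain, rule, key = toks[1], {}, None
            for tok in toks[2:]:
                if tok.startswith("-"):
                    key = tok
                    rule[key] = []
                elif key is not None:
                    rule[key].append(tok)
            tables[table].setdefault(chain, []).append(rule)
    return tables


def is_catch_all_reject(rule):
    """True for a rule that rejects/drops everything (target only, no match options)."""
    return rule.get("-j", [None])[0] in ("REJECT", "DROP") and set(rule) <= {"-j", "--reject-with"}


def audit_forwarding(save_text, ip_forward, subnet="10.8.0.0/24", out_if="eth0"):
    """Problems with the NAT gateway setup; an empty list means it looks right."""
    problems = []
    if ip_forward.strip() != "1":
        problems.append("net.ipv4.ip_forward is not 1")
    tables = parse_iptables_save(save_text)
    fwd = tables.get("filter", {}).get("FORWARD", [])
    accept_at = next((i for i, r in enumerate(fwd)
                      if r.get("-s") == [subnet] and r.get("-j") == ["ACCEPT"]), None)
    reject_at = next((i for i, r in enumerate(fwd) if is_catch_all_reject(r)), None)
    if accept_at is None:
        problems.append(f"FORWARD has no ACCEPT for {subnet}")
    elif reject_at is not None and reject_at < accept_at:
        # -A appends, so rules added after an existing catch-all are dead.
        problems.append(f"ACCEPT for {subnet} sits behind a catch-all "
                        f"{fwd[reject_at]['-j'][0]} in FORWARD and never matches")
    nat = tables.get("nat", {}).get("POSTROUTING", [])
    if not any(r.get("-s") == [subnet] and r.get("-o") == [out_if]
               and r.get("-j") == ["MASQUERADE"] for r in nat):
        problems.append(f"no MASQUERADE for {subnet} out of {out_if}")
    return problems


# Constructed iptables-save output after a clean boot with only the rc.local rules.
GOOD_SAVE = """\
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -s 10.8.0.0/24 -j ACCEPT
-A FORWARD -j REJECT --reject-with icmp-port-unreachable
COMMIT
*nat
:PREROUTING ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
-A POSTROUTING -s 10.8.0.0/24 -o eth0 -j MASQUERADE
COMMIT
"""
# Constructed: an earlier firewall script already left a catch-all REJECT, the
# rc.local rules were appended behind it, and the nat rule is missing.
BAD_SAVE = """\
*filter
:FORWARD DROP [0:0]
-A FORWARD -j REJECT --reject-with icmp-port-unreachable
-A FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -s 10.8.0.0/24 -j ACCEPT
-A FORWARD -j REJECT --reject-with icmp-port-unreachable
COMMIT
*nat
:POSTROUTING ACCEPT [0:0]
COMMIT
"""

if __name__ == "__main__":
    # On the host: audit_forwarding(<iptables-save output>, <sysctl -n net.ipv4.ip_forward output>)
    print(audit_forwarding(GOOD_SAVE, "1") or "forwarding looks right")
    for problem in audit_forwarding(BAD_SAVE, "0"):
        print("problem:", problem)
```

If the audit reports the ACCEPT as unreachable, insert the VPN rules at the head of the chain with -I FORWARD 1 instead of -A, or flush the chain before re-adding them.<br />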
<br />
<div dir="ltr" style="line-height: 1.15; margin-bottom: 0pt; margin-top: 0pt;">
<b style="color: #660000; line-height: normal;"><span style="font-family: inherit; font-size: large;">Step #7: Client Setup </span></b><br />
<br />
<div class="para">
<span style="color: #660000;"><u><b>Archiving + Downloading Client Key-Pairs</b></u></span><br />
<span id="docs-internal-guid-3174d64d-d4a3-7528-cd0e-9a275cd570da" style="line-height: normal;">To set up our client we need the CA certificate, the client certificate, the client's private key, an OpenVPN client configuration, and OpenVPN client software. First we tarball the client files and download the archive via sftp. client1.key is a private key: move it only over an authenticated channel such as sftp, and delete the tarball from the server once it is on the client.</span></div>
<div class="screen">
<div dir="ltr">
<table style="border-collapse: collapse; border: none; width: 624px;"><colgroup><col width="*"></col></colgroup><tbody style="font-family: inherit;">
<tr style="height: 0px;"><td style="background-color: black; border: 1px solid rgb(0, 0, 0); padding: 7px; vertical-align: top;"><div dir="ltr" style="margin-bottom: 0pt; margin-top: 0pt;">
<div style="font-family: inherit;">
<span style="background-color: transparent; color: #f1c232; font-size: small; font-style: normal; font-variant: normal; font-weight: normal; text-decoration: none; vertical-align: baseline;">cd /etc/openvpn/easy-rsa/keys/ </span><span style="color: #f1c232; font-size: small;"><span style="line-height: 15px;"><br /></span></span></div>
<span style="color: #f1c232; font-family: inherit; font-size: small;">tar cvzf ~ubuntu/client1.tgz ca.crt client1.crt client1.key</span><span style="font-size: x-small;"><span id="docs-internal-guid-3c5f473e-f1e5-6328-7860-a1c3d7c04112" style="background-color: transparent; color: black; font-style: normal; font-variant: normal; font-weight: normal; text-decoration: none; vertical-align: baseline;"></span></span></div>
</td></tr>
</tbody></table>
</div>
</div>
</div>
<div dir="ltr" style="line-height: 1.15; margin-bottom: 0pt; margin-top: 0pt;">
<br />
<span style="color: #660000;"><u><b>Basic Client Configuration</b></u></span><br />
<span id="docs-internal-guid-3174d64d-d4a3-7528-cd0e-9a275cd570da" style="line-height: normal;">In addition to downloading this tar file, we also need a basic client config like the one below.</span><br />
<div class="screen">
<div dir="ltr">
<table style="border-collapse: collapse; border: none; width: 624px;"><colgroup><col width="*"></col></colgroup><tbody style="font-family: inherit;">
<tr style="height: 0px;"><td style="background-color: black; border: 1px solid rgb(0, 0, 0); padding: 7px; vertical-align: top;"><div dir="ltr" style="margin-bottom: 0pt; margin-top: 0pt;">
<span style="color: #f1c232;"><span style="font-size: small;">client</span></span></div>
<div dir="ltr" style="margin-bottom: 0pt; margin-top: 0pt;">
<span style="color: #f1c232;"><span style="font-size: small;">dev tun<br />proto udp</span></span></div>
<div dir="ltr" style="margin-bottom: 0pt; margin-top: 0pt;">
<span style="color: #f1c232; font-family: inherit; font-size: small;">remote</span><span style="color: #f1c232; font-family: Arial; font-size: small;"><span style="line-height: 15px;"> ec2-example.compute-1.amazonaws.com</span></span><span style="color: #f1c232;"><span style="font-size: small;"><span style="font-family: inherit;"> 443</span><br />resolv-retry infinite</span></span></div>
<div dir="ltr" style="margin-bottom: 0pt; margin-top: 0pt;">
<span style="color: #f1c232;"><span style="font-size: small;">nobind<br />persist-key<br />persist-tun</span></span></div>
<div dir="ltr" style="margin-bottom: 0pt; margin-top: 0pt;">
<span style="color: #f1c232;"><span style="font-size: small;">ca ca.crt<br />cert client1.crt<br />key client1.key</span></span></div>
<div dir="ltr" style="margin-bottom: 0pt; margin-top: 0pt;">
<span style="color: #f1c232;"><span style="font-size: small;">ns-cert-type server</span></span><br />
<span style="color: #f1c232; font-family: inherit; line-height: 1.15;">comp-lzo</span></div>
<div dir="ltr" style="margin-bottom: 0pt; margin-top: 0pt;">
<span style="color: #f1c232;"><span style="font-size: small;">verb 3</span></span><span style="color: #f1c232; font-family: inherit; font-size: small;"></span><span style="font-size: x-small;"><span id="docs-internal-guid-3c5f473e-f1e5-6328-7860-a1c3d7c04112" style="background-color: transparent; color: black; font-style: normal; font-variant: normal; font-weight: normal; text-decoration: none; vertical-align: baseline;"></span></span> </div>
</td></tr>
</tbody></table>
</div>
</div>
The ns-cert-type server line makes the client reject any peer whose certificate was not issued with build-key-server, so a leaked client certificate and key cannot be used to impersonate the server. Newer OpenVPN releases replace this directive with remote-cert-tls server.<br />
<br />
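A mismatch between server.conf (Step #3) and the client config above is the usual reason a tunnel never comes up: proto, port, dev and comp-lzo must agree on both sides, the server must name all of ca, cert, key and dh, and the pushed DNS address must lie inside the tunnel subnet. The Python below is an added example, not part of this post or of OpenVPN; it parses both files' directive-per-line format with the standard library and reports those problems. The configs embedded in it are constructed copies of the ones above, trimmed to the directives being checked; the "broken" variant deliberately drops the key directive and mangles the netmask to show what the lint catches.<br />

```python
"""Lint an OpenVPN server.conf and check a client config against it.
Added example for this post (not OpenVPN project code); standard library only."""
import ipaddress
import shlex

SERVER_REQUIRED = ("ca", "cert", "key", "dh", "server")

def parse_ovpn(text):
    """[(directive, [args]), ...] in file order; skips blanks and # / ; comments.
    Quoting is honoured: push "dhcp-option DNS 10.8.0.1" -> ("push", ["dhcp-option DNS 10.8.0.1"])."""
    out = []
    for raw in text.splitlines():
        line = raw.strip()
        if line and line[0] not in "#;":
            parts = shlex.split(line)
            out.append((parts[0], parts[1:]))
    return out

def first(directives, name):
    """Args of the first `name` directive, or None if it is absent."""
    return next((args for d, args in directives if d == name), None)

def lint_server(text):
    """Problems in a server config; an empty list means it passed."""
    d = parse_ovpn(text)
    problems = [f"missing required directive: {n}" for n in SERVER_REQUIRED if first(d, n) is None]
    net, srv = None, first(d, "server")
    if srv is not None:
        try:
            if len(srv) != 2:
                raise ValueError("server needs a network and a netmask")
            net = ipaddress.IPv4Network(f"{srv[0]}/{srv[1]}")  # rejects e.g. 255.255.255.0ls
        except ValueError:
            problems.append(f"malformed server line: {' '.join(srv)}")
    for name, args in d:  # a pushed DNS server must be reachable through the tunnel
        words = args[0].split() if name == "push" and args else []
        if net is not None and len(words) == 3 and words[:2] == ["dhcp-option", "DNS"]:
            try:
                inside = ipaddress.IPv4Address(words[2]) in net
            except ValueError:
                inside = False
            if not inside:
                problems.append(f"pushed DNS {words[2]} is not inside {net}")
    return problems

def check_client(client_text, server_text):
    """Mismatches between a client config and the server it will dial."""
    c, s = parse_ovpn(client_text), parse_ovpn(server_text)
    problems = []
    for name in ("proto", "dev"):
        if first(c, name) != first(s, name):
            problems.append(f"{name} mismatch: client {first(c, name)} vs server {first(s, name)}")
    server_port = (first(s, "port") or ["1194"])[0]  # 1194 is OpenVPN's default
    remote = first(c, "remote")
    if remote is None:
        problems.append("client has no remote directive")
    else:
        client_port = remote[1] if len(remote) > 1 else "1194"
        if client_port != server_port:
            problems.append(f"port mismatch: client dials {client_port}, server listens on {server_port}")
    if (first(c, "comp-lzo") is None) != (first(s, "comp-lzo") is None):
        problems.append("comp-lzo enabled on only one side")
    if first(c, "ns-cert-type") is None and first(c, "remote-cert-tls") is None:
        problems.append("client does not verify the server certificate type")
    return problems

# Constructed samples mirroring the configs in this post (trimmed to the directives checked).
SERVER_CONF = """\
port 443
proto udp
dev tun
ca ca.crt
cert myservername.crt
key myservername.key
dh dh2048.pem
server 10.8.0.0 255.255.255.0
push "redirect-gateway def1 bypass-dhcp"
push "dhcp-option DNS 10.8.0.1"
comp-lzo
"""
# Deliberately broken copy: no key directive and a stray "ls" on the netmask.
BROKEN_SERVER_CONF = (SERVER_CONF.replace("key myservername.key\n", "")
                      .replace("255.255.255.0", "255.255.255.0ls"))
CLIENT_CONF = """\
client
dev tun
proto udp
remote ec2-example.compute-1.amazonaws.com 443
ca ca.crt
cert client1.crt
key client1.key
ns-cert-type server
comp-lzo
"""

if __name__ == "__main__":
    print("server.conf:", lint_server(SERVER_CONF) or "OK")
    print("broken server.conf:", lint_server(BROKEN_SERVER_CONF))
    print("client1 vs server:", check_client(CLIENT_CONF, SERVER_CONF) or "OK")
```

Run it against the real files with lint_server(open('/etc/openvpn/server.conf').read()) and check_client(...) before copying a client bundle off the server. The certificate-type check also accepts remote-cert-tls, the directive that replaces ns-cert-type in newer OpenVPN releases.<br />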
<u style="color: #660000;"><b>Configuring Client Software</b></u><br />
In general, to configure a client, extract the files from the tarball you downloaded and place them, together with the client configuration (see above), in one folder. The last step is to <b>import or load</b> the <b>client configuration file</b>. Note that some clients look for a file with a .ovpn extension on import; this is simply the flat text configuration file shown above, renamed.<br />
<table cellpadding="0" cellspacing="0" class="tr-caption-container" style="float: left; margin-right: 1em; text-align: left;"><tbody>
<tr><td style="text-align: center;"><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEibUAhPGf09exTkt5uO4jPO3Vnnyv4GtiAy-d2YtRgG8rQCi8Fayx47KuAgKCB2rPWeTSkD7jrCz8yzTMt8As0IONWBU5ygx_ZPY0XRy_ndFsZCInjOuP-bd_Kvbi04nEgMU7noNM4dU24/s1600/Screenshot_2013-06-14-11-17-29.png" imageanchor="1" style="clear: left; margin-bottom: 1em; margin-left: auto; margin-right: auto;"><img border="0" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEibUAhPGf09exTkt5uO4jPO3Vnnyv4GtiAy-d2YtRgG8rQCi8Fayx47KuAgKCB2rPWeTSkD7jrCz8yzTMt8As0IONWBU5ygx_ZPY0XRy_ndFsZCInjOuP-bd_Kvbi04nEgMU7noNM4dU24/s1600/Screenshot_2013-06-14-11-17-29.png" height="320" width="180" /></a></td></tr>
<tr><td class="tr-caption" style="text-align: center;">OpenVPN Connect on Android</td></tr>
</tbody></table>
<br />
Keep in mind that each new client needs its own key pair (see the client key-pair section above). Don't copy client1's files to a second device: the server config above does not set duplicate-cn, so a second connection with the same certificate knocks the first one off.<br />
<br />
Some popular OpenVPN client software includes:<br />
<br />
<a href="http://openvpn.se/index.html" target="_blank">OpenVPN GUI for Windows</a><br />
<br />
<a href="https://code.google.com/p/tunnelblick/" target="_blank">Tunnelblick OpenVPN GUI for OS X</a><br />
<br />
<a href="https://play.google.com/store/apps/details?id=net.openvpn.openvpn&hl=en" target="_blank">OpenVPN Connect for Android</a><br />
<br />
<a href="https://itunes.apple.com/app/openvpn-connect/id590379981" target="_blank">OpenVPN Connect for iOS</a><br />
<br />
Troubleshooting: Most client software will give you a status indicator concerning whether your VPN tunnel is established. However you can also test this by pinging the remote tunnel interface on the OpenVPN server at 10.8.0.1.<br />
<div>
<b style="color: #660000; line-height: normal;"><span style="font-family: inherit; font-size: large;"><u>Ideas/Further Reading</u></span></b><br />
<br />
<a href="http://lifehacker.com/5940565/why-you-should-start-using-a-vpn-and-how-to-choose-the-best-one-for-your-needs" target="_blank">LifeHacker - Why You Should Start Using a VPN</a><br />
<br />
<a href="http://www.howtogeek.com/178696/why-using-a-public-wi-fi-network-can-be-dangerous-even-when-accessing-encrypted-websites/">HowToGeek - Why Using Public-WIFI Networks Can Be Dangerous</a><br />
<br />
<a href="http://openvpn.net/index.php/open-source/documentation/howto.html" target="_blank">OpenVPN Official F.A.Q</a></div>
</div>
<div>
</div>
<span style="background-color: transparent; color: black; font-family: Arial; font-size: 15px; font-style: normal; font-variant: normal; font-weight: normal; text-decoration: none; vertical-align: baseline;"></span>Unknownnoreply@blogger.com0tag:blogger.com,1999:blog-114124230733856093.post-88591393166745482642013-09-12T09:29:00.005-07:002013-09-13T05:31:04.347-07:0010 Useful Firefox Plugins For Pen-Testing<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEh7s8XYuKRNJ52Bo2oKaYIPQMSG-FdRgKoQxGuz1ND6wu_XpTu1EpQM6zLk6eb9Ck1Wqa1JjAQKew_FZCRNmh72GfQmWx6iASlWDJDah1TsUJO7LQL-wOZDaRIAXbIMSU852_UHdX9uJqI/s1600/EvilFoxSZ.png" imageanchor="1" style="clear: right; float: right; margin-bottom: 1em; margin-left: 1em;"><img border="0" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEh7s8XYuKRNJ52Bo2oKaYIPQMSG-FdRgKoQxGuz1ND6wu_XpTu1EpQM6zLk6eb9Ck1Wqa1JjAQKew_FZCRNmh72GfQmWx6iASlWDJDah1TsUJO7LQL-wOZDaRIAXbIMSU852_UHdX9uJqI/s1600/EvilFoxSZ.png" /></a></div>
<b><span style="color: #660000; font-size: large;">Weaponizing Your Web Browser </span></b><br />
An ordinary web browser is already in many ways an extremely versatile security tool. With the addition of just a few select plugins, you can turn your browser into an application security assessment platform.<br />
<br />
While there are a large number of Firefox plugins that have utility for security assessments, there is also a great deal of feature overlap between several of these projects. For a more comprehensive list of Firefox pentest plugins you can see my plugin collection here:<br />
<a href="https://addons.mozilla.org/en-US/firefox/collections/defendlink/defendlink-appsec-addons/" target="_blank">DefendLink - Appsec Addons Collection</a><br />
<br />
Here are 10 plugins that are extremely useful and provide unique functionality for application pen-testing (compatible with FF version 23.0 and above):<br />
<h3>
<span style="font-weight: normal;"><div dir="ltr">
<table style="border-collapse: collapse; border: none; width: 624px;"><tbody>
<tr style="height: 0px;"><td style="border: 1px solid #000000; padding: 7px 7px 7px 7px; vertical-align: top;"><div style="text-align: center;">
<b><u><span style="font-family: Arial; font-size: 15px; vertical-align: baseline; white-space: pre-wrap;">#</span><span style="font-family: Arial; font-size: 15px; vertical-align: baseline; white-space: pre-wrap;">1</span><span style="font-family: Arial; font-size: 15px; vertical-align: baseline; white-space: pre-wrap;"> </span></u></b></div>
<div style="text-align: center;">
<span id="docs-internal-guid-03b95b9a-128b-a69f-9c19-d843ff2d9f94"><span id="docs-internal-guid-03b95b9a-128b-b7f1-565e-f0ef474b0b8e"><img height="32px;" src="https://lh3.googleusercontent.com/mVjO0F8mb1TGLygPF9LD7EWjZYDLH4odSJqlKRrCz-cus2ezGMrhZHBm1HJFkz-CQeEzI_EfFHAJyxKCwxtXr-AHZzXvAHOMJv2otN0hb-FNtq_rifMjs3vL" width="32px;" /></span></span><br />
<span style="color: #980000; font-family: Arial; font-size: 15px; font-weight: bold; white-space: pre-wrap;">HACKBAR</span><br />
<span style="color: #980000; font-family: Arial; font-size: 15px; font-weight: bold; white-space: pre-wrap;"><br /></span></div>
<span id="docs-internal-guid-03b95b9a-128b-b7f1-565e-f0ef474b0b8e">
</span>
<br />
<div dir="ltr" style="line-height: 1; margin-bottom: 0pt; margin-top: 0pt;">
<span id="docs-internal-guid-03b95b9a-128b-b7f1-565e-f0ef474b0b8e"><a href="https://addons.mozilla.org/en-US/firefox/addon/hackbar/" style="text-decoration: none;"><span style="color: #1155cc; font-family: Arial; font-size: 11px; text-decoration: underline; vertical-align: baseline; white-space: pre-wrap;">https://addons.mozilla.org/en-US/firefox/addon/hackbar/</span></a><span style="font-family: Arial; font-size: 11px; vertical-align: baseline; white-space: pre-wrap;"></span></span></div>
<span id="docs-internal-guid-03b95b9a-128b-b7f1-565e-f0ef474b0b8e">
<br /><span style="font-family: Arial; font-size: 11px; vertical-align: baseline; white-space: pre-wrap;"></span></span><br />
<div dir="ltr" style="line-height: 1; margin-bottom: 0pt; margin-top: 0pt;">
<span id="docs-internal-guid-03b95b9a-128b-b7f1-565e-f0ef474b0b8e"><span style="font-family: Arial; font-size: 11px; line-height: 11px; text-align: center; white-space: pre-wrap;"> </span><u style="font-family: Arial; font-size: 11px; line-height: 11px; text-align: center; white-space: pre-wrap;">Developer</u></span></div>
<span id="docs-internal-guid-03b95b9a-128b-b7f1-565e-f0ef474b0b8e">
</span>
<br />
<div dir="ltr" style="margin-bottom: 0pt; margin-top: 0pt;">
<span id="docs-internal-guid-03b95b9a-128b-b7f1-565e-f0ef474b0b8e"><span style="font-family: Arial;"><span style="font-size: 11px; line-height: 11px; white-space: pre-wrap;">Johan Adriaans, Pedro Laguna</span></span></span></div>
<span id="docs-internal-guid-03b95b9a-128b-b7f1-565e-f0ef474b0b8e">
</span><span style="color: #274e13; font-family: Arial; font-size: 15px; font-weight: bold; vertical-align: baseline; white-space: pre-wrap;"></span></td><td style="border: 1px solid #000000; padding: 7px 7px 7px 7px; vertical-align: top;"><div dir="ltr" style="margin-bottom: 0pt; margin-top: 0pt; text-align: center;">
<span style="font-family: Arial; font-size: 15px; line-height: 1; white-space: pre-wrap;">If you have some experience with web-application security testing, then Hackbar is definitely one of the most useful plugins. It automates many of the repetitive tasks involved in manually testing sites for flaws like XSS and SQLi.</span></div>
<span style="color: #274e13; font-family: Arial; font-size: 15px; font-weight: bold; text-decoration: underline; vertical-align: baseline; white-space: pre-wrap;"></span></td><td style="border: 1px solid #000000; padding: 7px 7px 7px 7px; vertical-align: top;"><img height="71" src="https://lh5.googleusercontent.com/TeXqTBmod1yunTncYBvNW14gt1rcLE8MX461DVBvaoTo9gSU4DWPBE_tnhvxlwneAF_qkGtTgVsHBdlzSltBOvVx7NcCVUo27FH7vmHCwxed0auDP6wk4997YQ" width="320" /><span style="font-family: Arial; font-size: 15px; vertical-align: baseline; white-space: pre-wrap;"></span></td></tr>
<tr style="height: 0px;"><td style="border: 1px solid #000000; padding: 7px 7px 7px 7px; vertical-align: top;"><div dir="ltr" style="line-height: 1; margin-bottom: 0pt; margin-top: 0pt; text-align: center;">
<span style="font-family: Arial; font-size: 15px; font-weight: bold; vertical-align: baseline; white-space: pre-wrap;"><u>#2 </u></span></div>
<div dir="ltr" style="line-height: 1; margin-bottom: 0pt; margin-top: 0pt; text-align: center;">
<span style="color: #274e13; font-family: Arial; font-size: 15px; font-weight: bold; vertical-align: baseline; white-space: pre-wrap;"></span></div>
<div class="separator" style="clear: both; text-align: center;">
<a href="https://lh3.googleusercontent.com/JDGOfxNhjNrSOCvvkrfcd_PuxD-8p1wL4TQzGHcdczcpTtysBtmNlhGdr7OOHmAAu8Qmv8nv6eFUnfKabECQ2DVcEYviGFJRl0o9dQLQqoDylSHKqoYcZw5H" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="34px;" src="https://lh3.googleusercontent.com/JDGOfxNhjNrSOCvvkrfcd_PuxD-8p1wL4TQzGHcdczcpTtysBtmNlhGdr7OOHmAAu8Qmv8nv6eFUnfKabECQ2DVcEYviGFJRl0o9dQLQqoDylSHKqoYcZw5H" width="34px;" /></a></div>
<div dir="ltr" style="line-height: 1; margin-bottom: 0pt; margin-top: 0pt; text-align: center;">
<span style="font-family: Arial; font-size: 11px; vertical-align: baseline; white-space: pre-wrap;"><span style="color: #980000; font-size: 15px; font-weight: bold; line-height: 15px;">TAMPERDATA</span></span></div>
<div dir="ltr" style="line-height: 1; margin-bottom: 0pt; margin-top: 0pt;">
<br /></div>
<div dir="ltr" style="line-height: 1; margin-bottom: 0pt; margin-top: 0pt;">
<a href="https://addons.mozilla.org/en-us/firefox/addon/tamper-data/" style="text-decoration: none;"><span style="color: #1155cc; font-family: Arial; font-size: 11px; text-decoration: underline; vertical-align: baseline; white-space: pre-wrap;">https://addons.mozilla.org/en-us/firefox/addon/tamper-data/</span></a><span style="font-family: Arial; font-size: 11px; vertical-align: baseline; white-space: pre-wrap;"></span></div>
<br />
<div style="text-align: center;">
<u style="font-family: Arial; font-size: 11px; line-height: 11px; white-space: pre-wrap;">Developer</u></div>
<div style="text-align: center;">
<span style="font-family: Arial, Helvetica, sans-serif; font-size: xx-small;"><a href="http://tamperdata.mozdev.org/" target="_blank">Adam Judson</a></span></div>
<br />
<span style="color: #274e13; font-family: Arial; font-size: 15px; font-weight: bold; vertical-align: baseline; white-space: pre-wrap;"></span></td><td style="border: 1px solid #000000; padding: 7px 7px 7px 7px; vertical-align: top;"><div dir="ltr" style="line-height: 1; margin-bottom: 0pt; margin-top: 0pt;">
<span style="font-family: Arial; font-size: 15px; vertical-align: baseline; white-space: pre-wrap;">Tamper Data allows you to directly </span><span style="background-color: #fcfdfe; font-family: Arial; font-size: 15px; vertical-align: baseline; white-space: pre-wrap;">view and modify HTTP/HTTPS headers and POST parameters before they leave the browser. It's amazing how many web apps are still vulnerable to this because they rely on client-side input validation alone.</span></div>
<div dir="ltr" style="line-height: 1; margin-bottom: 0pt; margin-top: 0pt;">
<span style="font-family: Arial; font-size: 15px; vertical-align: baseline; white-space: pre-wrap;"></span></div>
</td><td style="border: 1px solid #000000; padding: 7px 7px 7px 7px; vertical-align: top;"><img height="240" src="https://lh6.googleusercontent.com/Bpa3zLxPIk49LmKZyxivWLhas8hqBKlX90vgtqKFyuQJil8csqQlUUAbCnQ4cQ9s75Cl1tLNSWGRThbZ0FjDKJ95RC5s6-EBsTVR_XYoZKV3os_mcCMRX9S_" width="320" /><span style="font-family: Arial; font-size: 15px; vertical-align: baseline; white-space: pre-wrap;"></span></td></tr>
<tr style="height: 0px;"><td style="border: 1px solid #000000; padding: 7px 7px 7px 7px; vertical-align: top;"><div dir="ltr" style="line-height: 1; margin-bottom: 0pt; margin-top: 0pt; text-align: center;">
<span style="font-family: Arial; font-size: 15px; vertical-align: baseline; white-space: pre-wrap;"><b><u>#3</u></b></span></div>
<div dir="ltr" style="line-height: 1; margin-bottom: 0pt; margin-top: 0pt; text-align: center;">
<img height="32px;" src="https://lh6.googleusercontent.com/Z3yacrhGWl7hhRYG5DEHD9jy74ycthkSSE2OhZTPkWd15MdhbxZ1GENzeJIo0UEVR84FPCDe2CMftaYl5ZlDE1DaQsfl6nBoSwpP61spA0RFNUh74bjHjKjj" width="32px;" /><span style="color: #274e13; font-family: Arial; font-size: 15px; font-weight: bold; vertical-align: baseline; white-space: pre-wrap;"></span></div>
<div dir="ltr" style="line-height: 1; margin-bottom: 0pt; margin-top: 0pt; text-align: center;">
<span style="color: #980000; font-family: Arial; font-size: 15px; font-weight: bold; vertical-align: baseline; white-space: pre-wrap;"> FIREBUG</span><span style="color: #274e13; font-family: Arial; font-size: 15px; font-weight: bold; vertical-align: baseline; white-space: pre-wrap;"> </span><br />
<span style="color: #274e13; font-family: Arial; font-size: 15px; font-weight: bold; vertical-align: baseline; white-space: pre-wrap;"><br /></span></div>
<div dir="ltr" style="line-height: 1; margin-bottom: 0pt; margin-top: 0pt;">
<a href="https://addons.mozilla.org/en-US/firefox/addon/firebug/" style="text-decoration: none;"><span style="color: #1155cc; font-family: Arial; font-size: 11px; text-decoration: underline; vertical-align: baseline; white-space: pre-wrap;">https://addons.mozilla.org/en-US/firefox/addon/firebug/</span></a><span style="font-family: Arial; font-size: 11px; vertical-align: baseline; white-space: pre-wrap;"></span></div>
<br />
<span style="color: #274e13; font-family: Arial; font-size: 11px; font-weight: bold; vertical-align: baseline; white-space: pre-wrap;"></span><br />
<div dir="ltr" style="line-height: 1; margin-bottom: 0pt; margin-top: 0pt;">
<div style="text-align: center;">
<u style="font-family: Arial; font-size: 11px; line-height: 11px; white-space: pre-wrap;">Developer</u></div>
</div>
<div dir="ltr" style="line-height: 1; margin-bottom: 0pt; margin-top: 0pt;">
<div style="text-align: center;">
<a href="http://www.softwareishard.com/blog/about/" style="text-decoration: none;"><span style="color: #1155cc; font-family: Arial; font-size: 11px; text-decoration: underline; vertical-align: baseline; white-space: pre-wrap;">Jan Odvarko</span></a><span style="color: #274e13; font-family: Arial; font-size: 11px; font-weight: bold; vertical-align: baseline; white-space: pre-wrap;"></span></div>
</div>
<br />
<span style="color: #274e13; font-family: Arial; font-size: 15px; font-weight: bold; vertical-align: baseline; white-space: pre-wrap;"></span></td><td style="border: 1px solid #000000; padding: 7px 7px 7px 7px; vertical-align: top;"><div dir="ltr" style="line-height: 1; margin-bottom: 0pt; margin-top: 0pt;">
<span style="font-family: Arial; font-size: 15px; line-height: 1; white-space: pre-wrap;">Firebug is an extremely versatile and well-documented tool. While its emphasis is debugging, it is also useful for penetration testing because it lets you quickly dissect the structure of a page and directly modify page elements.</span></div>
<span style="color: #274e13; font-family: Arial; font-size: 15px; font-weight: bold; text-decoration: underline; vertical-align: baseline; white-space: pre-wrap;"></span></td><td style="border: 1px solid #000000; padding: 7px 7px 7px 7px; vertical-align: top;"><br />
<span style="font-family: Arial; font-size: 15px; vertical-align: baseline; white-space: pre-wrap;"></span><img height="157px;" src="https://lh4.googleusercontent.com/CHDGxUw4kbVw9p_cFERzMCq3902Nt0Ojz1sDBG6a1IRW6_OK6Lo0lbMECqeI66BR_sV7-zlhnaXkwqJdkbV-iwAmOxF8kC2p5n5xn6HVPZglHNIURQO2sOgxew" width="195px;" /><span style="font-family: Arial; font-size: 15px; vertical-align: baseline; white-space: pre-wrap;"></span></td></tr>
<tr style="height: 0px;"><td style="border: 1px solid #000000; padding: 7px 7px 7px 7px; vertical-align: top;"><div class="" style="clear: both; text-align: center;">
<b><u><span style="font-family: Arial; font-size: 15px; text-align: start; vertical-align: baseline; white-space: pre-wrap;">#</span><span style="font-family: Arial; font-size: 15px; text-align: start; vertical-align: baseline; white-space: pre-wrap;">4 </span></u></b></div>
<div class="separator" style="clear: both; text-align: center;">
<a href="https://lh3.googleusercontent.com/JDGOfxNhjNrSOCvvkrfcd_PuxD-8p1wL4TQzGHcdczcpTtysBtmNlhGdr7OOHmAAu8Qmv8nv6eFUnfKabECQ2DVcEYviGFJRl0o9dQLQqoDylSHKqoYcZw5H" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="34px;" src="https://lh3.googleusercontent.com/JDGOfxNhjNrSOCvvkrfcd_PuxD-8p1wL4TQzGHcdczcpTtysBtmNlhGdr7OOHmAAu8Qmv8nv6eFUnfKabECQ2DVcEYviGFJRl0o9dQLQqoDylSHKqoYcZw5H" width="34px;" /></a></div>
<div dir="ltr" style="line-height: 1; margin-bottom: 0pt; margin-top: 0pt; text-align: center;">
<span style="color: #980000; font-family: Arial; font-size: 15px; font-weight: bold; vertical-align: baseline; white-space: pre-wrap;">WAPPALYZER</span></div>
<div dir="ltr" style="line-height: 1; margin-bottom: 0pt; margin-top: 0pt;">
<br />
<span style="color: #1155cc; font-family: Arial; font-size: 11px; line-height: 1; text-decoration: underline; vertical-align: baseline; white-space: pre-wrap;"><a href="https://addons.mozilla.org/en-US/firefox/addon/wappalyzer/" style="line-height: 1; text-decoration: none;">https://addons.mozilla.org/en-US/firefox/addon/wappalyzer/</a></span></div>
<div dir="ltr" style="line-height: 1; margin-bottom: 0pt; margin-top: 0pt;">
<span style="font-family: Arial; font-size: 11px; vertical-align: baseline; white-space: pre-wrap;"></span></div>
<br />
<div dir="ltr" style="line-height: 1; margin-bottom: 0pt; margin-top: 0pt;">
<div style="text-align: center;">
<u style="font-family: Arial; font-size: 11px; line-height: 11px; white-space: pre-wrap;">Developer</u></div>
</div>
<div dir="ltr" style="line-height: 1; margin-bottom: 0pt; margin-top: 0pt;">
<div style="text-align: center;">
<span style="font-family: Arial; font-size: 11px; vertical-align: baseline; white-space: pre-wrap;">Elbert Alias</span></div>
</div>
</td><td style="border: 1px solid #000000; padding: 7px 7px 7px 7px; vertical-align: top;"><div dir="ltr" style="margin-bottom: 0pt; margin-top: 0pt; text-align: center;">
<span style="font-family: Arial; font-size: 15px; line-height: 1; white-space: pre-wrap;">Wappalyzer allows for the detection of web application components, including CMS software, CDNs, operating systems, and web server versions.</span></div>
<div dir="ltr" style="line-height: 1; margin-bottom: 0pt; margin-top: 0pt;">
<span style="color: #274e13; font-family: Arial; font-size: 15px; font-weight: bold; vertical-align: baseline; white-space: pre-wrap;"></span></div>
</td><td style="border: 1px solid #000000; padding: 7px 7px 7px 7px; vertical-align: top;"><img height="213px;" src="https://lh4.googleusercontent.com/UnMdwzU5BFKg385Tg1ZqYtMAez_zG2OG6vygTd3E4ZbCU5JyglzdAnZQnhMqFK14cvKqLQqvPjCY87-UFtY3a-RRlDllz9Y0m3MS6_jLPyNyeb27fy9XwbMpuA" width="103px;" /><span style="font-family: Arial; font-size: 15px; vertical-align: baseline; white-space: pre-wrap;"></span></td></tr>
<tr style="height: 0px;"><td style="border: 1px solid #000000; padding: 7px 7px 7px 7px; vertical-align: top;"><div dir="ltr" style="line-height: 1; margin-bottom: 0pt; margin-top: 0pt; text-align: center;">
<span style="font-family: Arial; font-size: 15px; font-weight: bold; vertical-align: baseline; white-space: pre-wrap;">#5 </span></div>
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiqnqvdD6EsgrfDil4RoEa4yIyp48L8zG_1dHgQzYDeBrxZNkUlJUueygU9hFwfUFY7zX8nQxXIDdEr0nZok9sPOhcrrN71_0pYAaOQa-NN5X614A_1AlRU4hBapFNcqIQCTb8fQRlcMFI/s1600/7598-64.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiqnqvdD6EsgrfDil4RoEa4yIyp48L8zG_1dHgQzYDeBrxZNkUlJUueygU9hFwfUFY7zX8nQxXIDdEr0nZok9sPOhcrrN71_0pYAaOQa-NN5X614A_1AlRU4hBapFNcqIQCTb8fQRlcMFI/s1600/7598-64.png" /></a></div>
<div dir="ltr" style="line-height: 1; margin-bottom: 0pt; margin-top: 0pt; text-align: center;">
<span style="color: #980000; font-family: Arial; font-size: 15px; font-weight: bold; vertical-align: baseline; white-space: pre-wrap;">XSSME</span><br />
<br />
<span style="color: #1155cc; font-family: Arial; font-size: 11px; line-height: 1; text-decoration: underline; vertical-align: baseline; white-space: pre-wrap;"><a href="https://addons.mozilla.org/en-us/firefox/addon/xss-me/" style="line-height: 1; text-decoration: none;">https://addons.mozilla.org/en-us/firefox/addon/xss-me/</a></span></div>
<br />
<div dir="ltr" style="line-height: 1; margin-bottom: 0pt; margin-top: 0pt;">
<div style="text-align: center;">
<u style="font-family: Arial; font-size: 11px; line-height: 11px; white-space: pre-wrap;">Developer</u></div>
</div>
<div dir="ltr" style="line-height: 1; margin-bottom: 0pt; margin-top: 0pt;">
<div style="text-align: center;">
<a href="http://www.securitycompass.com/" style="text-decoration: none;"><span style="color: black; font-family: Arial; font-size: 11px; text-decoration: underline; vertical-align: baseline; white-space: pre-wrap;">SecurityCompass</span></a><span style="font-family: Arial; font-size: 11px; text-decoration: underline; vertical-align: baseline; white-space: pre-wrap;"> </span></div>
</div>
<br />
<span style="color: #274e13; font-family: Arial; font-size: 15px; font-weight: bold; vertical-align: baseline; white-space: pre-wrap;"></span></td><td style="border: 1px solid #000000; padding: 7px 7px 7px 7px; vertical-align: top;"><div dir="ltr" style="line-height: 1; margin-bottom: 0pt; margin-top: 0pt;">
<span style="font-family: Arial; font-size: 15px; line-height: 1; white-space: pre-wrap;">XSS Me scans web forms for common reflected (non-persistent) cross-site scripting flaws.</span></div>
<div dir="ltr" style="line-height: 1; margin-bottom: 0pt; margin-top: 0pt;">
<span style="color: #274e13; font-family: Arial; font-size: 15px; font-weight: bold; vertical-align: baseline; white-space: pre-wrap;"></span></div>
</td><td style="border: 1px solid #000000; padding: 7px 7px 7px 7px; vertical-align: top;"><img height="85px;" src="https://lh3.googleusercontent.com/uNRmO0D50TD6JarOKH_0BycH3V1N0F_KOHrx-slscE0lc4WX_k_ENCXDySKITHzVm6vM3g0tF5at6IaVnd21YsPfaDQhxLOsGMBu532421jBF3zVKqCLylEDUg" width="202px;" /><span style="font-family: Arial; font-size: 15px; vertical-align: baseline; white-space: pre-wrap;"></span></td></tr>
<tr style="height: 0px;"><td style="border: 1px solid #000000; padding: 7px 7px 7px 7px; vertical-align: top;"><div dir="ltr" style="line-height: 1; margin-bottom: 0pt; margin-top: 0pt; text-align: center;">
<span style="font-family: Arial; font-size: 15px; font-weight: bold; vertical-align: baseline; white-space: pre-wrap;">#6 </span></div>
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEipnpiPfb88dzmOo7Qj753UXlb0dxEJ-53YqWR8XevqUWuWKqJEoH5bMS1tO6IM_UtfH2epDH7bmxCvVyUxrSiWf-mXlwxyxWW1SL5lrYYgXv8YmAbDHu0gTBerEWARfnPVrvW8Y15iQfE/s1600/7598-64.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEipnpiPfb88dzmOo7Qj753UXlb0dxEJ-53YqWR8XevqUWuWKqJEoH5bMS1tO6IM_UtfH2epDH7bmxCvVyUxrSiWf-mXlwxyxWW1SL5lrYYgXv8YmAbDHu0gTBerEWARfnPVrvW8Y15iQfE/s1600/7598-64.png" /></a></div>
<div dir="ltr" style="line-height: 1; margin-bottom: 0pt; margin-top: 0pt; text-align: center;">
<span style="color: #980000; font-family: Arial; font-size: 15px; font-weight: bold; line-height: 1; white-space: pre-wrap;">SQL Inject Me</span><br />
<span style="color: #980000; font-family: Arial; font-size: 15px; font-weight: bold; line-height: 1; white-space: pre-wrap;"><br /></span></div>
<div dir="ltr" style="line-height: 1; margin-bottom: 0pt; margin-top: 0pt;">
<a href="https://addons.mozilla.org/en-us/firefox/addon/xss-me/" style="text-decoration: none;"><span style="color: #1155cc; font-family: Arial; font-size: 11px; text-decoration: underline; vertical-align: baseline; white-space: pre-wrap;">https://addons.mozilla.org/en-us/firefox/addon/xss-me/</span></a><span style="color: #274e13; font-family: Arial; font-size: 11px; font-weight: bold; vertical-align: baseline; white-space: pre-wrap;"></span></div>
<br />
<div dir="ltr" style="line-height: 1; margin-bottom: 0pt; margin-top: 0pt;">
<div style="text-align: center;">
<u style="font-family: Arial; font-size: 11px; line-height: 11px; white-space: pre-wrap;">Developer</u></div>
</div>
<div dir="ltr" style="line-height: 1; margin-bottom: 0pt; margin-top: 0pt;">
<div style="text-align: center;">
<a href="http://www.securitycompass.com/" style="text-decoration: none;"><span style="color: black; font-family: Arial; font-size: 11px; text-decoration: underline; vertical-align: baseline; white-space: pre-wrap;">SecurityCompass</span></a><span style="font-family: Arial; font-size: 11px; text-decoration: underline; vertical-align: baseline; white-space: pre-wrap;"> </span><span style="color: #274e13; font-family: Arial; font-size: 11px; font-weight: bold; vertical-align: baseline; white-space: pre-wrap;"></span></div>
</div>
</td><td style="border: 1px solid #000000; padding: 7px 7px 7px 7px; vertical-align: top;"><div dir="ltr" style="line-height: 1; margin-bottom: 0pt; margin-top: 0pt;">
<span style="font-family: Arial; font-size: 15px; line-height: 1; white-space: pre-wrap;">In a similar vein to XSS Me, SecurityCompass's other plugin allows for testing of common SQL injection (SQLi) flaws right from the browser.</span></div>
</td><td style="border: 1px solid #000000; padding: 7px 7px 7px 7px; vertical-align: top;"><img height="82px;" src="https://lh4.googleusercontent.com/XDXdzfM8lgckWA-wG0Dk9o7Q9lgJJY0fMeKPANT0O9haGesfGGRHiQ2NOZmCn42mM36tIbQ7yRDR4XNgoNMcnrk4KDvAEA19NVjLLJsU3vyXgjnRN8ewiph2IA" width="195px;" /><span style="font-family: Arial; font-size: 15px; vertical-align: baseline; white-space: pre-wrap;"></span></td></tr>
<tr style="height: 0px;"><td style="border: 1px solid #000000; padding: 7px 7px 7px 7px; vertical-align: top;"><div dir="ltr" style="line-height: 1; margin-bottom: 0pt; margin-top: 0pt; text-align: center;">
<span style="font-family: Arial; font-size: 15px; font-weight: bold; vertical-align: baseline; white-space: pre-wrap;">#7 </span></div>
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjTeKqANDASh_qieFQGtQENok99jUxXQNcFLvkBTZfxE6Do7eSEoUJIJIkdUNVFZ4giSlmQ4mKZCwOifoVeMEjLJ-PhekLO9MakAzwpN7hiC4xnKoD3CpLXQhJ0x2Yk8HkFQkwzUxVMJ7Y/s1600/6196-64.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjTeKqANDASh_qieFQGtQENok99jUxXQNcFLvkBTZfxE6Do7eSEoUJIJIkdUNVFZ4giSlmQ4mKZCwOifoVeMEjLJ-PhekLO9MakAzwpN7hiC4xnKoD3CpLXQhJ0x2Yk8HkFQkwzUxVMJ7Y/s1600/6196-64.png" /></a></div>
<div dir="ltr" style="line-height: 1; margin-bottom: 0pt; margin-top: 0pt; text-align: center;">
<span style="color: #980000; font-family: Arial; font-size: 15px; font-weight: bold; vertical-align: baseline; white-space: pre-wrap;">PASSIVERECON</span></div>
<br />
<div dir="ltr" style="line-height: 1; margin-bottom: 0pt; margin-top: 0pt;">
<a href="https://addons.mozilla.org/en-US/firefox/addon/passiverecon/" style="text-decoration: none;"><span style="color: #1155cc; font-family: Arial; font-size: 11px; text-decoration: underline; vertical-align: baseline; white-space: pre-wrap;">https://addons.mozilla.org/en-US/firefox/addon/passiverecon/</span></a><span style="font-family: Arial; font-size: 11px; font-weight: bold; vertical-align: baseline; white-space: pre-wrap;"></span></div>
<br />
<div dir="ltr" style="margin-bottom: 0pt; margin-top: 0pt;">
<div style="text-align: center;">
<span style="font-family: Arial;"><span style="font-size: 11px; line-height: 11px; white-space: pre-wrap;"><u>Developer</u></span></span></div>
</div>
<div dir="ltr" style="line-height: 1; margin-bottom: 0pt; margin-top: 0pt;">
<div style="text-align: center;">
<a href="http://www.securitycompass.com/" style="text-decoration: none;"><span style="color: black; font-family: Arial; font-size: 11px; text-decoration: underline; vertical-align: baseline; white-space: pre-wrap;">SecurityCompass</span></a><span style="font-family: Arial; font-size: 11px; text-decoration: underline; vertical-align: baseline; white-space: pre-wrap;"> </span><span style="font-family: Arial; font-size: 11px; font-weight: bold; vertical-align: baseline; white-space: pre-wrap;"></span></div>
</div>
</td><td style="border: 1px solid #000000; padding: 7px 7px 7px 7px; vertical-align: top;"><div dir="ltr" style="line-height: 1; margin-bottom: 0pt; margin-top: 0pt;">
<span style="font-family: Arial; font-size: 15px; line-height: 1; white-space: pre-wrap;">PassiveRecon provides a number of quick-fire shortcuts for performing standard profiling of a website and its online content in a convenient manner.</span></div>
<div dir="ltr" style="line-height: 1; margin-bottom: 0pt; margin-top: 0pt;">
<span style="font-family: Arial; font-size: 15px; vertical-align: baseline; white-space: pre-wrap;">It's launched from the browser's context menu. The "Show All" option does a quick info dump on the site.</span></div>
<br />
<span style="font-family: Arial; font-size: 15px; font-weight: bold; vertical-align: baseline; white-space: pre-wrap;"></span><br />
<span style="color: #274e13; font-family: Arial; font-size: 15px; font-weight: bold; vertical-align: baseline; white-space: pre-wrap;"></span></td><td style="border: 1px solid #000000; padding: 7px 7px 7px 7px; vertical-align: top;"><img height="125px;" src="https://lh6.googleusercontent.com/mkR3pEhaJApPzYhJA3OSR7E5U1zechQCnHcbyPqcZNAYCeKGyUlBYGsRnC4Y3L15wCaSEa4u1Fky_KPyB9aYeBET2Cz30FeG4WiDDGGLp-SEROPPA0h_g_SGqQ" width="267px;" /><span style="font-family: Arial; font-size: 15px; vertical-align: baseline; white-space: pre-wrap;"></span></td></tr>
<tr style="height: 0px;"><td style="border: 1px solid #000000; padding: 7px 7px 7px 7px; vertical-align: top;"><div dir="ltr" style="line-height: 1; margin-bottom: 0pt; margin-top: 0pt; text-align: center;">
<span style="font-family: Arial; font-size: 15px; font-weight: bold; vertical-align: baseline; white-space: pre-wrap;">#8 </span></div>
<div dir="ltr" style="line-height: 1; margin-bottom: 0pt; margin-top: 0pt; text-align: center;">
<img height="36px;" src="https://lh5.googleusercontent.com/MwhkKsvFLrlAd_Qb2I5VgE9fYigMoXwIH_qMCx0K-OGy0w6A0M5-R8KttxEDe-3YA1n76K5AerXhfFqUJBgpC-LFo6hkK1K8jRYYj3TkPl9qaFVkVkDa5fTZIw" style="line-height: 1;" width="38px;" /></div>
<div dir="ltr" style="line-height: 1; margin-bottom: 0pt; margin-top: 0pt;">
<span style="color: #980000; font-family: Arial; font-size: 15px; font-weight: bold; vertical-align: baseline; white-space: pre-wrap;"></span></div>
<div dir="ltr" style="line-height: 1; margin-bottom: 0pt; margin-top: 0pt; text-align: center;">
<span style="color: #980000; font-family: Arial; font-size: 15px; font-weight: bold; vertical-align: baseline; white-space: pre-wrap;">FOXYPROXY</span></div>
<div style="text-align: center;">
<br /></div>
<div dir="ltr" style="line-height: 1; margin-bottom: 0pt; margin-top: 0pt;">
<a href="https://addons.mozilla.org/en-US/firefox/addon/foxyproxy-standard/"><span style="font-family: Arial, Helvetica, sans-serif; font-size: xx-small;">https://addons.mozilla.org/en-US/firefox/addon/foxyproxy-standard/</span></a></div>
<br />
<div dir="ltr" style="line-height: 1; margin-bottom: 0pt; margin-top: 0pt;">
<div style="text-align: center;">
<u style="font-family: Arial; font-size: 11px; line-height: 11px; white-space: pre-wrap;">Developer</u></div>
</div>
<div dir="ltr" style="line-height: 1; margin-bottom: 0pt; margin-top: 0pt;">
<div style="text-align: center;">
<a href="http://getfoxyproxy.org/" style="text-decoration: none;"><span style="color: #1155cc; font-family: Arial; font-size: 11px; text-decoration: underline; vertical-align: baseline; white-space: pre-wrap;">Eric H. Jung</span></a><span style="font-family: Arial; font-size: 11px; vertical-align: baseline; white-space: pre-wrap;"></span></div>
</div>
</td><td style="border: 1px solid #000000; padding: 7px 7px 7px 7px; vertical-align: top;"><div dir="ltr" style="line-height: 1; margin-bottom: 0pt; margin-top: 0pt;">
<span style="font-family: Arial; font-size: 15px; line-height: 1; white-space: pre-wrap;">FoxyProxy is a Firefox extension which automatically switches an internet connection across one or more proxy servers based on URL patterns. (Handy for toggling between interception proxies like ZAP, Burp Suite, etc.)</span></div>
</td><td style="border: 1px solid #000000; padding: 7px 7px 7px 7px; vertical-align: top;"><img height="126px;" src="https://lh3.googleusercontent.com/FLHC4H_8O59a99pF8uTuYnvq8dMZdgG43loYLraPLrSIMglEQZ9RVzmd05nv_ZX3N-bWbyrBydM80Ygd2OgYgeI3F57w4yKkVq4i4LtPoP3tH-U1Bz7SlRGQ" width="193px;" /><span style="font-family: Arial; font-size: 15px; vertical-align: baseline; white-space: pre-wrap;"></span></td></tr>
<tr style="height: 0px;"><td style="border: 1px solid #000000; padding: 7px 7px 7px 7px; vertical-align: top;"><div dir="ltr" style="line-height: 1; margin-bottom: 0pt; margin-top: 0pt;">
<span style="color: #980000; font-family: Arial; font-size: 15px; font-weight: bold; line-height: 15px; text-align: center; white-space: pre-wrap;"> </span><span style="font-family: Arial; font-size: 15px; font-weight: bold; line-height: 15px; text-align: center; white-space: pre-wrap;"> #9</span></div>
<div dir="ltr" style="line-height: 1; margin-bottom: 0pt; margin-top: 0pt;">
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEggQC_e0vtfsV7UmplSN9MaiaWEOexGoQB_2AFEuI1HI6t5E5KaJTx_n4K8klCQS8PyuliJhZjrm_-cSwXHBW0mYO4C4e3jZpLi7iHk6SOXgyBbTM3-yDo1_yj57W4JNw5aDoWOWYZOtgw/s1600/92079-64.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEggQC_e0vtfsV7UmplSN9MaiaWEOexGoQB_2AFEuI1HI6t5E5KaJTx_n4K8klCQS8PyuliJhZjrm_-cSwXHBW0mYO4C4e3jZpLi7iHk6SOXgyBbTM3-yDo1_yj57W4JNw5aDoWOWYZOtgw/s1600/92079-64.png" /></a></div>
<span style="color: #980000; font-family: Arial; font-size: 15px; font-weight: bold; line-height: 15px; text-align: center; white-space: pre-wrap;"> COOKIES </span><br />
<span style="color: #980000; font-family: Arial; font-size: 15px; font-weight: bold; line-height: 15px; text-align: center; white-space: pre-wrap;"> MANAGER+</span></div>
<div dir="ltr" style="line-height: 1; margin-bottom: 0pt; margin-top: 0pt;">
<span style="color: #980000; font-family: Arial; font-size: 15px; font-weight: bold; line-height: 15px; text-align: center; white-space: pre-wrap;"><br /></span></div>
<div dir="ltr" style="line-height: 1; margin-bottom: 0pt; margin-top: 0pt;">
<span style="font-family: Arial, Helvetica, sans-serif; font-size: xx-small; vertical-align: baseline; white-space: pre-wrap;"><a href="https://addons.mozilla.org/en-us/firefox/addon/cookies-manager-plus">https://addons.mozilla.org/en-us/firefox/addon/cookies-manager-plus</a></span><span style="font-family: Arial; font-size: 12px; vertical-align: baseline; white-space: pre-wrap;"></span></div>
<div dir="ltr" style="line-height: 1; margin-bottom: 0pt; margin-top: 0pt;">
<br /></div>
</td><td style="border: 1px solid #000000; padding: 7px 7px 7px 7px; vertical-align: top;"><span style="font-family: Arial; font-size: 15px; line-height: 15px; white-space: pre-wrap;">Cookies Manager+ provides an easy way to view, edit and create new cookies. </span><br />
<span style="font-family: Arial; font-size: 15px; line-height: 15px; white-space: pre-wrap;">It also shows extra information about cookies, allows editing multiple cookies at once, and can back them up and restore them.</span></td><td style="border: 1px solid #000000; padding: 7px 7px 7px 7px; vertical-align: top;"><br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhLqnqCeqxTfRdlleF2aOjCXLzG2AA5gzzy3k4AEh3e5AUPELTXD4GrC2ZvZLndYYowSHtVCnB7OMEe_97O-eNHr-HSh8VGjeT3Hfl0ZIHXSHBUXAv6w2Oif0FmxkEN8RrBuMK4zZ-yDhk/s1600/56090+(3).png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhLqnqCeqxTfRdlleF2aOjCXLzG2AA5gzzy3k4AEh3e5AUPELTXD4GrC2ZvZLndYYowSHtVCnB7OMEe_97O-eNHr-HSh8VGjeT3Hfl0ZIHXSHBUXAv6w2Oif0FmxkEN8RrBuMK4zZ-yDhk/s1600/56090+(3).png" height="256" width="320" /></a></div>
<span style="font-family: Arial; font-size: 15px; vertical-align: baseline; white-space: pre-wrap;"></span></td></tr>
<tr style="height: 0px;"><td style="border: 1px solid #000000; padding: 7px 7px 7px 7px; vertical-align: top;"><div dir="ltr" style="line-height: 1; margin-bottom: 0pt; margin-top: 0pt; text-align: center;">
<span style="font-family: Arial; font-size: 15px; font-weight: bold; vertical-align: baseline; white-space: pre-wrap;">#10 </span></div>
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhXEmMM2I0KPEpfJEmdiVqVFt1_soSx6U6t3w4fdSXYw3-S6Plc88MvwAFtpHMBD7dktVNBD_ssTwgClko3kqrKeO226tg-keLVDTSFCT3Qx2On1v8b3CJGChVADl9d332eStowjVZGKdM/s1600/59-64.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhXEmMM2I0KPEpfJEmdiVqVFt1_soSx6U6t3w4fdSXYw3-S6Plc88MvwAFtpHMBD7dktVNBD_ssTwgClko3kqrKeO226tg-keLVDTSFCT3Qx2On1v8b3CJGChVADl9d332eStowjVZGKdM/s1600/59-64.png" /></a></div>
<div class="separator" style="clear: both; text-align: center;">
<span style="color: #660000; font-family: Arial; font-size: 15px; font-weight: bold; line-height: 1; white-space: pre-wrap;">AGENT SWITCHER</span></div>
<div class="separator" style="clear: both; text-align: center;">
<span style="color: #660000; font-family: Arial; font-size: 15px; font-weight: bold; line-height: 1; white-space: pre-wrap;"><br /></span></div>
<div dir="ltr" style="line-height: 1; margin-bottom: 0pt; margin-top: 0pt;">
<span style="color: #1155cc; font-family: Arial; font-size: 11px; text-decoration: underline; vertical-align: baseline; white-space: pre-wrap;"><a href="https://addons.mozilla.org/en-us/firefox/addon/user-agent-switcher/" style="text-decoration: none;">https://addons.mozilla.org/en-us/firefox/addon/user-agent-switcher/</a></span><span style="color: #274e13; font-family: Arial; font-size: 11px; vertical-align: baseline; white-space: pre-wrap;"></span></div>
<br />
<br />
<div style="text-align: center;">
<u style="font-family: Arial; font-size: 11px; line-height: 11px; white-space: pre-wrap;">Developer</u></div>
<span style="font-family: Arial; font-size: 11px; line-height: 11px; white-space: pre-wrap;"></span><br />
<div style="text-align: center;">
<span style="font-family: Arial; font-size: 11px; line-height: 11px; white-space: pre-wrap;"><a href="http://chrispederick.com/" target="_blank">Chris Pederick</a></span></div>
<span style="font-family: Arial; font-size: 11px; line-height: 11px; white-space: pre-wrap;">
</span>
<br />
<div style="text-align: center;">
<br />
<span style="color: #274e13; font-family: Arial; font-size: 11px; vertical-align: baseline; white-space: pre-wrap;"></span></div>
</td><td style="border: 1px solid #000000; padding: 7px 7px 7px 7px; vertical-align: top;"><span style="font-family: Arial; font-size: 15px; line-height: 15px; white-space: pre-wrap;">The User Agent Switcher extension adds a menu and a toolbar button to alter the browser's user agent. The plugin includes common user agents for mobile platforms and web spiders as well.</span></td><td style="border: 1px solid #000000; padding: 7px 7px 7px 7px; vertical-align: top;"><img height="123px;" src="https://lh4.googleusercontent.com/RyHWwmmb1f99PiIbK2IumXVJbQypcOKsEmZq0mI9TLcsdkqXsPMockM9650YZw0dOmCWTRH9vD4VdPNm1z3k_EtDTfiRSp3yXrY4RpL3bhPTFmdYzPsKToDXAQ" width="279px;" /></td></tr>
</tbody></table>
</div>
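The Tamper Data and Firebug rows above both come down to the same failure mode: the page's JavaScript checks a form, and the user rewrites the request (or the DOM) after that check has run. The following is an added example, not code from this post or from either add-on, showing the defender's side: a server-side order handler that trusts the posted price and quantity next to one that re-derives the price from its own catalog and re-validates the quantity. The catalog, prices and request bodies are constructed for the example.

```python
"""Server-side validation of form input.

A browser extension like Tamper Data lets the user rewrite POST parameters
after the page's JavaScript validation has run, so the server has to treat
every field as untrusted. The catalog, prices and request bodies below are
constructed for this example.
"""
from decimal import Decimal
from urllib.parse import parse_qs

# Constructed catalog: the server's own source of truth for prices.
CATALOG = {"widget": Decimal("19.99"), "gadget": Decimal("4.50")}
MAX_QTY = 10


def parse_form(body: str) -> dict:
    """Decode an application/x-www-form-urlencoded body into single values."""
    return {k: v[0] for k, v in parse_qs(body, keep_blank_values=True).items()}


def order_trusting_client(body: str) -> dict:
    """Vulnerable: trusts the price and quantity the browser sent.

    The page's JavaScript may have checked these fields, but a proxy or
    Tamper Data rewrites them after that check has already run.
    """
    form = parse_form(body)
    total = Decimal(form["price"]) * int(form["qty"])
    return {"ok": True, "item": form["item"], "total": str(total)}


def order_validated(body: str) -> dict:
    """Hardened: re-derives the price from the catalog and re-validates quantity."""
    form = parse_form(body)
    item = form.get("item", "")
    if item not in CATALOG:
        return {"ok": False, "error": "unknown item"}
    try:
        qty = int(form.get("qty", ""))
    except ValueError:
        return {"ok": False, "error": "quantity must be an integer"}
    if not 1 <= qty <= MAX_QTY:
        return {"ok": False, "error": f"quantity must be 1..{MAX_QTY}"}
    # The client-supplied 'price' field is ignored entirely.
    total = CATALOG[item] * qty
    return {"ok": True, "item": item, "total": str(total)}


# Constructed request bodies as a modified client might send them; the
# page's own JavaScript would have sent price=19.99 and qty <= 10.
TAMPERED = "item=widget&qty=3&price=0.01"
OVERSIZED = "item=widget&qty=9999&price=19.99"

if __name__ == "__main__":
    print(order_trusting_client(TAMPERED))   # charges 0.03
    print(order_validated(TAMPERED))         # charges 59.97
    print(order_validated(OVERSIZED))        # rejected
```

The point generalises beyond prices: any hidden field, disabled control, `maxlength` attribute or JavaScript check is a usability feature, not a security control, and the same validation has to be repeated on the server.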
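For the XSS Me row, here is an added example (not the add-on's code and not from this post) of what a reflection scanner observes and what fixes it: a page that interpolates a search term straight into HTML beside one that HTML-escapes it first, plus the regression check a developer can keep in a test suite. The page template, the two render functions and the probe string are constructed for the example; the probe is a harmless marker that only contains the characters that matter in an HTML text context.

```python
"""Reflected (non-persistent) XSS: vulnerable vs. escaped output.

XSS Me submits probe strings through a form and looks for them coming back
unescaped in the response. The two render functions and the probe below are
constructed for this example; they are not the add-on's code.
"""
from html import escape

# Constructed page template with a single interpolation point.
PAGE = "<html><body><p>Results for: {query}</p></body></html>"


def render_vulnerable(query: str) -> str:
    """Interpolates user input straight into HTML: a reflected XSS sink."""
    return PAGE.format(query=query)


def render_escaped(query: str) -> str:
    """Escapes the input for an HTML text context before interpolating it."""
    return PAGE.format(query=escape(query, quote=True))


# A harmless marker carrying the characters that matter in an HTML context.
PROBE = '<"xss-probe">'


def reflects_unescaped(render, probe: str = PROBE) -> bool:
    """True when the probe comes back byte-for-byte, i.e. markup is not neutralised.

    This is the check a defender keeps in a test suite, and it is the same
    observation a reflection scanner makes from outside the application.
    """
    return probe in render(probe)


if __name__ == "__main__":
    for name, fn in (("vulnerable", render_vulnerable), ("escaped", render_escaped)):
        print(f"{name}: reflected unescaped = {reflects_unescaped(fn)}")
```

Escaping is context-specific: `html.escape` is correct for text and quoted attribute values, while output placed inside a script block, a URL or a CSS value needs that context's own encoding, which is exactly why a scanner's result still has to be confirmed by hand.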
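For the SQL Inject Me row, an added example (not the add-on's code and not from this post) of the flaw it probes for and the fix: a user lookup that builds its SQL by string concatenation next to one that binds the value as a parameter, run against a constructed in-memory SQLite table. The table, the two lookup functions and the tautology probe are constructed for the example.

```python
"""SQL injection: string-built query vs. parameterized query.

SQL Inject Me sends injection probes through form fields and checks how the
application responds. The in-memory SQLite table, the two lookup functions
and the probe string below are constructed for this example.
"""
import sqlite3


def make_db() -> sqlite3.Connection:
    """Constructed sample data: a tiny users table."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT, role TEXT)")
    conn.executemany(
        "INSERT INTO users (name, role) VALUES (?, ?)",
        [("alice", "admin"), ("bob", "user"), ("carol", "user")],
    )
    return conn


def find_user_vulnerable(conn: sqlite3.Connection, name: str) -> list:
    """Builds the query by concatenation: the input becomes part of the SQL."""
    sql = "SELECT name, role FROM users WHERE name = '" + name + "'"
    return conn.execute(sql).fetchall()


def find_user_safe(conn: sqlite3.Connection, name: str) -> list:
    """Binds the value as a parameter: input can never change the query's shape."""
    return conn.execute(
        "SELECT name, role FROM users WHERE name = ?", (name,)
    ).fetchall()


# The textbook tautology probe. A scanner notices that the response changes
# from "no such user" to "every user"; the parameterized version treats the
# whole string as a literal name and matches nothing.
PROBE = "' OR '1'='1"

if __name__ == "__main__":
    conn = make_db()
    print(find_user_vulnerable(conn, PROBE))  # all three rows
    print(find_user_safe(conn, PROBE))        # []
```

The same pattern applies whatever the driver: the fix is never to escape quotes by hand but to keep data out of the query text altogether with bound parameters (or an ORM that uses them).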
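The Cookies Manager+ row is a reminder that a cookie is client-side storage the user can rewrite at will. As an added example (not the add-on's code and not from this post), here is the minimal server-side defence when state such as a user id or role has to live in a cookie: an HMAC-SHA256 tag over the value, checked with a constant-time comparison, so that an edited value is rejected. The signing key and cookie values are constructed for the example.

```python
"""Tamper-evident cookies.

Cookies Manager+ lets the user edit any cookie value in the browser, so a
server that keeps state such as a user id or role in a cookie must be able
to detect edits. The key and cookie values below are constructed for this
example; a real key comes from configuration, never from source code.
"""
import hashlib
import hmac

# Constructed key for the example only.
SECRET_KEY = b"example-key-replace-me"


def _tag(value: str) -> str:
    """Hex HMAC-SHA256 of the value under the server's secret key."""
    return hmac.new(SECRET_KEY, value.encode("utf-8"), hashlib.sha256).hexdigest()


def sign_cookie(value: str) -> str:
    """Returns 'value.tag'; the tag is hex, so the last dot always separates them."""
    return f"{value}.{_tag(value)}"


def verify_cookie(cookie: str):
    """Returns the original value if the tag matches, otherwise None.

    hmac.compare_digest avoids leaking which byte of the tag differed
    through response timing.
    """
    value, sep, tag = cookie.rpartition(".")
    if not sep:
        return None
    if not hmac.compare_digest(_tag(value), tag):
        return None
    return value


def edited(cookie: str, new_value: str) -> str:
    """Models a user changing the value part in a cookie editor but keeping the tag."""
    _, _, tag = cookie.rpartition(".")
    return f"{new_value}.{tag}"


if __name__ == "__main__":
    cookie = sign_cookie("uid=42;role=user")
    print(verify_cookie(cookie))                               # uid=42;role=user
    print(verify_cookie(edited(cookie, "uid=42;role=admin")))  # None
```

Signing only gives integrity: the value is still readable in the browser, so anything confidential should not be in the cookie at all. The simpler design is an opaque random session id with the state held server-side, which leaves nothing meaningful to edit.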
<h2>
<u><span style="color: #660000; font-size: small;"><b>Conclusion</b></span></u></h2>
</span></h3>
<h3>
<span style="font-size: small; font-weight: normal;">You might ask, with so many feature-rich web application scanners on the market, why even bother with browser extensions? The simple answer is that a true application security assessment should never rely solely on scan results but should instead take the time and effort required to validate vulnerabilities and uncover the many issues <a href="http://sectoolmarket.com/" target="_blank">that scanners often will not detect</a>. The plugins listed above provide functionality that can accelerate this manual review and validation effort.</span></h3>
<h3>
<div style="background-color: white; font-family: Arial, Tahoma, Helvetica, FreeSans, sans-serif; font-size: 13px; font-weight: normal; line-height: 18px;">
<h2>
<u><span style="color: #660000; font-size: small;"><b>Ideas/Further Reading?</b></span></u></h2>
<h2>
<div style="font-size: 13px; font-weight: normal;">
OWASP Top 10 : <a href="https://www.owasp.org/index.php/Top_10_2013-Top_10">https://www.owasp.org/index.php/Top_10_2013-Top_10</a></div>
<div style="font-size: 13px; font-weight: normal;">
<br /></div>
<div style="font-size: 13px;">
<span style="font-weight: normal;">OWASP WebGoat: <a href="https://www.owasp.org/index.php/Category:OWASP_WebGoat_Project" target="_blank">https://www.owasp.org/index.php/Category:OWASP_WebGoat_Project</a></span></div>
<div style="font-size: 13px;">
<span style="font-weight: normal;">(Great set of problems for practicing your exploit skills).</span></div>
<div>
<span style="font-size: 13px; font-weight: normal;"><br /></span></div>
<div>
<span style="font-size: 13px; font-weight: normal;">What plugins do you find most useful for pen-testing? Do you have any experience using Chrome extensions for web application assessments? I'd love to hear your thoughts.</span></div>
</h2>
</div>
<div style="background-color: white; font-family: Arial, Tahoma, Helvetica, FreeSans, sans-serif; font-size: 13px; line-height: 18px;">
<div style="font-weight: normal;">
<br /></div>
</div>
</h3>
Unknownnoreply@blogger.com0tag:blogger.com,1999:blog-114124230733856093.post-88495643636208111702013-08-15T08:49:00.000-07:002013-08-16T08:48:14.826-07:00Modeling IR Program Maturity<div class="separator" style="clear: both; text-align: center;">
</div>
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgs3LSQFcyyFmMSgPGwW9WulGENMIFXYQqVWHtLcoSj01yQVW5SOSpecFSAvWw3Doa7K0Gzqub_FFERyAyV3-1v2leFJlCK_t3jY_aOg76x_OwFfthenUDIZ-bvUKJi9pUeuadFVfYgZ_k/s1600/process-maturity-curve1.png" imageanchor="1" style="clear: right; float: right; margin-bottom: 1em; margin-left: 1em;"><img border="0" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgs3LSQFcyyFmMSgPGwW9WulGENMIFXYQqVWHtLcoSj01yQVW5SOSpecFSAvWw3Doa7K0Gzqub_FFERyAyV3-1v2leFJlCK_t3jY_aOg76x_OwFfthenUDIZ-bvUKJi9pUeuadFVfYgZ_k/s1600/process-maturity-curve1.png" height="198" width="320" /></a></div>
If you ask IT managers about improving something, you're very likely to get some kind of response that is grounded in the notion of process maturity. One of the most common ways of considering process maturity at a high level is the <a href="https://en.wikipedia.org/wiki/Capability_Maturity_Model_Integration" target="_blank">Capability Maturity Model Integration</a> model (CMMI) developed by Carnegie Mellon University.<br />
<br />
CMMI models often contain five levels of process maturity ranging from ad-hoc processes (heroics) to processes that are highly optimized (continual improvement).<br />
<br />
It is interesting to consider how Incident Response maturity levels might be expressed using a CMMI perspective and what type of differentiating processes might be found at each level of development. In a recent talk, I offered my own take on IR maturity and capability levels (see diagram below).<br />
<div class="separator" style="clear: both; text-align: center;">
</div>
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiRWSWosGtU2DQYJATudVhynhf2thraDRzU7IM_LXcqiXevISaYebR4cazD9N_Smu6XPn-ClNHiU_mVT1hbrM6q7q-SLeWFvjAq1v86Fnu-3NJoz-V3VFGfmvLrYf8_nnvTNQWIai83v1M/s1600/IR+CMMI+Model+(3).jpg" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiRWSWosGtU2DQYJATudVhynhf2thraDRzU7IM_LXcqiXevISaYebR4cazD9N_Smu6XPn-ClNHiU_mVT1hbrM6q7q-SLeWFvjAq1v86Fnu-3NJoz-V3VFGfmvLrYf8_nnvTNQWIai83v1M/s1600/IR+CMMI+Model+(3).jpg" height="475" width="640" /></a></div>
<br />
This model takes into account two core capabilities that are critical to IR success:<br />
<ul>
<li><b>Threat Awareness</b> - Our ability to have accurate and reliable information concerning the presence of threat actors, their intentions, their historical activities, and how our defenses relate to all of the aforementioned.</li>
<li><b>Agility</b> - Our ability to quickly and sufficiently isolate, eradicate, and return the business to normal operations.</li>
</ul>
<div>
By relating these two attributes to common and/or emerging IR program states, we can map out roughly five stages of maturity and capability:</div>
<div>
<b><u><br /></u></b>
<b><u><span style="color: #660000; font-family: Arial, Tahoma, Helvetica, FreeSans, sans-serif; font-size: medium;"><span style="line-height: 18px;">Levels/Stages</span></span></u></b><br />
<b><u><span style="color: #660000; font-family: Arial, Tahoma, Helvetica, FreeSans, sans-serif; font-size: medium;"><span style="line-height: 18px;"><br /></span></span></u></b>
<b><u><span style="color: #073763;">Level 1 Reactive / Ad-hoc</span></u></b></div>
<div>
This is the "nuke-from-orbit" approach that, unfortunately, too many organizations still employ when they discover a compromised asset. By re-imaging or restoring the system from backups, it is possible to get back to business very quickly (high agility), but no real knowledge is gained of how the system was hacked, why it was hacked, and what it was used for once compromised (threat awareness).</div>
<div>
<br /></div>
<div>
<b><u><span style="color: #073763;">Level 2 Tool Driven / Signature Based</span></u></b></div>
<div>
At this phase, organizations adopt automated tools that look for potential compromises in the environment. These are often signature-driven tools (AV, IDS, etc.) that provide some automated alerts of potential compromises. Remediation of these compromised systems is also driven by tools, sometimes in an effort to "clean" a system of compromise (which is incidentally not a good idea).<br />
<br /></div>
<div>
<b><u><span style="color: #073763;">Level 3 Process Driven</span></u></b></div>
<div>
At this phase, organizations have adopted internal formal IR roles, processes, and governance structures. For many organizations, this is the ideal state of operations where attacks are detected, analyzed, and addressed in a cost-effective and repeatable manner. The only deficiency with this model is that dealing with targeted attacks requires more than just good processes. </div>
<div>
Important Papers/Documentation: <a href="http://csrc.nist.gov/publications/drafts/800-61-rev2/draft-sp800-61rev2.pdf%E2%80%8E" target="_blank">NIST 800-61</a><br />
<br /></div>
<div>
<b><u><span style="color: #073763;">Level 4 Intelligence Driven</span></u></b></div>
<div>
For many large organizations, intelligence-driven IR is now the goal due to the prevalence of APT risks. This IR level requires having a more detailed and up-to-date understanding of threat actors, including their objectives, motivation, and their TTP profile (tools, tactics, procedures). This knowledge of adversarial disposition is then used to architect security defenses and detective controls in a manner that allows discrete actions to be taken to disrupt, degrade, and deny the ability of an adversary to reach their objectives.<br />
Important Papers/Documentation: <a href="https://www.google.com/url?sa=t&rct=j&q=&esrc=s&source=web&cd=1&cad=rja&ved=0CDIQFjAA&url=http%3A%2F%2Fwww.lockheedmartin.com%2Fcontent%2Fdam%2Flockheed%2Fdata%2Fcorporate%2Fdocuments%2FLM-White-Paper-Intel-Driven-Defense.pdf&ei=D_MMUvzkGYzUyQGS1oHQDg&usg=AFQjCNHIIPq8g4rl2LEnXqGQUkBlXWIYJg&sig2=wwUAcl5BUZNAluKIwhXxOA&bvm=bv.50723672,d.aWc" target="_blank">Intelligence Driven Computer Network Defense</a> (Lockheed Martin)<br />
<span style="color: #660000;"><b><u><br /></u></b></span>
<b><u><span style="color: #073763;">Level 5 Predictive Defense</span></u></b></div>
<div>
Predictive defense is still a very new area. Terms like "active defense" also seem to be used to describe this level of operations, but cause a great deal of confusion. At its heart, this approach involves the convergence of IR processes and an adaptive defensive architecture that can be used to "waylay" adversaries when they enter, operate, and move within protected environments. I suspect one of the key characteristics of this model will ultimately be the ability to develop capabilities that allow <a href="https://en.wikipedia.org/wiki/Denial_and_deception" target="_blank">deception and denial operations</a>.<br />
<br />
For an idea of what this might look like, check out this presentation by MITRE researchers:</div>
<div>
<div class="separator" style="clear: both; text-align: center;">
<object class="BLOGGER-youtube-video" classid="clsid:D27CDB6E-AE6D-11cf-96B8-444553540000" codebase="http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab#version=6,0,40,0" data-thumbnail-src="https://ytimg.googleusercontent.com/vi/9g_HLNXiLto/0.jpg" height="266" width="320"><param name="movie" value="https://youtube.googleapis.com/v/9g_HLNXiLto&source=uds" /><param name="bgcolor" value="#FFFFFF" /><param name="allowFullScreen" value="true" /><embed width="320" height="266" src="https://youtube.googleapis.com/v/9g_HLNXiLto&source=uds" type="application/x-shockwave-flash" allowfullscreen="true"></embed></object></div>
<div style="text-align: center;">
<span style="font-size: small;">2013-03-20 CERIAS - Active Cyber Network Defense with Denial and Deception</span></div>
</div>
<div>
<span style="color: #660000; font-family: Arial, Tahoma, Helvetica, FreeSans, sans-serif; font-size: medium;"><span style="line-height: 18px;"><b><u><br /></u></b></span></span>
<span style="color: #660000; font-family: Arial, Tahoma, Helvetica, FreeSans, sans-serif; font-size: medium;"><span style="line-height: 18px;"><b><u>Finding The Right Level</u></b></span></span><br />
It is important for us to consider our IR program maturity and capabilities in relation to the threats that we are <u>most likely</u> to face and the scope of impact these threats can create.<br />
<br />
If you are an SMB, then it probably doesn't make a great deal of financial sense to go beyond a level 3 state of preparedness (having a maintained plan, concrete roles/responsibilities, lines of communication, and established response procedures). Getting to this point is in fact a great deal of work for many organizations and allows for cost-effective management of the lion's share of security incidents related to "drive-by attacks".<br />
<br />
However, if your organization maintains valuable intellectual property or has a highly recognized brand, then you've probably already realized that just having a formal IR plan and processes is not sufficient to deal with the risk of targeted intrusions. For these risks, we have to begin to think more in terms of chess than checkers. A great place to start thinking about some of these issues is the seminal paper <a href="https://www.google.com/url?sa=t&rct=j&q=&esrc=s&source=web&cd=1&cad=rja&ved=0CDIQFjAA&url=http%3A%2F%2Fwww.lockheedmartin.com%2Fcontent%2Fdam%2Flockheed%2Fdata%2Fcorporate%2Fdocuments%2FLM-White-Paper-Intel-Driven-Defense.pdf&ei=D_MMUvzkGYzUyQGS1oHQDg&usg=AFQjCNHIIPq8g4rl2LEnXqGQUkBlXWIYJg&sig2=wwUAcl5BUZNAluKIwhXxOA&bvm=bv.50723672,d.aWc" target="_blank">Intelligence Driven Computer Network Defense</a>.<br />
<br /></div>
<div>
<u style="background-color: white; font-family: Arial, Tahoma, Helvetica, FreeSans, sans-serif; font-size: 13px; line-height: 18px;"><span style="color: #660000; font-size: medium;"><b>Ideas/Further Reading?</b></span></u></div>
What are your ideas about how IR process maturity and capabilities can be logically grouped? Is a five stage model sufficient? I'd love to hear your thoughts.<br />
<br />
<span style="background-color: white; line-height: 18px;"><span style="font-family: Trebuchet MS, sans-serif;"><a href="http://sourceforge.net/projects/adhd/?source=dlp" style="color: #555555;" target="_blank">Active Defense Harbinger Distribution (ADHD)</a><span style="color: #555555;"> - </span>(Linux distro that SANS uses in their active defense classes.)</span></span><br />
<span style="font-family: Trebuchet MS, sans-serif;"><br /></span>
<span style="font-family: Trebuchet MS, sans-serif; font-weight: normal;"><a href="http://www.darkreading.com/attacks-breaches/how-lockheed-martins-kill-chain-stopped/240148399" target="_blank">How Lockheed Martin's 'Kill Chain' Stopped SecurID Attack</a> (Short article on Kill Chain Framework)</span><br />
<span style="font-family: Trebuchet MS, sans-serif;"><span style="font-weight: normal;"><br /></span>
</span><br />
<span style="font-family: Trebuchet MS, sans-serif; font-weight: normal;"><a href="https://upload.wikimedia.org/wikipedia/commons/7/73/Advanced_persistent_threat_lifecycle.jpg" target="_blank">Diagram APT Life-Cycle</a></span><br />
<br />
<br />Unknownnoreply@blogger.com0tag:blogger.com,1999:blog-114124230733856093.post-66699465706643540312013-07-26T08:20:00.000-07:002013-07-29T05:41:28.746-07:00How To Get More From Your IT Certs<div style="text-align: right;">
</div>
<div class="separator" style="clear: both; text-align: center;">
</div>
<div class="separator" style="clear: both; text-align: center;">
</div>
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEimhb2MnmgFwbWy0-AeG3FiJFUFbkR-QeYBCKiRkn7TO5e6Yp1cVm8GAku26I55NhmjTlA1YmCVMQln5UP0o5vaPSKHgX6ERhAQyY2NJ_1PNvn15LOlXd0nss2plOtWPOEgAoI-4ibQW28/s1600/7368198092_67bd902551_z.jpg" imageanchor="1" style="clear: right; float: right; margin-bottom: 1em; margin-left: 1em;"><img border="0" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEimhb2MnmgFwbWy0-AeG3FiJFUFbkR-QeYBCKiRkn7TO5e6Yp1cVm8GAku26I55NhmjTlA1YmCVMQln5UP0o5vaPSKHgX6ERhAQyY2NJ_1PNvn15LOlXd0nss2plOtWPOEgAoI-4ibQW28/s1600/7368198092_67bd902551_z.jpg" height="202" width="320" /></a></div>
<span style="text-align: right;">As many of us are keenly aware, the information technology and security certification process is far from ideal. There are more than a few <a href="http://www.infosecisland.com/blogview/22257-Your-CISSP-is-Worthless-So-Now-What.html" target="_blank">legitimate concerns about what we are actually getting</a> out of expensive efforts to produce a highly certified labor force (noting that this isn't always correlated with highly skilled). One thing however that is interesting in these types of discussions is that we have a natural tendency to focus on what <b><u>others</u></b> should be doing: certification bodies, HR departments, etc...</span><br />
<span style="text-align: right;"><br /></span>
<span style="text-align: right;">While it is easy to criticize others, it is much harder to determine if there are things that <b><u>we can do ourselves</u></b> to make things better. Along that line of thought, here are some ideas on ways that you can get the most real benefit from your own certification efforts:</span><br />
<div>
<div style="text-align: left;">
<span style="color: #660000; font-size: large; font-weight: bold; text-decoration: underline;"><br /></span>
<span style="color: #660000; font-size: large; font-weight: bold; text-decoration: underline;">Forget About "The Test"</span></div>
<div style="text-align: left;">
When you think about IT/IS certification, there are probably a few things that flash through your mind: studying, jobs, money, bragging rights, and the test. It is usually that last item that gives people the most anxiety. This anxiety causes a lot of folks to view certifications as a testing challenge. If you look at certification attempts in this way, you often end up focusing 100% of your energy on <u>just</u> passing the eventual exam. The truth is that you can study for a test without really having a deep understanding of the material the test covers; this approach involves a form of intelligent guessing anchored to some rote memorization. You can get really good at this approach and "defeat" many exams. However, at the end of this process, you've only gotten better at taking tests and not at the actual material that the test is built around.</div>
<div class="separator" style="clear: both; text-align: left;">
<br /></div>
<div class="separator" style="clear: both; text-align: left;">
A better way to look at a certification attempt is as an opportunity for formal study of a body of material. Every time you prepare for a certification, you should think about the competencies that the program is attempting to establish as a foundation. If the certification is not explicit about this, then you yourself should write down all the concepts, methods, and practices that you should be able to competently manage at the end of your studies. You should then build your study plan around addressing those areas where you are deficient and hammer these hard. This is the real work behind a certification attempt. When you can <u>prove to yourself</u> that you meet the baseline competencies that the certification covers, then begin to focus on the test. Ironically, you may have to study the exam itself at that stage to translate your knowledge into the confines of the examination process. However, if you've done things in the right order and not cheated yourself out of garnering real knowledge and capability, then preparing for the test is often a very easy task. The important thing is not confusing the two objectives: passing the exam is not the same as deserving the certification. </div>
<div class="separator" style="clear: both; text-align: center;">
<br /></div>
<div style="text-align: left;">
<u><span style="color: #660000; font-size: large;"><b>Study As If To Teach</b></span></u></div>
<div class="separator" style="clear: both; text-align: center;">
</div>
<div style="text-align: left;">
Another way to get more value out of your certification attempt is to make some small tweaks to the way you study. A few years back, my study methods were basically reading, flash cards, and doing quick hands-on run-throughs of anything related to command syntax or specific tools. This approach is more than enough to pass a great number of IT/IS certification exams; however, while studying this way I felt that I was merely getting competent and not really gaining a deep understanding of some areas. Then I came across some advice in a book about reading everything as if you <u>had to</u> teach it at the end of the week. This single tweak in perspective, applied to my weekly reading, made huge differences to my retention of knowledge.<br />
<br />
High caliber educators have known this for a long time. The best way to learn anything is to prepare to teach it. As you go through your certification process, think about how you would teach the material that you are studying. Also, think about how you would explain it to someone who doesn't have a technical background. Einstein had a great quote about this:<span style="background-color: white;"> <span style="font-family: inherit;">"<span style="color: #400000;">You do not really understand something unless you can explain it to your grandmother."</span></span></span><br />
<br />
Give it a try and see how it works for you. If you internalize information while thinking about how you would teach it, then you will see amazing improvements in your depth of understanding. Even better, you might actually look for groups and opportunities to teach the material to others.<br />
<br /></div>
<div style="text-align: left;">
<u><span style="color: #660000; font-size: large;"><b>Have A Knowledge Maintenance Plan</b></span></u></div>
<div style="text-align: left;">
This one is a bit of a hard truth, but for many people the knowledge they gain in their certification process will have eroded to some extent after six months. Fast forward a few years and the knowledge attrition will be even greater. <b><u>Knowledge is a use-it-or-lose-it game.</u></b> (Remember those foreign language classes you took in high school?) <br />
<br />
To prevent losing the time and effort we expended in building new knowledge, we have to make sure that we have a plan for sustaining it AND adding to it long after the exam is over. If you are committing yourself to being both a knowledgeable and skilled professional, then you are never done learning and reinforcing what you have learned. <b>Do not make the mistake of thinking that you are done with studying once a certification is over.</b> I have never met a highly qualified professional who didn't, in addition to his/her daily work in the office, also have a home lab or side project that they were working on. I personally try to spend at least 30 minutes to one hour (if I'm lucky) practicing a new skill or reviewing things I've learned in the past. It's a hard commitment to keep, especially when things get busy, but a critical one if you are going to work in any field that deals with technology.<br />
<br />
The basic maintenance task of reviewing what you have already learned can be greatly aided by building a system around the learning technique of <a href="https://en.wikipedia.org/wiki/Spaced_repetition" target="_blank">spaced repetition</a>. The basic idea of spaced repetition is that if you need to retain a large amount of material over an indefinite time span, then the best way to do this is to periodically revisit the material over a long period. A great tool for accomplishing this is <a href="http://ankisrs.net/" target="_blank">Anki</a>, an open-source flash card program that works on a variety of platforms, including mobile devices running iOS and Android. I really can't say enough about this program. I now use it for maintaining knowledge bases for almost everything, professional and personal, that I am actively learning and developing knowledge and skill in.<br />
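As an added example of the scheduling idea (written for this edit, not code from the post or from Anki), here is a minimal spaced-repetition scheduler in Python modeled on the SuperMemo SM-2 algorithm, the family Anki's scheduling descends from. The Card fields, the 0 to 5 self-grade scale and the sample grade sequences are this example's own assumptions.

```python
from dataclasses import dataclass, field
from datetime import date, timedelta


@dataclass
class Card:
    """One flash card plus its scheduling state (field names are this example's own)."""
    front: str
    back: str
    ease: float = 2.5      # SM-2 "easiness factor"; every card starts at 2.5
    interval: int = 0      # days between the last review and the next one
    reps: int = 0          # consecutive successful recalls
    due: date = field(default_factory=date.today)


def review(card: Card, quality: int, today: date) -> Card:
    """Apply one SM-2 review to the card.

    quality is the self-grade for the recall: 0 (complete blackout) to 5 (perfect).
    A grade below 3 is a lapse: the card restarts at a one-day interval, and its
    ease drops so future intervals grow more slowly.
    """
    if not 0 <= quality <= 5:
        raise ValueError("quality must be between 0 and 5")
    if quality >= 3:
        if card.reps == 0:
            card.interval = 1
        elif card.reps == 1:
            card.interval = 6
        else:
            card.interval = round(card.interval * card.ease)
        card.reps += 1
    else:
        card.reps = 0
        card.interval = 1
    # SM-2 ease update; 1.3 is the floor so intervals never stop growing.
    delta = 0.1 - (5 - quality) * (0.08 + (5 - quality) * 0.02)
    card.ease = max(1.3, card.ease + delta)
    card.due = today + timedelta(days=card.interval)
    return card


def due_cards(deck: list[Card], today: date) -> list[Card]:
    """The day's review queue: every card whose due date has arrived."""
    return [c for c in deck if c.due <= today]


def simulate(card: Card, grades: list[int], start_iso: str) -> list[int]:
    """Replay a sequence of grades, each given on the day the card comes due.

    Returns the interval (in days) assigned after each review, which shows how
    quickly a well-known card spaces out and how a lapse collapses the schedule.
    """
    today = date.fromisoformat(start_iso)
    intervals = []
    for g in grades:
        review(card, g, today)
        intervals.append(card.interval)
        today = card.due
    return intervals


if __name__ == "__main__":
    # Constructed sample deck: a couple of facts a candidate might drill.
    deck = [
        Card("NIST SP 800-61 incident phases",
             "Preparation; Detection and Analysis; Containment, Eradication, and Recovery; Post-Incident Activity"),
        Card("Year WEP shipped in the original 802.11 standard", "1999"),
    ]
    print([c.front for c in due_cards(deck, date.today())])
    print("steady recall:", simulate(Card("q", "a"), [5, 5, 5, 5], "2013-07-26"))
    print("lapse on third review:", simulate(Card("q", "a"), [5, 5, 2, 4], "2013-07-26"))
```

Running it shows the point of the technique: a card graded 5 four times in a row is pushed out to 1, 6, 16 and then 45 days, so the review load for well-known material keeps shrinking, while a single lapse (any grade below 3) drops the card back to a one-day interval with a lower ease factor, so it is seen again soon and spaces out more cautiously afterwards.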
<br />
To get a better idea of what Anki can do, check out the presentation below by Roger Craig, who holds the all-time record for single-day winnings on Jeopardy. In this video he discusses his study strategy and how he uses Anki to execute it and measure his progress.<br />
<br />
<div class="separator" style="clear: both; text-align: center;">
</div>
<iframe allowfullscreen="" frameborder="0" height="300" mozallowfullscreen="" src="http://player.vimeo.com/video/48070812?title=0&byline=0&portrait=0" webkitallowfullscreen="" width="400"></iframe>
</div>
<div>
<span style="text-align: right;"><br /></span><span style="color: #660000; font-size: large;"><b><u><br /></u></b></span><br />
<span style="color: #660000; font-size: large;"><b><u>Actually Use Your Knowledge </u></b></span><br />
<span style="text-align: right;">Last but not least, you can't forget that the best way to maintain your knowledge is to use it! No multiple-choice test can ever measure your ability to do something innovative, useful, and possibly even productive with your knowledge. Nothing beats experience. Nothing. Accept no substitutes, even if they do offer you an attractive piece of paper to hang on the wall. :-) </span><br />
<span style="text-align: right;"><br /></span>
<u><span style="color: #660000; font-size: large;"><b>Ideas/Further Reading?</b></span></u><br />
<span style="text-align: right;">Do you have methods you've developed for getting the most value from your certification attempts? I'd love to hear about it. </span><br />
<span style="text-align: right;"><br /></span>
<span style="text-align: right;"><span style="font-family: inherit;"><a href="http://ankisrs.net/" target="_blank">Anki</a> (Highly recommended. Great tool for managing your personal KB through spaced repetition).</span></span><br />
<span style="font-family: inherit;"><a href="http://daveshackleford.com/?p=838" target="_blank">Your CISSP is Worthless - So Now What?</a> (Good post + points by <a href="http://daveshackleford.com/" target="_blank">Dave Shackleford</a>)</span><br />
<span style="font-family: inherit;"><a href="http://blogs.computerworld.com/17799/why_certify" target="_blank">The real value of IT certifications: Education</a> (Nice article by <a href="http://blogs.computerworld.com/user/don-r-crawley" rel="author" target="_blank">Don R. Crawley</a>)</span><br />
<br /></div>
</div>
Unknownnoreply@blogger.com0tag:blogger.com,1999:blog-114124230733856093.post-89868396489541993722013-07-16T07:33:00.004-07:002013-07-23T06:35:59.243-07:00Three Reasons Why WEP Still Matters<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEh3SXlwvdAhnYpcuhXE6euTiyvORKgxFzpWTvGjI1uVts2xpmK7mOb7eABCs-N6rXsvKfz4MyWBbqnpx6KW-iqM85x_zu4dgHpTdeZBPeovGiVkJCOBzN7Ro5FW9TipSWhtvmrOVjxDWW5D/s1600/wep_zombies.jpg" imageanchor="1" style="clear: right; float: right; font-weight: bold; margin-bottom: 1em; margin-left: 1em;"><img border="0" height="320" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEh3SXlwvdAhnYpcuhXE6euTiyvORKgxFzpWTvGjI1uVts2xpmK7mOb7eABCs-N6rXsvKfz4MyWBbqnpx6KW-iqM85x_zu4dgHpTdeZBPeovGiVkJCOBzN7Ro5FW9TipSWhtvmrOVjxDWW5D/s1600/wep_zombies.jpg" width="276" /></a><br />
In information security, we often spend a significant amount of time focusing on the latest vulnerabilities and attacks. Our drive to find new things to worry about is often influenced by subjects that we don't prefer as much -- old security issues. The fact that so many "old" security problems are still relevant is often a source of professional chagrin. However painful it may be, it is important to periodically revisit long standing issues that still hound us. If we are going to make progress and meaningfully grapple with contemporary challenges, then we have to truly learn from the failures of the past. <b>WEP</b> represents one security failure that we can't afford to forget.<br />
<br />
<b><u><span style="color: #660000;">Brief History of WEP</span></u></b><br />
WEP, or <a href="https://en.wikipedia.org/wiki/Wired_Equivalent_Privacy" target="_blank">Wired Equivalent Privacy</a>, is a WiFi security algorithm that was bundled into the original 802.11 standard back in "ancient times" (1999) and developed by a group of <a href="https://www.ieee.org/index.html" target="_blank">IEEE </a>volunteers. The aim of WEP was to provide confidentiality for wireless transmissions (a shared medium) similar to that of wired switched connections. Almost immediately after WEP's introduction, <a href="http://www.cse.sc.edu/~wyxu/719Spring12/papers/JesseWalkerWEP.doc" target="_blank">serious security flaws</a> were uncovered, along with increasingly sophisticated methods for exploiting these weaknesses. However, the final death-blow for WEP should have come in 2007, when researchers in Germany <a href="http://eprint.iacr.org/2007/120.pdf" target="_blank">demonstrated methods which allowed recovery of WEP keys in record time</a> ("Gone In 60 Seconds").<br />
<br />
The fact that WEP is irrevocably broken is of course only a small part of the story. For many years now, the battle to eradicate WEP has raged on and been fought on many fronts. One primary front has been education: if you've taken any security or network courses, you've certainly had it drilled into you by your instructors that WEP is bad (if they didn't explain exactly why, then check out the video at the bottom of the post). Another major effort to outlaw WEP was made via compliance: PCI-DSS v1.2 (introduced in 2008) explicitly prohibited WEP for use in merchant card-holder environments. The latest major push is being made through equipment phase-out: the WiFi Alliance announced in 2010 that WiFi certified equipment should deprecate all WEP functionality by this year (2013).<br />
<br />
Even with all the effort spent to make WEP a bad memory of the past, the sad truth is that WEP remains a very important issue for three reasons:<br />
<br />
<b><u><span style="color: #660000;">Reason #1. WEP Isn't Dead (Legacy Tech Zombies On)</span></u></b><br />
The sad truth is that WEP is still very much alive. Evidence to this point can be found on<a href="https://wigle.net/" target="_blank"> WIGLE</a>, a site where individuals submit both the location and properties of wireless networks from around the world. <span style="text-align: center;">At the close of 2012, WIGLE statistics show that WEP encrypted access points still made up ~ 18.8% of all wireless networks observed to date. So, 1 in 5 wireless networks globally may still be using a fundamentally flawed encryption solution (see stats below).</span><br />
<table cellpadding="0" cellspacing="0" class="tr-caption-container" style="float: right; margin-left: 1em; text-align: right;"><tbody>
<tr><td style="text-align: center;"><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEh0yCI7BuSpJeHYNZTAKePtzGtlAhT2Z-pabmpZONbXm8uCTcKmsb0Oa3sbOQWWxLMuyaFoa_K8p81NJ9bUoS2W_tUrZs7qN9gdkGCbdBhxN2i63fXHl-wNgwcyGhPifgN3mFpfNBmKznw/s1600/331600.gif" imageanchor="1" style="clear: right; margin-bottom: 1em; margin-left: auto; margin-right: auto;"><img border="0" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEh0yCI7BuSpJeHYNZTAKePtzGtlAhT2Z-pabmpZONbXm8uCTcKmsb0Oa3sbOQWWxLMuyaFoa_K8p81NJ9bUoS2W_tUrZs7qN9gdkGCbdBhxN2i63fXHl-wNgwcyGhPifgN3mFpfNBmKznw/s1600/331600.gif" height="200" width="200" /></a></td></tr>
<tr><td class="tr-caption" style="text-align: center;"><b>Legacy Tech Doesn't Die Easily </b></td></tr>
</tbody></table>
<table align="center" cellpadding="0" cellspacing="0" class="tr-caption-container" style="margin-left: auto; margin-right: auto; text-align: center;"><tbody>
<tr><td style="text-align: center;"><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEg1F17NHf3Rn4UvOcH6Fu8u3ATqMtDMLCglrnF-kOLwbzrr4GSTWRQihNliIRXq9tQnRfNY4PRgp4ZFh6Vgy2MV15jxoQT3GdxB80wGUWoMWVXWdBqsP7W7721_uI3Emk79COrPyrPkUas/s1600/wifi_stats.jpg" imageanchor="1" style="margin-left: auto; margin-right: auto; text-align: center;"><img border="0" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEg1F17NHf3Rn4UvOcH6Fu8u3ATqMtDMLCglrnF-kOLwbzrr4GSTWRQihNliIRXq9tQnRfNY4PRgp4ZFh6Vgy2MV15jxoQT3GdxB80wGUWoMWVXWdBqsP7W7721_uI3Emk79COrPyrPkUas/s1600/wifi_stats.jpg" /></a></td></tr>
<tr><td class="tr-caption" style="text-align: center;">Source: WIGLE Wireless Stats</td></tr>
</tbody></table>
It is astounding to consider that nearly 20% of all wireless access points are susceptible to easily performed attacks (and, of course, 25% of those observed by "WIGLERs" employed no crypto at all). <br />
<br />
We know, of course, that both people and businesses often don't upgrade or reconfigure technology that continues to function, even when they are cognizant of the risks (e.g. the <a href="http://www.bestsecuritytips.com/news+article.storyid+226.htm" target="_blank">TJ Maxx breach</a>). For this reason, WEP remains a "live" vulnerability in a very real sense. More fundamentally, however, the "long life" of flawed or outdated security methods should give us all reason to pause (<a href="http://www.thoughtcrime.org/blog/ssl-and-the-future-of-authenticity/" target="_blank">SSL + CAs</a>, anyone?).<br />
<br />
<br />
<b><u><span style="color: #660000;">Reason #2. WEP Reminds Us That Security Review Is Essential </span></u></b><br />
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgkSg6WS9T5hqIkkTXv_hBlkt1JEKAyJAfhERsgQHoCfbXKZ_6OqHphBY3qtUXbhhw8xD8Tkqi6RXWDGC-KcPx042Z75hV0CNaMRI73Ok6POCTINlkeUsgEOt9BTVq3gttrOXDfxNCdLAg/s1600/download.jpg" imageanchor="1" style="clear: right; float: right; margin-bottom: 1em; margin-left: 1em;"><img border="0" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgkSg6WS9T5hqIkkTXv_hBlkt1JEKAyJAfhERsgQHoCfbXKZ_6OqHphBY3qtUXbhhw8xD8Tkqi6RXWDGC-KcPx042Z75hV0CNaMRI73Ok6POCTINlkeUsgEOt9BTVq3gttrOXDfxNCdLAg/s1600/download.jpg" height="150" width="200" /></a>While we often talk about the flaws in WEP in terms of misuse of cryptographic primitives, we rarely talk about the core issue that led to this. It is held by many that the real root cause of WEP's flaws was the <b>lack of peer review</b> (especially by cryptographers), which allowed the IEEE engineers to get so far down the road without spotting significant design flaws.<br />
<br />
The lack of effective security review remains a major issue that shows up over and over again. One illustrative example, which delights some and pains others, is the history of failure of DRM technologies that were incubated in relative isolation (e.g. the <a href="http://www.zdnet.com/blog/hardware/aacs-busted/256" target="_blank">defeat of AACS</a>). In any major system design, if security issues are missed early in the design stage, the cost of addressing them downstream through retroactive engineering is often so high that companies don't even bother.<br />
<br />
On the IT end of this issue, when is the last time you heard a vendor tell you not to worry about the security of their product because "it's encrypted"? The lesson of WEP should also have taught us that even if vendors do use strong encryption algorithms, implementation flaws in other areas (e.g. the PRNG, key management, etc.) can seriously cripple or invalidate the security of the whole system. For this reason, the response to "it's encrypted" needs to be a number of questions that few actually ever ask. One of these questions should be: how exactly does the company approach solution/code review to avoid missing serious issues? The <a href="https://www.owasp.org/index.php/Security_Code_Review_in_the_SDLC" target="_blank">integration of security code review</a> (particularly by third parties) into software design processes can yield highly cost-effective identification and remediation of security issues early in the project pipeline. However, many companies still do not have mature development processes that reduce the risk of myopic omissions through effective independent security testing and review.<br />
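To make concrete what "misuse of cryptographic primitives" means in WEP's case, here is an added example (my own illustration, not the post's code or any vendor's): two constructed frames are encrypted WEP-style, with RC4 seeded by IV || shared key, and the block shows that a repeated 24-bit IV leaks the XOR of the two plaintexts without the shared key ever being recovered, then computes the birthday bound for how soon a random IV repeats. The key, IV and frames are made up.

```python
"""Why a 24-bit IV breaks WEP: RC4 keystream reuse on constructed frames.

Added example; not code from the post. Textbook RC4 plus WEP's per-frame
keying (IV || shared key). The key, IV and frames below are made up.
"""
import math


def rc4_keystream(key: bytes, length: int) -> bytes:
    """Textbook RC4: key-scheduling (KSA) then the output generator (PRGA)."""
    s = list(range(256))
    j = 0
    for i in range(256):
        j = (j + s[i] + key[i % len(key)]) & 0xFF
        s[i], s[j] = s[j], s[i]
    out = bytearray()
    i = j = 0
    for _ in range(length):
        i = (i + 1) & 0xFF
        j = (j + s[i]) & 0xFF
        s[i], s[j] = s[j], s[i]
        out.append(s[(s[i] + s[j]) & 0xFF])
    return bytes(out)


def xor_bytes(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def wep_encrypt(iv: bytes, shared_key: bytes, frame: bytes) -> bytes:
    """WEP seeds RC4 with the 3-byte IV prepended to the 5- or 13-byte shared
    key, so every frame sent under the same IV uses the same keystream."""
    if len(iv) != 3:
        raise ValueError("WEP IVs are 24 bits")
    return xor_bytes(frame, rc4_keystream(iv + shared_key, len(frame)))


def keystream_reuse_leak(iv: bytes, shared_key: bytes, p1: bytes, p2: bytes) -> bytes:
    """Two frames under one IV: c1 XOR c2 == p1 XOR p2. Confidentiality is
    lost without the shared key ever being recovered; this is the structural
    flaw (IV too small, keystream reused), not a weakness of RC4's core."""
    c1 = wep_encrypt(iv, shared_key, p1)
    c2 = wep_encrypt(iv, shared_key, p2)
    return xor_bytes(c1, c2)


def frames_until_iv_repeat(iv_bits: int = 24, probability: float = 0.5) -> int:
    """Birthday bound: frames sent before a randomly chosen IV repeats with the
    given probability. A sequential IV counter wraps after 2**24 frames, but
    random IVs collide far sooner (about 4.8k frames for a 50% chance)."""
    n = 2 ** iv_bits
    return math.ceil(math.sqrt(2 * n * math.log(1 / (1 - probability))))


if __name__ == "__main__":
    key = bytes.fromhex("0102030405")   # constructed 40-bit shared key
    iv = b"\x00\x00\x01"                # constructed IV, reused on purpose below
    p1 = b"constructed frame one"
    p2 = b"constructed frame two"
    leak = keystream_reuse_leak(iv, key, p1, p2)
    print("c1 xor c2 == p1 xor p2:", leak == xor_bytes(p1, p2))
    print("50% chance of an IV repeat after", frames_until_iv_repeat(), "frames")
```

Note that a larger IV or a per-frame key derivation (as WPA2 does) removes the reuse, which no amount of "stronger RC4 key" would.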
<br />
<b><u><span style="color: #660000;">Reason #3. Hacking WEP Should Be a Basic Skill For IS Pros</span></u></b><br />
Ever had to introduce yourself at a party and explain what you do for a living? If you said something about "information security" or the like, you might have gotten a response like "oh, so you break into computers for a living".<br />
<br />
Even if your IS-related job has nothing to do with breaking into computers, I'd suggest that you still develop and maintain the ability to demonstrate the impact of ignoring common security flaws. The adage holds true that seeing is believing, but sadly many IS professionals lack the training to demonstrate even simple hacks. One of the reasons that WEP is still alive is that there are no doubt still many misguided souls who believe that WEP is "secure enough". This statement most often reveals a lack of understanding of how trivial it is to defeat most WEP implementations, or the false assumption that no one would bother attacking their WLAN. Dislodging these viewpoints is often easily done by demonstrating (with permission, of course) how easy it really is to slice through bad security. <br />
<br />
If you've never cracked WEP before, the <a href="http://www.aircrack-ng.org/doku.php?id=simple_wep_crack" target="_blank">Aircrack-ng simple WEP cracking tutorial</a> is a great place to start. Also, check out the video below on the structural weaknesses in the WEP protocol to understand how these attacks work under the hood.<br />
<div class="separator" style="clear: both; text-align: center;">
<iframe allowfullscreen='allowfullscreen' webkitallowfullscreen='webkitallowfullscreen' mozallowfullscreen='mozallowfullscreen' width='320' height='266' src='https://www.youtube.com/embed/4FNRb23TML0?feature=player_embedded' frameborder='0'></iframe></div>
<div>
<div>
<div>
<u><span style="color: #660000;"><b>Ideas?/Further Reading</b></span></u></div>
<div>
What are some other "old security" problems that are still with us and worthy of attention? I'd love to hear your thoughts.<br />
<br /></div>
<div>
<b><a href="http://www.cse.sc.edu/~wyxu/719Spring12/papers/JesseWalkerWEP.doc" style="text-decoration: underline;" target="_blank">Unsafe At Any Key Size by Dr. Jesse Walker</a> (Seminal paper on WEP weaknesses)</b></div>
<div>
<div>
<span style="background-color: transparent;"><a href="http://standards.ieee.org/about/get/802/802.11.html" target="_blank">IEEE 802.11 Standards</a></span></div>
</div>
</div>
</div>
Unknownnoreply@blogger.com0tag:blogger.com,1999:blog-114124230733856093.post-51282867010969938682013-05-30T12:27:00.000-07:002013-06-24T06:49:05.986-07:00Errorists' Empire - Exploring Typo Networks<div style="text-align: right;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhHrgBL71q-OB0ZR8T_7p6KO5E_FbWQKIYIEACzCJhvjf-Dj8fJez7puc6vxxhHCSWhb_Xzw1I-ufzp3nNoqUIvBnnWVvL3k1Qc4akF2sGeBgFAOL9m9TpuRiKEU5PbxXcSoaOGGYsU8Yw/s1600/Screen+Shot+2013-02-26+at+9.18.48+AM.jpg" imageanchor="1" style="clear: right; float: right; margin-bottom: 1em; margin-left: 1em; text-align: center;"><img border="0" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhHrgBL71q-OB0ZR8T_7p6KO5E_FbWQKIYIEACzCJhvjf-Dj8fJez7puc6vxxhHCSWhb_Xzw1I-ufzp3nNoqUIvBnnWVvL3k1Qc4akF2sGeBgFAOL9m9TpuRiKEU5PbxXcSoaOGGYsU8Yw/s1600/Screen+Shot+2013-02-26+at+9.18.48+AM.jpg" height="174" width="320" /></a></div>
<div style="text-align: left;">
Have you ever mistyped a web address? Of course you have, and you are not alone. Every day a vast number of web requests are sent to typo addresses, close cousins of major web-site addresses that differ by only one or two characters. When you consider the amount of traffic that typo-sites can receive, it is easy to understand why these domains are so valuable. For years, "<a href="https://en.wikipedia.org/wiki/Typosquatting" target="_blank">Typosquatters</a>" have been reaping the value of bad typing, using inventive means to generate revenue. </div>
<br />
<b><span style="color: #660000;">However, what is interesting is that a significant number of typo-sites can be observed using identical methods to mislead users into installing a common set of binaries onto PCs (more below). </span></b><br />
<br />
During this review, I found over 341 significant typo-sites using related tactics, hosting resources, and executables. These sites included numerous typo variations that easily receive traffic intended for major sites like: <b>Blogspot, Craigslist, Foxsports, Google, Gmail, Hotmail, Linkedin, Nationgeographic.com, Sourceforge.net, UN.org</b><br />
<br />
A more comprehensive list of these typo-sites can be found on <a href="http://pastebin.com/wGc7vSaa" target="_blank">pastebin</a> for those interested.<br />
<br />
<span style="font-family: inherit;"><span style="line-height: 20px;">Looking at some of these address names, it doesn't take a great deal of imagination to realize that the operators behind this are delivering binaries to a large number of systems daily. </span></span><br />
<span style="font-family: inherit;"><br /></span><span style="line-height: 20px;"><span style="font-family: inherit;"><u><b>This leads us to some interesting questions</b></u></span></span><br />
<ul>
<li>What are the methods used by this group?</li>
<li>What is the monetization process driving these efforts?</li>
<li>What parties are involved in this activity?</li>
</ul>
<b>To start our investigation, let's take a look at what has to probably be one of the most successful typo sites of all time: GMAI.COM.</b><br />
<u><span style="color: #660000;"><b><br /></b></span></u>
<u><span style="color: #660000; font-size: large;"><b>Link Analysis (GMAI.COM)</b></span></u><br />
<span style="font-family: inherit;">Around 5/30/2013, if you happened to miss the "L" in GMAIL.com </span><span style="font-family: inherit;">you'd start your way down a link-path that goes something like this:</span><br />
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhdHmBuwzvIyl9UWtnieS_Ztk7ku1F6eP5wxaLu8cJLb715NrrzsiLuPRuvaTfI31cl68KlDgLaN7yWy3VYjX7T5KNYGuriNkmZzEWzuGt2eKkX3ccaYUmOttLZJTru11IFQZr-8Nn1jQk/s1600/gmai.com.jpg" imageanchor="1" style="clear: left; float: left; margin-bottom: 1em; margin-right: 1em;"><img border="0" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhdHmBuwzvIyl9UWtnieS_Ztk7ku1F6eP5wxaLu8cJLb715NrrzsiLuPRuvaTfI31cl68KlDgLaN7yWy3VYjX7T5KNYGuriNkmZzEWzuGt2eKkX3ccaYUmOttLZJTru11IFQZr-8Nn1jQk/s1600/gmai.com.jpg" height="29" width="320" /></a><br />
- To start off with, <b>gmai.com</b> (<b>208.87.34.65</b>, Securehost/Bahamas - <a href="https://www.virustotal.com/en/ip-address/208.87.34.65/information/" target="_blank">virustotal</a>) serves us a <a href="http://en.wikipedia.org/wiki/HTTP_302" target="_blank">302 redirection bounce</a> in the initial HTTP response, and we get passed to an interesting web-site, "<b>global-adsopt.com</b>" (<b>184.170.128.81</b> / Netelligent Canada), which provides a persistent URL redirection/cloaking service:<br />
<div>
<span style="font-family: inherit; font-size: x-small;"><b> <span style="color: red;">http://global-adsopt.com/?sov=gmai.com&</span></b></span></div>
<div>
<span style="font-family: inherit; font-size: x-small;"><b><span style="color: red;"><br /></span></b></span></div>
<div>
<span style="font-size: x-small;"><b> Example of web-redirection service </b></span><br />
<span style="font-size: x-small;"><b> <u>(same services also found on geoparker.com // 128.204.198.87)</u></b></span></div>
<div>
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhvlzFEnM3USYiEBEKEswRgPzhKRafuKy3kcrj-ki1J2YdmnPnSg6qbfO-TI80N5glOJWxLU6VQlE9iI6XxP1VaNWuwosJKV99qk5McpddS8RYe1UKbREzhzE2OqQhQUwYKw65aMTLadLg/s1600/redirect.jpg" imageanchor="1" style="margin-left: 1em; margin-right: 1em; text-align: center;"><img border="0" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhvlzFEnM3USYiEBEKEswRgPzhKRafuKy3kcrj-ki1J2YdmnPnSg6qbfO-TI80N5glOJWxLU6VQlE9iI6XxP1VaNWuwosJKV99qk5McpddS8RYe1UKbREzhzE2OqQhQUwYKw65aMTLadLg/s1600/redirect.jpg" height="216" width="320" /></a></div>
<div>
- This redirection service hands us a JavaScript redirect to:<br />
<span style="color: red; font-family: 'Courier New', Courier, monospace;"><span style="font-size: x-small;"><b>http://super-saving.glidehomes.com/sid=173652&hid=fphpfflxjtvhpn&&id=cGiveaways2</b></span></span><br />
<div>
<span style="font-family: inherit;">The <b>super-saving.glidehomes.com</b> site is on <a href="http://en.wikipedia.org/wiki/Round-robin_DNS" target="_blank">round-robin DNS</a> with the IPs <b>75.101.216.99</b> (Amazon EC2/US - <a href="http://urlquery.net/report.php?id=2745576" target="_blank">urlquery</a>, <a href="https://www.virustotal.com/en/ip-address/75.101.216.99/information/" target="_blank">virustotal</a>), <b>23.20.106.130</b> (Amazon EC2/US - <a href="http://urlquery.net/report.php?id=2745903" target="_blank">urlquery</a>, <a href="https://www.virustotal.com/en/ip-address/23.20.106.130/information/" target="_blank">virustotal</a>), and <b>208.87.34.21</b> (Securehost/Bahamas - <a href="http://urlquery.net/report.php?id=2745991" target="_blank">urlquery</a>, <a href="https://www.virustotal.com/en/ip-address/208.87.34.21/information/" target="_blank">virustotal</a>).</span><br />
<span style="font-family: inherit;"><br /></span><span style="font-family: inherit;">After reaching this final destination, the site gives us a nice warning and notice that we are<b> required</b> to upgrade to "Adobe Flash 11.0" to proceed. </span><br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEj_VOvITkQv_wo6WWS2wQBjnJ2cpLScKfA0TXyfi95oLnvOXlQNXo_f8Q0xfM6TXnxWGuWji3KzJWXkLhuodJpqidCFMLWytzmZ0nc1mDxYl-oBCRnzQpUJjqcKf7X8iCEcT9ddXW4QTwc/s1600/warning.jpg" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEj_VOvITkQv_wo6WWS2wQBjnJ2cpLScKfA0TXyfi95oLnvOXlQNXo_f8Q0xfM6TXnxWGuWji3KzJWXkLhuodJpqidCFMLWytzmZ0nc1mDxYl-oBCRnzQpUJjqcKf7X8iCEcT9ddXW4QTwc/s1600/warning.jpg" height="137" width="400" /></a></div>
<span style="font-family: inherit;"><br /></span>
<span style="font-family: inherit;"><br /></span></div>
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEj9dZyTWqUdZkj3AG3jDNsTHaOa9LTro55_s3_OFBH8ZAZVnSjvYF1Pd4bS0QC2pq8gMOdB-K-04j4MkmXWF5d-s7sQOVh-7e7BzKPdjnx-pEC-yoUNZwJ-x3s2x3C0ZpKPrGDn90pEQiI/s1600/glidehomes.com.jpg" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEj9dZyTWqUdZkj3AG3jDNsTHaOa9LTro55_s3_OFBH8ZAZVnSjvYF1Pd4bS0QC2pq8gMOdB-K-04j4MkmXWF5d-s7sQOVh-7e7BzKPdjnx-pEC-yoUNZwJ-x3s2x3C0ZpKPrGDn90pEQiI/s1600/glidehomes.com.jpg" height="385" width="640" /></a></div>
<span style="font-family: inherit;"><br /></span><span style="font-family: inherit;">This page also sports some noteworthy disclaimer language; the basic gist is that you are going to be provided with a <b>"customer installer"</b>, which is different from what you were likely expecting.</span><br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhdyyrG89_binCcXJmP9qxa7iRqh_p5TkWQwCR76NbYOiv9QfIweKEAxhO-9az_2bSkOaYriQtJX1MdMnFwh2ciEqctEYP9zIrwK_0WM7_eAQNGDptIfiTUGWQvaGOFXTkmIKQmcDmmNK0/s1600/disclaimer.jpg" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhdyyrG89_binCcXJmP9qxa7iRqh_p5TkWQwCR76NbYOiv9QfIweKEAxhO-9az_2bSkOaYriQtJX1MdMnFwh2ciEqctEYP9zIrwK_0WM7_eAQNGDptIfiTUGWQvaGOFXTkmIKQmcDmmNK0/s1600/disclaimer.jpg" height="172" width="640" /></a></div>
<br />
<span style="font-family: inherit;">At this point, pretty much anything we click on here serves us up a binary; however, the specific file we receive probably varies with factors like which server we hit and our user agent string.</span><br />
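Two parts of this walk-through lend themselves to a defender-side script: the single-character typo variants described at the top of the post (gmai.com is gmail.com with the "l" dropped), and the 302 / JavaScript redirect chain just traced that ends in an executable. The example below is my own addition, not code from the post; it builds a typo watchlist for a few brands and replays the chain over a constructed proxy log. The log format, field names, paths and timestamps are made up; the hostnames are the ones named above.

```python
"""Defender-side detection of typo-domain install funnels.

Added example; not code from the post. Part one generates single-edit typo
variants of a brand as a watchlist; part two replays a redirect chain over a
constructed proxy log and flags a chain that ends in an executable download.
Log format, paths and timestamps are made up; hostnames come from the post.
"""
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime, timedelta
from urllib.parse import urlsplit


def typo_variants(domain: str) -> set:
    """Single-edit variants of the registrable label: omission (gmai.com),
    transposition (gmial.com) and repetition (gmaill.com). The TLD is kept."""
    label, _, tld = domain.partition(".")
    out = set()
    for i in range(len(label)):
        out.add(label[:i] + label[i + 1:])                                # omission
        out.add(label[:i] + label[i] + label[i:])                         # repetition
        if i + 1 < len(label) and label[i] != label[i + 1]:
            out.add(label[:i] + label[i + 1] + label[i] + label[i + 2:])  # transposition
    out.discard(label)
    return {f"{v}.{tld}" for v in out if v}


def build_watchlist(brands):
    """Map each typo variant back to the brand it impersonates."""
    return {v: brand for brand in brands for v in typo_variants(brand)}


@dataclass
class Request:
    ts: datetime
    client: str
    url: str
    status: int
    location: str   # Location header of a 301/302 response, or "-"
    ctype: str

    @property
    def host(self) -> str:
        return urlsplit(self.url).hostname or ""


def parse_log(text: str):
    """Constructed format: ts client method url status location=.. ctype=.."""
    reqs = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, client, _method, url, status, loc, ctype = line.split()
        reqs.append(Request(datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"), client,
                            url, int(status), loc[len("location="):],
                            ctype[len("ctype="):]))
    return reqs


def is_executable(req: Request) -> bool:
    path = urlsplit(req.url).path.lower()
    return req.ctype.startswith("application/") or path.endswith((".exe", ".msi"))


def find_install_funnels(reqs, watchlist, window=timedelta(seconds=60)):
    """Alert when a client lands on a watchlisted typo domain and fetches an
    executable within `window`. A 302 hop carries a Location header but the
    JavaScript redirect in the chain does not, so hops are linked per client
    by time rather than by following Location values."""
    by_client = defaultdict(list)
    for r in sorted(reqs, key=lambda r: r.ts):
        by_client[r.client].append(r)
    alerts = []
    for client, seq in by_client.items():
        for i, start in enumerate(seq):
            brand = watchlist.get(start.host)
            if brand is None:
                continue
            hops, download = [start.host], None
            for nxt in seq[i + 1:]:
                if nxt.ts - start.ts > window:
                    break
                if nxt.host != hops[-1]:
                    hops.append(nxt.host)
                if is_executable(nxt):
                    download = nxt.url
                    break
            alerts.append({"client": client, "typo_domain": start.host,
                           "brand": brand, "hops": hops, "download": download})
    return alerts


# Constructed log lines modelled on the chain described in the post.
LOG_LINES = """\
2013-05-30T12:00:01Z 10.0.0.7 GET http://gmai.com/ 302 location=http://global-adsopt.com/?sov=gmai.com& ctype=text/html
2013-05-30T12:00:02Z 10.0.0.7 GET http://global-adsopt.com/?sov=gmai.com& 200 location=- ctype=text/html
2013-05-30T12:00:03Z 10.0.0.7 GET http://super-saving.glidehomes.com/sid=173652 200 location=- ctype=text/html
2013-05-30T12:00:09Z 10.0.0.7 GET http://super-saving.glidehomes.com/setup.exe 200 location=- ctype=application/x-msdownload
2013-05-30T12:00:10Z 10.0.0.9 GET http://gmail.com/ 301 location=https://mail.google.com/ ctype=text/html
"""

if __name__ == "__main__":
    watch = build_watchlist(["gmail.com", "google.com", "hotmail.com"])
    for alert in find_install_funnels(parse_log(LOG_LINES), watch):
        print(alert)
```

The same watchlist can be fed to a DNS or proxy block list; the time-window linkage is what lets the alert survive the JavaScript hop that a pure Location-following parser would lose.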
<span style="font-family: inherit;"><br /></span>
<span style="font-family: inherit;">Since they very much want us to take these executables, let's do that and see what we can learn:</span><br />
<br />
<u><span style="color: #660000; font-size: large;"><b>Binary Review</b></span></u><br />
Listed below is information on three binaries that I obtained on different loads of the super-saving.glidehomes.com site:<br />
<table style="border-collapse: collapse; width: 624px;"><tbody>
<tr><td style="background-color: #073763; border: 1px solid #000000; color: white; padding: 7px; text-align: center;">Binary Name</td><td style="background-color: #073763; border: 1px solid #000000; color: white; padding: 7px; text-align: center;">Analysis Links</td><td style="background-color: #073763; border: 1px solid #000000; color: white; padding: 7px; text-align: center;">Code - Signed</td></tr>
<tr><td style="border: 1px solid #000000; padding: 7px; text-align: center;">setup.exe</td><td style="border: 1px solid #000000; padding: 7px; text-align: center;"><a href="http://anubis.iseclab.org/?action=result&task_id=1000b25685455df44b1b24c9dcf0a4669&call=first" target="_blank">Anubis</a><br /><a href="https://malwr.com/analysis/NWExNTQyZmM3OGUxNDgzMGI4YmRkOTdhZmUxNTE1MDA/" target="_blank">Malwr</a><br /><a href="https://www.virustotal.com/en/file/c6e0074ded983b7331d6acfdae4deef7f89dd721cf5b6cf53191222331d4ea1a/analysis/1369941732/" target="_blank">VirusTotal 5/46</a></td><td style="border: 1px solid #000000; padding: 7px; text-align: center;">Air Software</td></tr>
<tr><td style="border: 1px solid #000000; padding: 7px; text-align: center;">mplayer_Setup.exe</td><td style="border: 1px solid #000000; padding: 7px; text-align: center;"><a href="http://anubis.iseclab.org/?action=result&task_id=1586f1ca4a8807a34ddac73e327b1b16d&format=html" target="_blank">Anubis</a><br /><a href="https://malwr.com/analysis/OWQyZTYyNDE5ZjRmNGNkODk5NjA0ZTQxZDYxY2RlZTY/" target="_blank">Malwr</a><br /><a href="https://www.virustotal.com/en/file/e269a8433e0c6187b18eedd703feb7ba674f70ccd266fe95d141279fe21b54f1/analysis/" target="_blank">VirusTotal 6/47</a></td><td style="border: 1px solid #000000; padding: 7px; text-align: center;">Optimum Installer</td></tr>
<tr><td style="border: 1px solid #000000; padding: 7px; text-align: center;">“ExtremeFlashPlayer_Ytz Installer.exe”</td><td style="border: 1px solid #000000; padding: 7px; text-align: center;">Anubis<br />Malwr<br /><a href="https://www.virustotal.com/en/file/a6d0e40eb6cd8388f0e1d4a5b6a43a2599112357c73068113af998748ff939c9/analysis/1369972990/" target="_blank">VirusTotal 8/47</a></td><td style="border: 1px solid #000000; padding: 7px; text-align: center;">Denco Ltd.</td></tr>
</tbody></table>
<br />
<u><b>Though these EXEs are served from different sites, they share a great deal in common:</b></u>
<ul>
<li>Each is pushed via a Pay-Per-Install Provider framework (more on this below).</li>
<li>Only a handful of AV engines detect them; those that do categorize them as adware/spyware or potentially unwanted programs (PUPs).</li>
<li>Each of the binaries is code signed (VeriSign Class 3).</li>
<li>Each makes a common series of registry changes that significantly downgrade the security settings of Internet Explorer.</li>
</ul>
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEibtPdmFqe9nsP06Ix3g1nrIMEq4zxX-2jtJU-RCI19pzVjrW6Ej4yV_wxx8nNTJGoDVUCVK9blO70bugxlFiF9J-5KK5ImsbOZVXwRjHGQPoHAbLwqAYaV1vZK6C8tauxn9-V76_hIAaM/s1600/download.jpg" imageanchor="1" style="clear: right; float: right; margin-bottom: 1em; margin-left: 1em; text-align: center;"><img border="0" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEibtPdmFqe9nsP06Ix3g1nrIMEq4zxX-2jtJU-RCI19pzVjrW6Ej4yV_wxx8nNTJGoDVUCVK9blO70bugxlFiF9J-5KK5ImsbOZVXwRjHGQPoHAbLwqAYaV1vZK6C8tauxn9-V76_hIAaM/s1600/download.jpg" height="151" width="200" /></a><span style="color: #660000; font-size: large;"><b><u>Pay-Per-Install Economy</u></b></span><br />
From the binaries we pulled (see above), we can see evidence that these typo sites are being used as a vast <b>"install funnel"</b> driving a pay-per-install profit chain.<br />
The overall PPI economy has distinctive roles that we can map to what we have seen so far in our review.<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEg8vwD7ajQYLmIVWjfKxZ__3kDA0Ef1ebrt-5WzF_KnGnfbrNxBIhtujHBsW_ynh0EpMunDFA1Qphvpyh7zcAfIoFRaO2rxiskwixPvdIcZGqs72uny-rUH6CpEUsLxuvt7iSIbqSeujDI/s1600/roles.jpg" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEg8vwD7ajQYLmIVWjfKxZ__3kDA0Ef1ebrt-5WzF_KnGnfbrNxBIhtujHBsW_ynh0EpMunDFA1Qphvpyh7zcAfIoFRaO2rxiskwixPvdIcZGqs72uny-rUH6CpEUsLxuvt7iSIbqSeujDI/s1600/roles.jpg" height="187" width="640" /></a></div>
While initiation of the chain starts with the typo-squatter install funnel, the money actually flows from the "application providers" back up the chain. <br />
<br />
The application providers buy access to the PPI provider's affiliate network and the use of its installation framework. In many cases their purchase can be specific to a region for the installation and to an install target number (e.g. 1000 S. American PCs). Additionally, the PPI provider frequently offers free software that is bundled/bound with the application providers' own code. In turn, the PPI providers issue payment to our typosquatters, who can drive vast amounts of traffic and downloads to catalyze the overall chain.<br />
<br />
For the end-user who was tricked into installing the PPI installer software, there really is no good outcome. At best, they end up with some adware or spyware that mucks things up a bit, which of course they had no intention of installing to start with. At worst, <a href="http://www.technologyreview.com/view/417354/get-paid-to-install-malware/" target="_blank">malware authors have for many years leveraged PPI networks</a> as a quick way to build or grow their botnets. <br />
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEibtPdmFqe9nsP06Ix3g1nrIMEq4zxX-2jtJU-RCI19pzVjrW6Ej4yV_wxx8nNTJGoDVUCVK9blO70bugxlFiF9J-5KK5ImsbOZVXwRjHGQPoHAbLwqAYaV1vZK6C8tauxn9-V76_hIAaM/s1600/download.jpg" imageanchor="1" style="clear: right; float: right; margin-bottom: 1em; margin-left: 1em; text-align: center;"><br /></a>
<br />
<br />
<span style="color: #660000; font-size: large;"><b><u>Who Is Involved In This?</u></b></span><br />
It is easy to spot the PPI provider companies whose installers are being used, as well as many of the companies whose adware/spyware piggy-backs on these initial installs. It is considerably harder (and therefore more interesting) to look at who may be behind the large number of typo domains that form the install funnel. One reason these companies are harder to find is that their litigation risk is significant: trademark infringement claims in addition to <a href="http://www.icann.org/en/help/dndr/udrp" target="_blank">formal domain name disputes</a>. A significant measure of their value to the PPI chain is also their resilience to disruption or take-down attempts.<br />
<br />
To dig a little deeper, we can turn to <a href="http://www.paterva.com/web6/products/maltego.php" target="_blank">Maltego</a> for some help with quick OSINT (<a href="https://docs.google.com/file/d/0Bxi9naEYPVPIX0hudTYybEc0NXc/edit?usp=sharing" target="_blank">report file here</a>).<br />
<br />
Looking at the nodes associated with the typo-domains, some clear relationships and trends stand out:<br />
<br />
<ol>
<li><b>Hosting Trends</b> - The domains use round-robin DNS between the IPs (<b>23.23.210.22</b> / Amazon EC2 - <a href="https://www.virustotal.com/en/ip-address/23.23.210.22/information/" target="_blank">virustotal</a> / <a href="http://urlquery.net/search.php?q=23.23.210.22&type=string&start=2013-06-04&end=2013-06-19&max=50" target="_blank">urlquery</a> and <b>74.86.197.160</b> / Softlayer - <a href="https://www.virustotal.com/en/ip-address/74.86.197.160/information/" target="_blank">virustotal</a> / <a href="http://urlquery.net/search.php?q=74.86.197.160&type=string&start=2013-06-04&end=2013-06-19&max=50" target="_blank">urlquery</a>). Of note, the whois record for 74.86.197.160 contains an <a href="https://www.arin.net/resources/request/reassignments_rwhois.html" target="_blank">rwhois referral</a> which lists PPX International Limited (now YTZ Management) as the organization responsible for the IP:</li>
</ol>
<span style="font-family: Courier New, Courier, monospace; font-size: xx-small;">%rwhois V-1.5:003fff:00 rwhois.softlayer.com (by Network Solutions, Inc. V-1.5.9.5)</span><br />
<span style="font-family: Courier New, Courier, monospace; font-size: xx-small;">network:Class-Name:network</span><br />
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgx9T5sc1tJTu2NFEHcMv5XcwB5inx7JN7l8YY2jSTPJNdh-J3rZAdt2O5ee5I0K2KJeFrsGwWW4RwTDUjzF-mTVzinj_A_LJ4uiIdo2gVz7J4N2HX7k1AYCH8YtmEfsuZ51qzy-LzHiQE/s1600/interconnects.jpg" imageanchor="1" style="clear: right; float: right; margin-bottom: 1em; margin-left: 1em;"><img border="0" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgx9T5sc1tJTu2NFEHcMv5XcwB5inx7JN7l8YY2jSTPJNdh-J3rZAdt2O5ee5I0K2KJeFrsGwWW4RwTDUjzF-mTVzinj_A_LJ4uiIdo2gVz7J4N2HX7k1AYCH8YtmEfsuZ51qzy-LzHiQE/s1600/interconnects.jpg" height="292" width="320" /></a><span style="font-family: Courier New, Courier, monospace; font-size: xx-small;">network:ID:NETBLK-SOFTLAYER.74.86.192.0/19</span><br />
<span style="font-family: Courier New, Courier, monospace; font-size: xx-small;">network:Auth-Area:74.86.192.0/19</span><br />
<span style="font-family: Courier New, Courier, monospace; font-size: xx-small;">network:Network-Name:SOFTLAYER-74.86.192.0</span><br />
<span style="font-family: Courier New, Courier, monospace; font-size: xx-small;">network:IP-Network:74.86.197.160/30</span><br />
<span style="font-family: Courier New, Courier, monospace; font-size: xx-small;">network:IP-Network-Block:74.86.197.160-74.86.197.163</span><br />
<span style="font-family: Courier New, Courier, monospace; font-size: xx-small;"><b>network:Organization;I:PPX International Limited</b></span><br />
<span style="font-family: Courier New, Courier, monospace; font-size: xx-small;">network:Street-Address:250 Lytton Blvd</span><br />
<span style="font-family: Courier New, Courier, monospace; font-size: xx-small;">network:City:Toronto</span><br />
<span style="font-family: Courier New, Courier, monospace; font-size: xx-small;">network:State:ON</span><br />
<span style="font-family: Courier New, Courier, monospace; font-size: xx-small;">network:Postal-Code:M5N1R6</span><br />
<span style="font-family: Courier New, Courier, monospace; font-size: xx-small;">network:Country-Code:CA</span><br />
<span style="font-family: Courier New, Courier, monospace; font-size: xx-small;">network:Tech-Contact;I:sysadmins@softlayer.com</span><br />
<span style="font-family: Courier New, Courier, monospace; font-size: xx-small;">network:Abuse-Contact;I:chad.morland@ppx.com</span><br />
<span style="font-family: Courier New, Courier, monospace; font-size: xx-small;">network:Admin-Contact;I:IPADM258-ARIN</span><br />
<span style="font-family: Courier New, Courier, monospace; font-size: xx-small;">network:Created:2010-11-19 15:00:01</span><br />
<span style="font-family: Courier New, Courier, monospace; font-size: xx-small;">network:Updated:2011-02-01 20:47:57</span><br />
<span style="font-family: Courier New, Courier, monospace; font-size: xx-small;">network:Updated-By:ipadmin@softlayer.co</span><br />
<br />
<div class="separator" style="clear: both; text-align: center;">
</div>
<div class="separator" style="clear: both; text-align: center;">
<br /></div>
<div class="separator" style="clear: both; text-align: left;">
2. <b>Registrar Trends</b> - Almost all domains use private registration and <a href="http://internet.bs/">Internet.bs</a> as the registrar.</div>
<div class="separator" style="clear: both; text-align: center;">
<br /></div>
<div class="separator" style="clear: both; text-align: left;">
3. <b>DNS Trends</b> - Most domains are using <a href="http://www.domainmanager.com/" target="_blank">DomainManager</a> as the authoritative nameservers.</div>
<div class="separator" style="clear: both; text-align: left;">
<br /></div>
<div class="separator" style="clear: both; text-align: left;">
If you research these three companies, you'll find they are tightly clustered in terms of their history, investors, and leadership. These companies are backed by people who have been in the domain business for many years. The evidence suggests that they are currently major players whose services are collectively being used to support a platform for aggregating untargeted traffic and focusing it into the PPI pipeline.</div>
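Once the lookups are done, the pivoting itself is easy to script. The following is an added example in Python (not code from the original post and not Maltego output): it parses rwhois records of the form quoted above into a dict and groups domains that share hosting IPs or authoritative nameservers, leaving the registrar as a reported trend rather than a clustering key. The rwhois excerpt is the one from the post; the domains, IPs, nameservers and registrars in RECORDS are constructed placeholders (reserved .test names, RFC 5737 documentation addresses) standing in for the dig/whois results you would gather first.

```python
"""Added example (not from the original post, not Maltego output): parse
rwhois records and pivot a set of typo-domains on shared infrastructure.

Assumptions: the rwhois excerpt is the one quoted in the post; the domains,
IPs (RFC 5737 documentation ranges), registrars and nameservers in RECORDS
are constructed placeholders standing in for the results of dig/whois
lookups that are assumed to have been run beforehand."""
from collections import defaultdict

RWHOIS_EXCERPT = """\
%rwhois V-1.5:003fff:00 rwhois.softlayer.com (by Network Solutions, Inc. V-1.5.9.5)
network:Class-Name:network
network:ID:NETBLK-SOFTLAYER.74.86.192.0/19
network:IP-Network:74.86.197.160/30
network:Organization;I:PPX International Limited
network:City:Toronto
network:Country-Code:CA
network:Created:2010-11-19 15:00:01
"""


def parse_rwhois(text):
    """Turn 'class:Attribute[;flags]:value' lines into a dict keyed by the
    attribute name. The '%' banner line is skipped and the ';I' style flag
    is dropped from the attribute. split(':', 2) keeps colons inside values
    (timestamps) intact."""
    record = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("%"):
            continue
        parts = line.split(":", 2)
        if len(parts) != 3:
            continue
        _cls, attr, value = parts
        record[attr.split(";", 1)[0]] = value.strip()
    return record


# Constructed lookup results: domain -> (A records, authoritative NS, registrar).
RECORDS = {
    "exmaple-brand.test": (["192.0.2.10", "198.51.100.20"], ["ns1.dm.test"], "Registrar-A"),
    "examlpe-brand.test": (["198.51.100.20", "192.0.2.10"], ["ns2.dm.test"], "Registrar-A"),
    "exampel-brand.test": (["192.0.2.10"], ["ns1.dm.test"], "Registrar-B"),
    "otherbrnad.test": (["203.0.113.5"], ["ns1.other.test"], "Registrar-C"),
    "othrebrand.test": (["203.0.113.5"], ["ns1.other.test"], "Registrar-C"),
    "unrelated.test": (["203.0.113.77"], ["ns9.elsewhere.test"], "Registrar-D"),
}


def pivot(records):
    """Inverted index: (kind, value) -> set of domains sharing that attribute.
    Round-robin hosts show up here naturally, since every A record is indexed."""
    index = defaultdict(set)
    for domain, (ips, nameservers, registrar) in records.items():
        for ip in ips:
            index[("ip", ip)].add(domain)
        for ns in nameservers:
            index[("ns", ns)].add(domain)
        index[("registrar", registrar)].add(domain)
    return index


def cluster(records, pivot_on=("ip", "ns")):
    """Union-find over the inverted index: domains sharing any attribute of
    the chosen kinds end up in one group. Registrar is excluded by default
    because a popular registrar links unrelated domains and is weak evidence
    on its own; it is still a useful trend once the clusters exist."""
    parent = {d: d for d in records}

    def find(x):
        while parent[x] != x:
            parent[x] = parent[parent[x]]
            x = parent[x]
        return x

    for (kind, _value), domains in pivot(records).items():
        if kind not in pivot_on:
            continue
        first, *rest = sorted(domains)
        for d in rest:
            parent[find(d)] = find(first)
    groups = defaultdict(list)
    for d in records:
        groups[find(d)].append(d)
    # Largest cluster first, then alphabetical, so output is deterministic.
    return sorted((sorted(g) for g in groups.values()), key=lambda g: (-len(g), g))


if __name__ == "__main__":
    org = parse_rwhois(RWHOIS_EXCERPT)
    print("netblock org:", org["Organization"], "/", org["IP-Network"])
    for group in cluster(RECORDS):
        print(len(group), "domain(s):", ", ".join(group))
```

Swapping the constructed RECORDS for real resolver and whois output is the only change needed; passing pivot_on=("registrar",) shows how much weaker that signal is on its own.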
<div class="separator" style="clear: both; text-align: center;">
<img border="0" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjMlkSbAT8IR5M5T5Nc21OBc-j9PbN4zCGpqo1zsye78N8GbzKKjJubraA1b0AAQNikIeCN9z5lNqy1S0ZVGE4VIVvLLEofqewKQXDquT5ktyV38uzfNKUa8EDz37yk5G0mMUn0fwngpMw/s1600/ytz.jpg" height="105" width="200" /><img border="0" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhrlcXsjCah4ugysjdd7fpCnAsKYFgoMUK6G4LfHu4l5gbwB_K3c953cSyxvARfiUze28ssk4ORD7fVtWjLJR7XFSClMj7lMxQ_s2iaalSJn9KiYqShmrsleTuWRVt_oEDI5M9xPQV0TCA/s1600/logo.gif" /></div>
<div class="separator" style="clear: both; text-align: center;">
<img border="0" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhHY19T_KymuDDqpc3hyphenhyphenOwyCqM-32ge3aWOaaLaeaS0zmwH7ahxmC-JoLblHksKqIbwuArO3cd2erMYF02uZ5bDA7qkFM7NDGTK7laPdhxAIZg2teLCUgrTeauiiqbOFxQQx2lTeWDvPGw/s1600/dmwordmark.png" /></div>
<span style="color: #660000; font-size: large;"><b><u><br /></u></b></span>
<br />
<div style="text-align: center;">
<br />
<div style="text-align: left;">
<u><span style="color: #660000; font-size: large;"><b>Conclusion</b></span></u></div>
</div>
<div class="" style="clear: both; text-align: left;">
Typo-squatters and commercial PPI companies represent themselves as being engaged in legitimate businesses. It is worth noting that this legitimate business seems to require frequent adoption of techniques used to evade attempts to block or shut down these services (off-shore bullet-proof hosting, URL redirection, binary packing). Regardless of questions of legality (which vary between jurisdictions), the use of misleading tactics to trick users into installing software is far from honorable and can result in serious loss of productivity. If you've ever had to help a family member clean up after one of these installers pushed adware/spyware onto a system, you know just how ugly and frustrating this can be (example below).<br />
<div class="separator" style="clear: both; text-align: center;">
<iframe allowfullscreen='allowfullscreen' webkitallowfullscreen='webkitallowfullscreen' mozallowfullscreen='mozallowfullscreen' width='320' height='266' src='https://www.youtube.com/embed/qDWZx2iy3PM?feature=player_embedded' frameborder='0'></iframe></div>
<br />
More seriously, however, the success of using typo sites to increase the number of systems tied to a PPI network only increases the incentive for cyber-criminals to view these networks as viable delivery vehicles for widespread use. If a commercial PPI provider can offer you access to hundreds of thousands of systems in affluent regions, then you can potentially go from nothing to a major botnet very quickly. Research conducted in 2011 (see some of the links below) clearly demonstrated that commercial PPI installers are a common target for infiltration and use for infection.</div>
<div class="separator" style="clear: both; text-align: center;">
<br /></div>
<br />
<div class="separator" style="clear: both; text-align: left;">
<u><span style="color: #660000; font-size: large;"><b>Further Readings/References</b></span></u></div>
<div class="separator" style="clear: both; text-align: left;">
</div>
<h1 style="color: #ce1126; font-family: Arial, Verdana, Helvetica, sans-serif; font-weight: 400; margin: 0px 0px 2px;">
<div>
<div style="font-size: medium;">
Video of 2011 Talk:<span style="font-weight: normal;"> </span></div>
<span style="font-size: small; font-weight: normal;"><span style="font-family: Verdana, sans-serif;"><a href="https://www.usenix.org/conference/usenix-security-11/measuring-pay-install-commoditization-malware-distribution" target="_blank">Measuring Pay-per-Install: </a> </span><a href="https://www.usenix.org/conference/usenix-security-11/measuring-pay-install-commoditization-malware-distribution" target="_blank"><span style="font-family: Verdana, sans-serif;">The Commoditization of Malware Distribution</span></a></span></div>
<div style="font-size: medium; font-weight: normal;">
<span style="background-color: white; font-family: verdana, arial, geneva, helvetica; font-size: 13px; line-height: 16px;">Juan Caballero, Chris Grier, Christian Kreibich, and Vern Paxson</span><span style="background-color: white; color: #5e5e5e; font-family: verdana, arial, geneva, helvetica; font-size: 13px; line-height: 16px;"> </span></div>
</h1>
<h1 style="color: #ce1126; font-family: Arial, Verdana, Helvetica, sans-serif; font-weight: 400; margin: 0px 0px 2px;">
<a href="http://www.technologyreview.com/news/424241/most-malware-tied-to-pay-per-install-market/"><span style="font-size: small;">MIT Technology Review: Most Malware Tied to 'Pay-Per-Install' Market</span></a></h1>
<h1 style="color: #ce1126; font-family: Arial, Verdana, Helvetica, sans-serif; font-weight: 400; margin: 0px 0px 2px;">
<span style="font-family: inherit; font-size: small;"><a href="http://ppimoney.blogspot.com/" target="_blank">"Hacker-Howto" PPI + Malware Redistribution</a>:</span></h1>
</div>
<div>
<br /></div>
<div>
<br /></div>
Unknownnoreply@blogger.com0tag:blogger.com,1999:blog-114124230733856093.post-77022609234517634602013-05-16T07:38:00.000-07:002013-05-16T17:19:10.575-07:00Building Password Dictionaries From Evidence Images<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiUjyjto6c3zsJxBwQhkS6BPMiW3Bbedh_jqqfYgCLFHnj-aWWjHphUhvDuYsMRpMDiwxGHksM78NgMxQkUOZ5fqr8WTLjCdNbv9_2k0jaZNaqptLbwYoJdtMqnIYQ_Hvz__ybG48YnD9Y/s1600/mtyourmind.10001mb.com.png" imageanchor="1" style="clear: right; float: right; margin-bottom: 1em; margin-left: 1em;"><img border="0" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiUjyjto6c3zsJxBwQhkS6BPMiW3Bbedh_jqqfYgCLFHnj-aWWjHphUhvDuYsMRpMDiwxGHksM78NgMxQkUOZ5fqr8WTLjCdNbv9_2k0jaZNaqptLbwYoJdtMqnIYQ_Hvz__ybG48YnD9Y/s1600/mtyourmind.10001mb.com.png" height="192" width="320" /></a></div>
<span style="color: #660000; font-size: large;"><u>Overview</u></span><br />
When dealing with a forensic image that contains encrypted files, our best friends are often those ever so helpful post-it notes, weak passwords, or instances of password reuse involving encoding methods that are easily defeated. However, fortune doesn't always favor the forensicator, and periodically you have to look for another shortcut to recovering encrypted content.<br />
<br />
One approach that can help with this is to build a password dictionary from the printable character strings contained within evidence images. The basic idea is that a user may have stored their password (or a derivation of it) somewhere on the original media, or that the password might still be retained in the page file or swap space. <br />
<br />
A reason to consider this approach is that the generation and use of a dictionary file can be achieved relatively quickly, whereas a brute-force attack against a decently complex password of more than 6 characters can take a <u>very long</u> time if you're up against a good cipher.<br />
<br />
My initial forays into building case-specific password dictionaries involved the Linux strings command, sed, awk, grep and LOTS of pipes; the overall processing time for this method was rather slow (basically run it and go to bed). However, using the incredibly versatile <a href="https://github.com/simsong/bulk_extractor" target="_blank">bulk_extractor</a> tool by <a href="http://simson.net/" target="_blank">Dr. Simson Garfinkel</a> (available in the latest update of <a href="https://code.google.com/p/ronin-linux/wiki/MasterList" target="_blank">RŌNIN-Linux R1</a>) we can generate a media-specific dictionary file fairly quickly.<br />
<br />
If you've never used bulk_extractor before, I recommend checking out its <a href="http://www.forensicswiki.org/wiki/Bulk_extractor" rel="" target="_blank">ForensicsWiki entry</a>. The scope and utility of this tool is much broader than the topic of this post.<br />
<br />
Here are some quick steps on building a case dictionary file using bulk_extractor and cracklib.<br />
<br />
<u><span style="color: #660000; font-size: large;">Using Bulk_Extractor To Build Initial WordList</span></u><br />
With the command listed below we disable all of bulk_extractor's scanners except the wordlist scanner (-E wordlist), send the generated wordlist to a specific output directory (-o; the directory must not already exist unless you are resuming an interrupted run, since bulk_extractor creates it), and name the image to be evaluated. The default settings extract words between 6 and 14 characters long; the wordlist scanner's length bounds can be tuned (check bulk_extractor -h for the wordlist options in your version).<br />
<table style="background-color: white; border-collapse: collapse; border: none; color: black; font-family: Arial, Tahoma, Helvetica, FreeSans, sans-serif; font-size: 13px; line-height: 18px; width: 624px;"><colgroup><col width="*"></col></colgroup><tbody>
<tr style="height: 0px;"><td style="background-color: #434343; border: 1px solid rgb(0, 0, 0); padding: 7px; vertical-align: top;"><table style="border-collapse: collapse; border: none; width: 624px;"><colgroup><col width="*"></col></colgroup><tbody>
<tr style="height: 0px;"><td style="background-color: black; border: 1px solid rgb(0, 0, 0); padding: 7px; vertical-align: top;"><span style="color: orange; font-family: Courier New, Courier, monospace;">$ bulk_extractor -E wordlist -o /tmp/bulk_extractor/ evidence1.raw<br /><br />bulk_extractor version: 1.3.1<br />Hostname: valkyrie<br />Input file: evidence1.raw<br />Output directory: /tmp/<br />Disk Size: 120000000000<br />Threads: 2</span><br />
<span style="color: orange;">. . .</span><br />
<span style="color: orange;"></span><br />
<span style="color: orange;"><span style="font-family: Courier New, Courier, monospace;">15:46:32 Offset 119973MB (99.98%) Done in 0:00:00 at 15:46:32</span></span><br />
<span style="color: orange;"><span style="font-family: Courier New, Courier, monospace;">All Data is Read; waiting for threads to finish...</span></span><br />
<span style="color: orange;"><span style="font-family: Courier New, Courier, monospace;">All Threads Finished!</span></span><br />
<span style="color: orange;"><span style="font-family: Courier New, Courier, monospace;">Producer time spent waiting: 0 sec.</span></span><br />
<span style="color: orange;"><span style="font-family: Courier New, Courier, monospace;">Average consumer time spent waiting: 3059 sec.</span></span><br />
<span style="color: orange;"><span style="font-family: Courier New, Courier, monospace;">*******************************************</span></span><br />
<span style="color: orange;"><span style="font-family: Courier New, Courier, monospace;">** bulk_extractor is probably I/O bound. **</span></span><br />
<span style="color: orange;"><span style="font-family: Courier New, Courier, monospace;">** Run with a faster drive **</span></span><br />
<span style="color: orange;"><span style="font-family: Courier New, Courier, monospace;">** to get better performance. **</span></span><br />
<span style="color: orange;"><span style="font-family: Courier New, Courier, monospace;">*******************************************</span></span><br />
<span style="color: orange;"><span style="font-family: Courier New, Courier, monospace;">Phase 2. Shutting down scanners</span></span><br />
<span style="color: orange;"><span style="font-family: Courier New, Courier, monospace;">Phase 3. Uniquifying and recombining wordlist</span></span><br />
<span style="color: orange;"><span style="font-family: Courier New, Courier, monospace;">Phase 3. Creating Histograms</span></span><br />
<span style="color: orange;"><span style="font-family: Courier New, Courier, monospace;"> ccn histogram... ccn_track2 histogram... domain histogram...</span></span><br />
<span style="color: orange;"><span style="font-family: Courier New, Courier, monospace;"> email histogram... ether histogram... find histogram...</span></span><br />
<span style="color: orange;"><span style="font-family: Courier New, Courier, monospace;"> ip histogram... tcp histogram... telephone histogram...</span></span><br />
<span style="color: orange;"><span style="font-family: Courier New, Courier, monospace;"> url histogram... url microsoft-live... url services...</span></span><br />
<span style="color: orange;"><span style="font-family: Courier New, Courier, monospace;"> url facebook-address... url facebook-id... url searches...</span></span><br />
<span style="color: orange;"><span style="font-family: Courier New, Courier, monospace;"><br /></span></span>
<span style="color: orange;"><span style="font-family: Courier New, Courier, monospace;">Elapsed time: 3304 sec.</span></span><br />
<span style="color: orange;"><span style="font-family: Courier New, Courier, monospace;">Overall performance: 34.58 MBytes/sec.</span></span><br />
<div>
<span style="color: orange;"><br /></span></div>
</td></tr>
</tbody></table>
</td></tr>
</tbody></table>
<u>A few cool things to note about bulk_extractor scans "beneath the hood":</u><br />
<ul>
<li>The scan method employed by bulk_extractor is completely agnostic about the filesystem (if any) contained in the image; it reads raw bytes, so we can throw any digital content at it, and unallocated space and swap get scanned along with everything else.</li>
<li>Bulk_extractor parallelizes for performance: the data read from the image is split into 16MiB pages, with one worker thread per core processing pages concurrently.</li>
<li>Bulk_extractor can pick up where it left off. If the process is killed and restarted against the same output directory, it reads the last offset recorded there and resumes from that point.</li>
</ul>
<u><span style="color: #660000; font-size: large;">Converting the Word-List to Dictionary</span></u><br />
After the run has completed, we will find a <b>wordlist_split_000.txt</b> file in our output directory.<br />
A quick evaluation of this file shows us that bulk_extractor has extracted 388,950 unique potential password strings.<br />
<table style="background-color: white; border-collapse: collapse; border: none; color: black; font-family: Arial, Tahoma, Helvetica, FreeSans, sans-serif; font-size: 13px; line-height: 18px; width: 624px;"><colgroup><col width="*"></col></colgroup><tbody>
<tr style="height: 0px;"><td style="background-color: #434343; border: 1px solid rgb(0, 0, 0); padding: 7px; vertical-align: top;"><table style="border-collapse: collapse; border: none; width: 624px;"><colgroup><col width="*"></col></colgroup><tbody>
<tr style="height: 0px;"><td style="background-color: black; border: 1px solid rgb(0, 0, 0); padding: 7px; vertical-align: top;"><span style="color: orange; font-family: Courier New, Courier, monospace;">$ wc -l ./wordlist_split_000.txt </span><br />
<span style="color: orange; font-family: Courier New, Courier, monospace;">388950 wordlist_split_000.txt</span><br />
<br />
<br /></td></tr>
</tbody></table>
</td></tr>
</tbody></table>
<br />
Obviously the majority of the entries in wordlist_split_000.txt are junk. If desired, we can clean this dictionary up a bit using the cracklib utility cracklib-format:<br />
<table style="background-color: white; border-collapse: collapse; border: none; color: black; font-family: Arial, Tahoma, Helvetica, FreeSans, sans-serif; font-size: 13px; line-height: 18px; width: 624px;"><colgroup><col width="*"></col></colgroup><tbody>
<tr style="height: 0px;"><td style="background-color: #434343; border: 1px solid rgb(0, 0, 0); padding: 7px; vertical-align: top;"><table style="border-collapse: collapse; border: none; width: 624px;"><colgroup><col width="*"></col></colgroup><tbody>
<tr style="height: 0px;"><td style="background-color: black; border: 1px solid rgb(0, 0, 0); padding: 7px; vertical-align: top;"><span style="color: orange; font-family: Courier New, Courier, monospace;">$ cracklib-format wordlist_split_000.txt > wordlist.crack</span><br />
<br /></td></tr>
</tbody></table>
</td></tr>
</tbody></table>
Cracklib-format performs a few filtering actions here:<br />
<div>
<ul>
<li>Lowercases all words</li>
<li>Removes control and other non-printable characters</li>
<li>Sorts the list and removes duplicates</li>
</ul>
<div>
Since decent password cracking tools apply case variance through their rule sets, we often don't lose much in this clean-up. However, retaining the original wordlist_split_000.txt file is a good idea should your password cracking tool not support this.<br />
<br />
Another option for reducing the password list to an even shorter set is to use cracklib-check to keep only the candidates that cracklib itself rates as weak (short, dictionary-based), i.e. everything it does not answer with "OK":</div>
<div>
<br />
<table style="background-color: white; border-collapse: collapse; border: none; color: black; font-family: Arial, Tahoma, Helvetica, FreeSans, sans-serif; font-size: 13px; line-height: 18px; width: 624px;"><colgroup><col width="*"></col></colgroup><tbody>
<tr style="height: 0px;"><td style="background-color: #434343; border: 1px solid rgb(0, 0, 0); padding: 7px; vertical-align: top;"><table style="border-collapse: collapse; border: none; width: 624px;"><colgroup><col width="*"></col></colgroup><tbody>
<tr style="height: 0px;"><td style="background-color: black; border: 1px solid rgb(0, 0, 0); padding: 7px; vertical-align: top;"><span style="color: orange; font-family: Courier New, Courier, monospace;">$ cat wordlist.crack | cracklib-check | grep -v ': OK$' | awk -F: '{print $1}' > wordlist.weak</span><br />
<div>
<span style="color: orange; font-family: Courier New, Courier, monospace;"><br /></span></div>
</td></tr>
</tbody></table>
</td></tr>
</tbody></table>
</div>
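To show the clean-up and derivation steps end to end, here is an added example in Python (not code from the original post, and not part of bulk_extractor or cracklib): it applies the same normalisation to a wordlist, filters the obvious junk, and expands the survivors with a few mangling rules of the kind a cracker's rule engine would apply. The sample wordlist is constructed; the load_wordlist, clean, mangle and build_dictionary functions are this example's own; and the rule set is a small hand-picked one rather than John the Ripper's or hashcat's.

```python
"""Added example, not from the original post: post-process a bulk_extractor
wordlist into a case dictionary and expand it with simple mangling rules.

Assumptions: wordlist_split_000.txt holds one candidate per line (the sample
here is constructed, not output from a real image); the mangling rules are a
small hand-picked set, not the rule engines of John the Ripper or hashcat."""
import itertools
import string

# Constructed sample of what bulk_extractor's wordlist scanner might emit:
# real words, a base64 token, binary noise and case-variant duplicates.
SAMPLE_WORDLIST = """\
Spring2013
spring2013
cGFzcw==
x9K2zzqW
Valkyrie
valkyrie!
\x01binary\x00junk
PASSWORD
cocacola
CocaCola
"""

PRINTABLE = frozenset(string.printable) - frozenset("\t\n\r\x0b\x0c")
LEET = str.maketrans({"a": "4", "e": "3", "i": "1", "o": "0", "s": "5"})


def load_wordlist(path):
    """Read a wordlist file; latin-1 never fails to decode, which matters for
    strings carved out of unallocated space."""
    with open(path, encoding="latin-1") as fh:
        return [line.rstrip("\n") for line in fh]


def clean(words, min_len=6, max_len=14):
    """Keep printable candidates within the length bounds, drop base64-looking
    tokens ('=' padding with a length that is a multiple of 4), and dedupe
    case-insensitively while keeping the first spelling seen, so the original
    capitalisation survives for crackers without case rules."""
    seen, out = set(), []
    for w in words:
        w = w.strip()
        if len(w) not in range(min_len, max_len + 1) or not PRINTABLE.issuperset(w):
            continue
        if w.endswith("=") and len(w) % 4 == 0:
            continue
        key = w.lower()
        if key not in seen:
            seen.add(key)
            out.append(w)
    return out


def mangle(word, years=("2012", "2013")):
    """Expand one word into the variants a cracker's rule set would try:
    case forms, common suffixes and a leet substitution. Order is
    deterministic and duplicates are removed."""
    base = word.lower()
    forms = [base, base.capitalize(), base.upper(), word]
    suffixes = ["", "1", "!", "123", *years]
    out = [form + suffix for form, suffix in itertools.product(forms, suffixes)]
    out.append(base.translate(LEET))
    out.append(base.capitalize().translate(LEET))
    return list(dict.fromkeys(out))  # dedupe, keep first-seen order


def build_dictionary(words, **bounds):
    """Return (cleaned, expanded): keep the cleaned list for crackers that
    apply their own rules and the expanded one for those that do not."""
    cleaned = clean(words, **bounds)
    expanded = list(dict.fromkeys(v for w in cleaned for v in mangle(w)))
    return cleaned, expanded


if __name__ == "__main__":
    cleaned, expanded = build_dictionary(SAMPLE_WORDLIST.splitlines())
    print(len(cleaned), "cleaned ->", len(expanded), "expanded candidates")
    print("\n".join(expanded[:8]))
```

Against a real run, build_dictionary(load_wordlist("wordlist_split_000.txt")) gives both lists; feed the cleaned one to a cracker that has its own rules (John's --rules, hashcat -r) and the expanded one to a tool that does not, and keep the raw bulk_extractor file either way.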
<div>
<u><span style="color: #660000; font-size: large;">Ideas? / Further Reading</span></u></div>
</div>
<div>
Do you have another tool, method, or process that you use for this? I'd love to hear about it.<br />
<br />
Here are a few other links that are useful/relevant:<br />
<ul>
<li><a href="http://sectools.org/tag/crackers/" target="_blank">List of password cracking tools.</a></li>
<li><a href="http://forensicotd.blogspot.com/2012/09/hiding-dead.html" target="_blank">Great post on automating entropy measurements for detecting potentially encrypted files</a>.</li>
<li><a href="https://www.youtube.com/watch?v=dpCNwHUpjKc" target="_blank">NYU-Poly Bulk_Extractor Video Overview.</a> </li>
</ul>
<div>
<br /></div>
</div>
Unknownnoreply@blogger.com4tag:blogger.com,1999:blog-114124230733856093.post-80934385062383728612013-05-07T13:59:00.003-07:002013-05-08T04:20:56.610-07:00Setting Up A Forensic Hash Server Using Nsrlsvr<div class="separator" style="clear: both; text-align: center;">
</div>
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEi3pBoz01IOe-P5Y3SHVk7MdGSKqPMBKdnnzloMM7QHRFzn4XpM1XHCEWaC2KxWCAVG2DCZP61dZpEqFEC47Efa0g0PMVlS7BERktW0q9x5BjnUEBjDT8l6niCccGabm4IQg9SirC5e4cg/s1600/nsl2small.gif" imageanchor="1" style="clear: right; float: right; margin-bottom: 1em; margin-left: 1em;"><img border="0" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEi3pBoz01IOe-P5Y3SHVk7MdGSKqPMBKdnnzloMM7QHRFzn4XpM1XHCEWaC2KxWCAVG2DCZP61dZpEqFEC47Efa0g0PMVlS7BERktW0q9x5BjnUEBjDT8l6niCccGabm4IQg9SirC5e4cg/s1600/nsl2small.gif" height="216" width="320" /></a></div>
<br />
When working a case involving media that contains operating system, application, and user data files, it is important to be able to efficiently and reliably differentiate files that warrant examination from those that are just normal system files. One effective way to do this is to set up a forensic hash server on your analysis network. A forensic hash server centralizes your repository of hash-sets for known files and provides dedicated resources for handling hash queries. Thanks to the great work done by Rob Hansen with support from RedJack Security, we can easily set up our own hash server using his <a href="http://rjhansen.github.io/nsrlsvr/" target="_blank">Nsrlsvr project</a>.<br />
<br />
<h4>
<u><b><span style="color: #660000; font-size: large;">Nsrlsvr Overview</span></b></u></h4>
Nsrlsvr is a C++ application that can be compiled on Linux or OSX. It takes its name from the <a href="http://www.nsrl.nist.gov/index.html" target="_blank">National Software Reference Library</a> (NSRL) project, which is maintained by NIST and supported by the Department of Homeland Security and other law enforcement agencies. The NSRL is an <u>extremely</u> large database of known application files (known, not necessarily benign), their hashes (MD5, SHA-1), and associated metadata. While the NSRL is a wonderful resource, its overall size (over 30 million entries) and flat text format make it unwieldy to run a large number of queries against (trust me - you don't want to grep or findstr against this). That is where Nsrlsvr comes in. Nsrlsvr loads this data set into memory and makes it easy to perform bulk hash lookups using standard open-source forensic tools (in particular md5deep).<br />
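The following is an added example in Python, not nsrlsvr's own code and not from the original post: a miniature of the server's job, loading NSRL-format records into a memory-resident set and triaging md5deep output against it. It assumes the published NSRLFile.txt column layout; the rows and the md5deep lines are constructed from made-up file contents, and the HashSet and triage names are this example's own.

```python
"""Added example, not part of nsrlsvr or the original post: a miniature of
what the hash server does, loading NSRL-format records into memory and
answering bulk lookups for hashes produced by md5deep.

Assumptions: NSRLFile.txt uses the published CSV layout ("SHA-1","MD5",
"CRC32","FileName","FileSize","ProductCode","OpSystemCode","SpecialCode");
the sample rows and the md5deep output below are constructed from made-up
file contents, and CRC32 is zeroed because lookups never use it."""
import csv
import hashlib
import io


def nsrl_row(name, content, product="100", os_code="189"):
    """One NSRLFile.txt record for a file with the given bytes (hashes in
    upper-case hex, as NSRL publishes them)."""
    return [hashlib.sha1(content).hexdigest().upper(),
            hashlib.md5(content).hexdigest().upper(),
            "00000000", name, str(len(content)), product, os_code, ""]


def make_nsrl_sample(files):
    """Constructed NSRLFile.txt text: header row plus one row per file."""
    buf = io.StringIO()
    w = csv.writer(buf, quoting=csv.QUOTE_ALL, lineterminator="\n")
    w.writerow(["SHA-1", "MD5", "CRC32", "FileName", "FileSize",
                "ProductCode", "OpSystemCode", "SpecialCode"])
    for name, content in files:
        w.writerow(nsrl_row(name, content))
    return buf.getvalue()


KNOWN_FILES = [("notepad.exe", b"known file a"),
               ("calc.exe", b"known file b"),
               ("setup.exe", b"known file c")]
NSRL_SAMPLE = make_nsrl_sample(KNOWN_FILES)

# Constructed md5deep output: '<hash>  <path>' (two spaces), lower-case hex.
MD5DEEP_SAMPLE = "\n".join([
    hashlib.md5(b"known file a").hexdigest() + "  C:\\Windows\\notepad.exe",
    hashlib.md5(b"known file b").hexdigest() + "  C:\\Windows\\System32\\calc.exe",
    hashlib.md5(b"never seen").hexdigest() + "  C:\\Users\\x\\AppData\\Roaming\\svchost.exe",
    hashlib.md5(b"known file a").hexdigest() + "  C:\\Users\\x\\Desktop\\notepad_copy.exe",
])


class HashSet:
    """In-memory reference set. Digests are stored as raw bytes (16 or 20) to
    halve memory versus hex strings; with tens of millions of rows a Python
    set still needs gigabytes, which is why nsrlsvr is C++ and wants 8GB."""

    def __init__(self):
        self.md5, self.sha1 = set(), set()

    def load_nsrl(self, text):
        """Parse NSRLFile.txt-format CSV and return the number of MD5s held."""
        for row in csv.DictReader(io.StringIO(text)):
            self.md5.add(bytes.fromhex(row["MD5"]))
            self.sha1.add(bytes.fromhex(row["SHA-1"]))
        return len(self.md5)

    def contains(self, hexdigest):
        """Case-insensitive lookup; the table is chosen by digest length."""
        raw = bytes.fromhex(hexdigest)
        return raw in (self.md5 if len(raw) == 16 else self.sha1)


def triage(hashset, deep_output):
    """Split md5deep/sha1deep output into (known, unknown) path lists. Known
    means 'present in the reference set', not 'safe': the NSRL also
    catalogues hacker tools and the like, so a hit only shrinks the review set."""
    known, unknown = [], []
    for line in deep_output.splitlines():
        if not line.strip():
            continue
        digest, _, path = line.partition("  ")
        (known if hashset.contains(digest.strip()) else unknown).append(path)
    return known, unknown


if __name__ == "__main__":
    hs = HashSet()
    print("loaded", hs.load_nsrl(NSRL_SAMPLE), "reference hashes")
    known, unknown = triage(hs, MD5DEEP_SAMPLE)
    print("known:", len(known), "unknown:", unknown)
```

The thing to carry over to the real server: a match means the file is in the NSRL, nothing more. The NSRL deliberately includes hacker tools and similar software, so a hit removes a file from the pile to review but does not vouch for it.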
<br />
<h3>
<b><u><span style="color: #660000; font-size: large;">Server Setup: Compiling Nsrlsvr</span></u></b></h3>
Compiling Nsrlsvr is not difficult provided you have enough disk space and a few gigs of RAM. Here are some basic setup instructions for getting this running under <a href="http://ronin-linux.org/" target="_blank"><span style="background-color: #f8f8f8; font-family: arial; line-height: 24px;">RŌNIN</span>-Linux</a>.<br />
<br />
<b><span style="color: red;">Step 1.</span> <a href="https://github.com/rjhansen/nsrlsvr/zipball/master" target="_blank">Download zip of the latest release of Nsrlsvr</a>.</b><br />
<br />
<u><span style="color: red;"><b>Step 2.</b></span><b> Basic Compile</b></u><br />
<i>(Note: during the configuration stage, scripts will download the NSRL database and process it; this may take some time depending on your bandwidth and system resources.)</i><br />
<div dir="ltr">
<table style="border-collapse: collapse; border: none; width: 624px;"><colgroup><col width="*"></col></colgroup><tbody>
<tr style="height: 0px;"><td style="background-color: #434343; border: 1px solid #000000; padding: 7px 7px 7px 7px; vertical-align: top;"><table style="border-collapse: collapse; border: none; width: 624px;"><colgroup><col width="*"></col></colgroup><tbody>
<tr style="height: 0px;"><td style="background-color: black; border: 1px solid rgb(0, 0, 0); padding: 7px; vertical-align: top;"><span style="color: orange; font-family: Courier New, Courier, monospace;">sudo apt-get install build-essential<br />unzip ./rjhansen-nsrlsvr*.zip<br />cd ./rjhansen-nsrlsvr*<br />./configure && make<br />sudo make install</span></td></tr>
</tbody></table>
<span style="background-color: transparent; color: blue; font-family: 'Courier New'; font-size: 15px; text-decoration: underline; vertical-align: baseline; white-space: pre-wrap;"></span></td></tr>
</tbody></table>
</div>
<b style="font-weight: normal;">At the end of the build, you should have a nsrlsvr binary (/usr/local/bin/nsrlsvr ) as well as a master hash table extracted from the NSRL data-set (/usr/local/share/nsrlsvr/NSRLFile.txt ).</b><br />
<br />
<b><u>Launching Nsrlsvr </u></b><br />
If you take a look at the man page for Nsrlsvr, you'll see that it is really easy to fire up after installation. To spawn a nsrlsvr daemon loaded with the NSRL reference data set, we simply issue the command below (it can be dropped into rc.local to run on each boot):<br />
<table style="border-collapse: collapse; border: none; width: 624px;"><colgroup><col width="*"></col></colgroup><tbody>
<tr style="height: 0px;"><td style="background-color: #434343; border: 1px solid rgb(0, 0, 0); padding: 7px; vertical-align: top;"><table style="border-collapse: collapse; border: none; width: 624px;"><colgroup><col width="*"></col></colgroup><tbody>
<tr style="height: 0px;"><td style="background-color: black; border: 1px solid rgb(0, 0, 0); padding: 7px; vertical-align: top;"><span style="color: orange; font-family: Courier New, Courier, monospace;">nsrlsvr</span></td></tr>
</tbody></table>
<span style="color: blue; font-family: 'Courier New'; font-size: 15px; text-decoration: underline; vertical-align: baseline; white-space: pre-wrap;"></span></td></tr>
</tbody></table>
<br />
(Note: the default TCP port for this process is 9120; the service is a plain TCP listener, so keep it reachable only from the analysis network. The nsrlsvr daemon also consumes a good bit of RAM when loading the NSRL reference data set; the developer recommends 8GB of RAM and a 64-bit OS for adequate performance.)<br />
<br />
<b><u><span style="color: #660000; font-size: large;">Client Setup: Compiling Nsrllookup</span></u></b><br />
Our analysis systems also need software installed to issue hash lookup queries to the Nsrlsvr daemon. To handle this we will install <a href="http://rjhansen.github.io/nsrllookup/">Nsrllookup</a>.<br />
<br />
Linux compile instructions are below. If your analysis systems run Windows, the developer also provides pre-compiled binaries (<a href="http://sixdemonbag.org/nsrlquery/nsrllookup-1.2.2-win32.zip">32-bit</a>, <a href="http://sixdemonbag.org/nsrlquery/nsrllookup-1.2.2-win64.zip">64-bit</a>).<br />
<br />
<b><u><span style="color: red;">Step 1</span><span style="color: #274e13;">.</span> <a href="https://github.com/rjhansen/nsrllookup/zipball/master" target="_blank">Download zip of the latest release of Nsrllookup</a>.</u></b><br />
<br />
<b><u><span style="color: red;">Step 2.</span> Basic Compile</u></b><br />
<table style="border-collapse: collapse; border: none; width: 624px;"><colgroup><col width="*"></col></colgroup><tbody>
<tr style="height: 0px;"><td style="background-color: #434343; border: 1px solid rgb(0, 0, 0); padding: 7px; vertical-align: top;"><table style="border-collapse: collapse; border: none; width: 624px;"><colgroup><col width="*"></col></colgroup><tbody>
<tr style="height: 0px;"><td style="background-color: black; border: 1px solid rgb(0, 0, 0); padding: 7px; vertical-align: top;"><table style="border-collapse: collapse; border: none; width: 624px;"><tbody>
<tr style="height: 0px;"><td style="background-color: black; border: 1px solid rgb(0, 0, 0); padding: 7px; vertical-align: top;"><span style="color: orange; font-family: Courier New, Courier, monospace;">sudo apt-get install build-essential<br />unzip ./rjhansen-nsrllookup*.zip<br />cd ./rjhansen-nsrllookup*<br />./configure && make<br />sudo make install</span></td></tr>
</tbody></table>
<span style="color: blue; font-family: 'Courier New'; font-size: 15px; text-decoration: underline; vertical-align: baseline; white-space: pre-wrap;"></span><br /></td></tr>
</tbody></table>
</td></tr>
</tbody></table>
<br />
<b style="font-weight: normal;">At the end of this build, you should have an nsrllookup binary (/usr/local/bin/nsrllookup).</b><br />
<b style="font-weight: normal;"><br /></b>
<b><u><span style="color: #660000; font-size: large;">Performing Hash Lookups</span></u></b><br />
<b style="font-weight: normal;">Now that we have the server up and running and our client has a query tool installed, we can start performing hash lookups. To do this we will use the md5deep utility to compute the hashes and Nsrllookup to issue queries against our hash server:</b><br />
<table style="border-collapse: collapse; border: none; width: 624px;"><colgroup><col width="*"></col></colgroup><tbody>
<tr style="height: 0px;"><td style="background-color: #434343; border: 1px solid rgb(0, 0, 0); padding: 7px; vertical-align: top;"><table style="border-collapse: collapse; border: none; width: 624px;"><colgroup><col width="*"></col></colgroup><tbody>
<tr style="height: 0px;"><td style="background-color: black; border: 1px solid rgb(0, 0, 0); padding: 7px; vertical-align: top;"><span style="color: orange; font-family: Courier New, Courier, monospace;">md5deep -r ./image_mount_point/|nsrllookup -K known_files.txt -U unknown_files.txt -s hashserverip</span></td></tr>
</tbody></table>
</td></tr>
</tbody></table>
<br />
With this command, we are using md5deep to perform a recursive scan (-r) of all files contained within our image mount directory. We pipe the returned hash values to Nsrllookup, which in turn queries our central hash server. The flags (-K, -U) sort the queried files into two categories based on whether a file matches an entry in the NSRL reference data set (known) or not (unknown). With these two report files, we can focus our review efforts on the entries/objects that were not located in the NSRL database.<br />
<b><u><span style="color: #660000; font-size: large;"><br /></span></u></b>
<b><u><span style="color: #660000; font-size: large;">Using Custom HashSets</span></u></b><br />
Nsrlsvr is also capable of loading custom hash sets that you provide. This is a useful function, as you can launch multiple nsrlsvr processes on different ports that allow you to query against different hash sets.<br />
<br />
If you're responsible for DFIR in a corporate or other enterprise computing environment, this function can be really useful for building and loading hashes from desktop and server gold build images. Another usage idea would be to create a cron job that generates hash files (and/or piecewise hashes) for any malicious files (in-house zoo), illegal images, or other content that you might want to do initial sweeps for early on in an investigation. To build a custom hash set, we use md5deep and a little string manipulation to get the hashes into a format that nsrlsvr will readily parse (one uppercase MD5 per line, see below).<br />
<br class="Apple-interchange-newline" />
<table style="border-collapse: collapse; border: none; width: 624px;"><colgroup><col width="*"></col></colgroup><tbody>
<tr style="height: 0px;"><td style="background-color: #434343; border: 1px solid rgb(0, 0, 0); padding: 7px; vertical-align: top;"><table style="border-collapse: collapse; border: none; width: 624px;"><colgroup><col width="*"></col></colgroup><tbody>
<tr style="height: 0px;"><td style="background-color: black; border: 1px solid rgb(0, 0, 0); padding: 7px; vertical-align: top;"><pre style="white-space: pre-wrap; word-wrap: break-word;"><span style="color: orange; font-family: Courier New, Courier, monospace;"># md5deep prints "&lt;md5&gt;  &lt;path&gt;"; keep only the hash, uppercased to match NSRL
md5deep -r /media/goldimage/ | awk '{print toupper($1)}' &gt; goldimage.hash</span></pre>
</td></tr>
</tbody></table>
<span style="background-color: transparent; color: blue; font-family: 'Courier New'; font-size: 15px; text-decoration: underline; vertical-align: baseline; white-space: pre-wrap;"></span></td></tr>
</tbody></table>
<br />
<br class="Apple-interchange-newline" />
We can then fire up and background another nsrlsvr process by doing the following:<br />
<table style="border-collapse: collapse; border: none; width: 624px;"><colgroup><col width="*"></col></colgroup><tbody>
<tr style="height: 0px;"><td style="background-color: #434343; border: 1px solid rgb(0, 0, 0); padding: 7px; vertical-align: top;"><table style="border-collapse: collapse; border: none; width: 624px;"><colgroup><col width="*"></col></colgroup><tbody>
<tr style="height: 0px;"><td style="background-color: black; border: 1px solid rgb(0, 0, 0); padding: 7px; vertical-align: top;"><span style="color: orange; font-family: Courier New, Courier, monospace;">nohup nsrlsvr -S -f goldimage.hash -p 7070 &gt; nsrlsvr-7070.log 2&gt;&amp;1 &amp;</span></td></tr>
</tbody></table>
</td></tr>
</tbody></table>
(This binds the new nsrlsvr process to tcp port 7070).<br />
<div>
<br /></div>
<div>
To run a query against this new listener we can point nsrllookup on our client to the new port (7070) and print the files known to our custom hash set (-k for known):</div>
<div>
<table style="border-collapse: collapse; border: none; width: 624px;"><colgroup><col width="*"></col></colgroup><tbody>
<tr style="height: 0px;"><td style="background-color: #434343; border: 1px solid rgb(0, 0, 0); padding: 7px; vertical-align: top;"><table style="border-collapse: collapse; border: none; width: 624px;"><colgroup><col width="*"></col></colgroup><tbody>
<tr style="height: 0px;"><td style="background-color: black; border: 1px solid rgb(0, 0, 0); padding: 7px; vertical-align: top;"><span style="color: orange; font-family: Courier New, Courier, monospace;">md5deep -r /image_mount_point/|nsrllookup -k -s serverip -p 7070</span></td></tr>
</tbody></table>
<span style="background-color: transparent; color: blue; font-family: 'Courier New'; font-size: 15px; text-decoration: underline; vertical-align: baseline; white-space: pre-wrap;"></span></td></tr>
</tbody></table>
</div>
<div>
<br /></div>
<div>
We can also chain queries across these multiple nsrlsvr listeners. For example, if you want to list all files whose hash values do not match any entry (-u for unknown) in either the core NSRL data set or your custom data set, you can do something like this:</div>
<div>
<table style="border-collapse: collapse; border: none; width: 624px;"><colgroup><col width="*"></col></colgroup><tbody>
<tr style="height: 0px;"><td style="background-color: #434343; border: 1px solid rgb(0, 0, 0); padding: 7px; vertical-align: top;"><table style="border-collapse: collapse; border: none; width: 624px;"><colgroup><col width="*"></col></colgroup><tbody>
<tr style="height: 0px;"><td style="background-color: black; border: 1px solid rgb(0, 0, 0); padding: 7px; vertical-align: top;"><span style="color: orange; font-family: 'Courier New', Courier, monospace;">md5deep -r /image_mount_point/|nsrllookup -u|nsrllookup -u -s serverip -p 7070</span><span style="color: orange; font-family: 'Courier New', Courier, monospace;"> </span></td></tr>
</tbody></table>
<span style="background-color: transparent; color: blue; font-family: 'Courier New'; font-size: 15px; text-decoration: underline; vertical-align: baseline; white-space: pre-wrap;"></span></td></tr>
</tbody></table>
</div>
<div>
<br />
As we can see, Nsrlsvr and Nsrllookup are really useful resources to help with data reduction at the onset of an investigative case, as well as for quick review of content that you want to flag. </div>
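To make the known/unknown sorting and the chained query concrete without a running hash server, here is an added Python example (not nsrlsvr or nsrllookup code) that performs the same data reduction locally: it loads a hash list in the shape of goldimage.hash, parses md5deep output, splits files into known and unknown the way -K/-U do, and then chains a second hash set the way the two piped nsrllookup -u calls do. The file paths, file contents and both hash sets are constructed; the two-space md5deep output separator and the tolerance for non-hash lines in the hash list are assumptions noted in the code.

```python
"""Known/unknown sorting of md5deep output against one or more hash sets.

Added example, not nsrlsvr or nsrllookup code. It reproduces offline the
data-reduction step the post performs with
    md5deep -r ... | nsrllookup -K known.txt -U unknown.txt -s hashserverip
and the chained query
    md5deep -r ... | nsrllookup -u | nsrllookup -u -s serverip -p 7070
All sample files, paths and hash sets below are constructed.
"""
import hashlib
import re

MD5_RE = re.compile(r"^[0-9A-Fa-f]{32}$")


def load_hash_set(lines):
    """Build a set of uppercase MD5s from a hash list such as goldimage.hash.

    Only bare 32-hex-digit tokens are accepted (the first comma field, so an
    NSRL-style CSV line would also work); blank lines and stray filename
    fragments are skipped instead of being treated as hashes. Hashes are
    normalised to uppercase because the NSRL RDS stores uppercase hex.
    """
    hashes = set()
    for line in lines:
        token = line.strip().split(",")[0].strip('"')
        if MD5_RE.match(token):
            hashes.add(token.upper())
    return hashes


def parse_md5deep(lines):
    """Parse md5deep's default output lines into (MD5, path) tuples.

    Assumption: default md5deep output is '<md5>  <path>' with two spaces,
    as the post's md5deep -r invocations produce.
    """
    records = []
    for line in lines:
        line = line.rstrip("\n")
        if not line:
            continue
        digest, _, path = line.partition("  ")
        records.append((digest.upper(), path))
    return records


def sort_known_unknown(records, hash_set):
    """Split records into (known, unknown), like nsrllookup -K / -U."""
    known = [r for r in records if r[0] in hash_set]
    unknown = [r for r in records if r[0] not in hash_set]
    return known, unknown


def chain_unknown(records, *hash_sets):
    """Keep only records unknown to every hash set, applied in sequence.

    This is the piped `nsrllookup -u | nsrllookup -u -p 7070` chain: each
    stage forwards only what the previous one could not match.
    """
    remaining = list(records)
    for hash_set in hash_sets:
        _, remaining = sort_known_unknown(remaining, hash_set)
    return remaining


def md5_hex(data):
    return hashlib.md5(data).hexdigest().upper()


# --- constructed sample data --------------------------------------------
SAMPLE_FILES = {
    "/mnt/image/Windows/System32/notepad.exe": b"pretend notepad",
    "/mnt/image/Program Files/Corp/agent.exe": b"corp gold build agent",
    "/mnt/image/Users/bob/Desktop/invoice.exe": b"something unexpected",
}
# Stand-in for the NSRL set: knows the OS binary only.
NSRL_SET = load_hash_set([
    md5_hex(SAMPLE_FILES["/mnt/image/Windows/System32/notepad.exe"]),
])
# Stand-in for goldimage.hash: knows the corporate agent, plus the kind of
# junk lines a sloppy tr/awk pipeline can leave behind.
GOLD_SET = load_hash_set([
    md5_hex(SAMPLE_FILES["/mnt/image/Program Files/Corp/agent.exe"]),
    "",
    "IMAGE/PROGRAM",
])
# What `md5deep -r /mnt/image/` would print for those files.
MD5DEEP_OUTPUT = [f"{md5_hex(data).lower()}  {path}"
                  for path, data in SAMPLE_FILES.items()]


def triage():
    """Return (known_to_nsrl, unknown_to_nsrl, unknown_to_both) as path lists."""
    records = parse_md5deep(MD5DEEP_OUTPUT)
    known, unknown = sort_known_unknown(records, NSRL_SET)
    leftover = chain_unknown(records, NSRL_SET, GOLD_SET)
    return ([p for _, p in known], [p for _, p in unknown],
            [p for _, p in leftover])


if __name__ == "__main__":
    known, unknown, leftover = triage()
    print("known to NSRL   :", known)
    print("unknown to NSRL :", unknown)
    print("unknown to both :", leftover)  # review these first
```

The point of the chain is visible in the last list: once the NSRL set and the gold-image set have both been applied, only the file that neither recognises is left for a human to look at, which is the same reduction the two piped nsrllookup -u stages give you against live listeners.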
Unknownnoreply@blogger.com5tag:blogger.com,1999:blog-114124230733856093.post-797270020818165472013-05-02T11:51:00.002-07:002013-05-07T06:04:53.072-07:00Quick DLP Scans With ClamAV<br />
<div class="separator" style="clear: both; text-align: right;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgiXjGSHADi4h1IJiz7Ry_b_DtljoU-4ePm3PCRA4V09MzkRWf9wIvmrGD-YqId5UiMS0aZbDtMDC2EeNgyk9XycZCzKaMzoU5m7R6TnLKcck-YnzjmP1BW4LoXNuMbWZDGHn4frKw12sA/s1600/images.jpg" imageanchor="1" style="clear: right; float: right; margin-bottom: 1em; margin-left: 1em;"><img border="0" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgiXjGSHADi4h1IJiz7Ry_b_DtljoU-4ePm3PCRA4V09MzkRWf9wIvmrGD-YqId5UiMS0aZbDtMDC2EeNgyk9XycZCzKaMzoU5m7R6TnLKcck-YnzjmP1BW4LoXNuMbWZDGHn4frKw12sA/s1600/images.jpg" /></a><span style="background-color: white; font-family: Arial, Tahoma, Helvetica, FreeSans, sans-serif; font-size: 13px; line-height: 18px;"></span></div>
<div style="text-align: left;">
<span style="font-family: Arial, Helvetica, sans-serif;">Did you know that ClamAV has a DLP module that can scan for credit card or social security numbers contained in files? One reason this is interesting is that ClamAV is found on almost all Linux security distros (including <a href="http://ronin-linux.org/">RŌNIN</a>) and is easily launched from the command line. If you've ever worked breach cases in data environments covered under PCI-DSS or HIPAA, you know that one of the first questions to answer is: <b>Did personally identifiable information (PII) exist on the compromised system?</b> To that end, having a quick and readily available DLP scanning tool is a useful capability.</span><br />
<span style="font-family: Arial, Helvetica, sans-serif;"><br /></span></div>
<div style="text-align: left;">
<b><u><span style="color: #660000; font-size: large;">Running DLP Scan Using ClamScan</span></u></b></div>
<div style="text-align: left;">
You can run a DLP (and AV) sweep using the ClamAV command line scanner, <a href="http://linux.die.net/man/1/clamscan">clamscan</a>, and the following options:</div>
<div style="text-align: left;">
<br /></div>
<div style="text-align: left;">
<table style="border-collapse: collapse; border: none; width: 624px;"><colgroup><col width="*"></col></colgroup><tbody>
<tr style="height: 0px;"><td style="background-color: #434343; border: 1px solid rgb(0, 0, 0); padding: 7px; vertical-align: top;"><span style="color: orange;"><span style="font-family: 'Courier New', Courier, monospace;">clamscan -r --detect-structured=yes --structured-ssn-format=2 --structured-ssn-count=5 </span><i style="font-family: 'Courier New', Courier, monospace;">--structured-cc-count=5 </i><span style="font-family: 'Courier New', Courier, monospace;">directorypath</span></span></td></tr>
</tbody></table>
</div>
<div style="text-align: left;">
<span style="color: #0c343d;"><b><i><u>Command breakdown</u></i></b></span><br />
<span style="color: #0c343d;"><b><i>-r (recursive file scanning)<br />--detect-structured (yes turns on DLP matching; no by default)<br />--structured-ssn-format=2 (this tells the scanner to match both ###-##-#### and #########)<br />--structured-ssn-count (number of SSN matches/hits to exceed before reporting)</i>
</b></span></div>
<div style="text-align: left;">
<i><span style="color: #0c343d;"><b>--structured-cc-count (number of ccn matches/hits to exceed before reporting)</b></span></i></div>
<div style="text-align: left;">
<br /></div>
<div style="text-align: left;">
<b><u><span style="color: #660000; font-size: large;">Testing ClamAV DLP Module</span></u></b></div>
<div style="text-align: left;">
<span style="font-family: Arial, Helvetica, sans-serif;">To test ClamAV's DLP module, you can use a great <a href="http://www.identityfinder.com/kb/Getting-Started/110845">DLP test data set</a> provided by IdentityFinder. This data set is comprised of a number of files that contain fake SSNs, CCNs, and other elements of PII distributed across a wide range of common file formats.</span><br />
<span style="background-color: white; font-family: Arial, Tahoma, Helvetica, FreeSans, sans-serif; font-size: 13px; line-height: 18px;"><br /></span></div>
<div class="post-body entry-content" id="post-body-1961669043104946258" itemprop="description articleBody" style="background-color: white; position: relative; width: 586px;">
<div>
<div style="line-height: 18px;">
<span style="font-family: Arial, Helvetica, sans-serif;">If we fire off a scan of this data set using clamscan we get the following results:</span></div>
<br />
<span style="font-family: Courier New, Courier, monospace; font-size: x-small;"><span style="line-height: 18px;"><b><span style="color: #0c343d;">clamscan -r --detect-structured=yes --structured-ssn-format=2 --structured-ssn-count=1 --structured-cc-count=1 ./Identity_Finder_Test_Data</span></b></span></span><br />
<span style="font-family: Courier New, Courier, monospace; font-size: x-small;"><span style="color: #0c343d; line-height: 18px;"><b>./Identity_Finder_Test_Data/Employee Database.accdb: OK</b></span></span><br />
<span style="font-family: Courier New, Courier, monospace; font-size: x-small;"><span style="color: #0c343d; line-height: 18px;"><b>./Identity_Finder_Test_Data/Hidden Column.xls: OK</b></span></span><br />
<span style="font-family: Courier New, Courier, monospace; font-size: x-small;"><span style="color: #0c343d; line-height: 18px;"><b>./Identity_Finder_Test_Data/Department.csv: Heuristics.Structured.SSN FOUND</b></span></span><br />
<span style="font-family: Courier New, Courier, monospace; font-size: x-small;"><span style="color: #0c343d; line-height: 18px;"><b>./Identity_Finder_Test_Data/college essay w footer.doc: OK</b></span></span><br />
<span style="font-family: Courier New, Courier, monospace; font-size: x-small;"><span style="color: #0c343d; line-height: 18px;"><b>./Identity_Finder_Test_Data/Fake SSNs/fake_ssn.txt: Heuristics.Structured.SSN FOUND</b></span></span><br />
<span style="font-family: Courier New, Courier, monospace; font-size: x-small;"><span style="color: #0c343d; line-height: 18px;"><b>./Identity_Finder_Test_Data/Contacts.pptx: Heuristics.Structured.SSN FOUND</b></span></span><br />
<span style="font-family: Courier New, Courier, monospace; font-size: x-small;"><span style="color: #0c343d; line-height: 18px;"><b>./Identity_Finder_Test_Data/loans.xlsx: Heuristics.Structured.SSN FOUND</b></span></span><br />
<span style="font-family: Courier New, Courier, monospace; font-size: x-small;"><span style="color: #0c343d; line-height: 18px;"><b>./Identity_Finder_Test_Data/Samples/SSN.txt: Heuristics.Structured.SSN FOUND</b></span></span><br />
<span style="font-family: Courier New, Courier, monospace; font-size: x-small;"><span style="color: #0c343d; line-height: 18px;"><b>./Identity_Finder_Test_Data/Samples/Sample Real CCN.txt: Heuristics.Structured.CreditCardNumber FOUND</b></span></span><br />
<span style="font-family: Courier New, Courier, monospace; font-size: x-small;"><span style="color: #0c343d; line-height: 18px;"><b>./Identity_Finder_Test_Data/2009 class.docx: Heuristics.Structured.SSN FOUND</b></span></span><br />
<span style="font-family: Courier New, Courier, monospace; font-size: x-small;"><span style="color: #0c343d; line-height: 18px;"><b>./Identity_Finder_Test_Data/Tax Return 2008.pdf: Heuristics.Structured.CreditCardNumber FOUND</b></span></span><br />
<span style="font-family: Courier New, Courier, monospace; font-size: x-small;"><span style="color: #0c343d; line-height: 18px;"><b>./Identity_Finder_Test_Data/Credit Report.pdf: Heuristics.Structured.CreditCardNumber FOUND</b></span></span><br />
<span style="font-family: Courier New, Courier, monospace; font-size: x-small;"><span style="color: #0c343d; line-height: 18px;"><b>./Identity_Finder_Test_Data/Employee Database.mdb: OK</b></span></span><br />
<span style="font-family: Courier New, Courier, monospace; font-size: x-small;"><span style="color: #0c343d; line-height: 18px;"><b>./Identity_Finder_Test_Data/request.zip: Heuristics.Structured.CreditCardNumber FOUND</b></span></span><br />
<span style="font-family: Courier New, Courier, monospace; font-size: x-small;"><span style="color: #0c343d; line-height: 18px;"><b>./Identity_Finder_Test_Data/application.pdf: Heuristics.Structured.CreditCardNumber FOUND</b></span></span><br />
<span style="font-family: Courier New, Courier, monospace; font-size: x-small;"><span style="color: #0c343d; line-height: 18px;"><b>./Identity_Finder_Test_Data/students.ppt: Heuristics.Structured.SSN FOUND</b></span></span><br />
<br />
<span style="font-family: Arial, Helvetica, sans-serif;">From the output we can see that ClamAV found PII in many, but not all, of these files (with thresholds this low, it should have flagged all of them). In particular, the DLP module seems to have a hard time identifying PII contained in Access database files, Excel documents with hidden columns, and Word document footers. As </span>ClamAV's DLP functionality is based on parsing binary streams for regex matches on structured data, it seems to have issues with formats that do not employ straightforward textual encoding.<br />
<span style="font-family: Arial, Helvetica, sans-serif;"><br /></span><span style="font-family: Arial, Helvetica, sans-serif;">For a comprehensive DLP sweep, we'd want to look to a tool like <a href="https://code.google.com/p/opendlp/">OpenDLP</a> or commercial tools like <a href="http://www.identityfinder.com/">Identity Finder</a>. However, for a quick initial review, ClamAV's DLP scanning features are very good for performing cursory assessments.</span></div>
<div style="clear: both; font-family: Arial, Tahoma, Helvetica, FreeSans, sans-serif; font-size: 13px; line-height: 18px;">
</div>
</div>
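To show what the ssn-format and count options actually control, and why a text-pattern scanner misses content that never surfaces as text, here is an added Python example. It is not ClamAV's code: it is a simplified re-implementation of the kind of structured-data matching behind --detect-structured, with SSN plausibility rules and a Luhn check that are my approximation of the heuristic rather than ClamAV's exact rules. All sample file contents are constructed (the card number is the well-known 4111... test value), and the reading of the count options as "lowest number of hits needed to report" is stated in the code as this example's interpretation.

```python
"""Structured-data (SSN / credit card) sweep over text content.

Added example, not ClamAV code: a simplified re-implementation of the kind of
matching clamscan performs with --detect-structured, written to show what the
--structured-ssn-format and --structured-*-count options mean. The SSN
plausibility rules and the Luhn check are an approximation of the heuristic,
not ClamAV's exact rules, and all sample content is constructed.
"""
import re

# ssn-format 0: ###-##-####, 1: #########, 2: either (as in clamscan).
SSN_DASHED = re.compile(r"(?<![\d-])(\d{3})-(\d{2})-(\d{4})(?![\d-])")
SSN_STRIPPED = re.compile(r"(?<!\d)(\d{3})(\d{2})(\d{4})(?!\d)")
# 13-16 digit runs, optionally separated by single spaces or dashes.
CC_CANDIDATE = re.compile(r"(?<![\d-])(?:\d[ -]?){12,15}\d(?![\d-])")


def plausible_ssn(area, group, serial):
    """Drop structurally impossible SSNs: zero fields, area 666 or 9xx."""
    a, g, s = int(area), int(group), int(serial)
    return not (a == 0 or g == 0 or s == 0 or a == 666 or a >= 900)


def luhn_ok(digits):
    """Standard Luhn checksum, used to weed out random digit runs."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return total % 10 == 0


def find_ssns(text, ssn_format=2):
    hits = []
    if ssn_format in (0, 2):
        hits += [m.group(0) for m in SSN_DASHED.finditer(text)
                 if plausible_ssn(*m.groups())]
    if ssn_format in (1, 2):
        hits += [m.group(0) for m in SSN_STRIPPED.finditer(text)
                 if plausible_ssn(*m.groups())]
    return hits


def find_ccns(text):
    hits = []
    for m in CC_CANDIDATE.finditer(text):
        digits = re.sub(r"[ -]", "", m.group(0))
        if 13 <= len(digits) <= 16 and luhn_ok(digits):
            hits.append(m.group(0))
    return hits


def scan_text(text, ssn_format=2, ssn_count=1, cc_count=1):
    """Return verdicts (clamscan's names) whose hit count reaches the threshold.

    This example reads the count options as the lowest number of hits needed
    before a file is reported.
    """
    verdicts = []
    if len(find_ssns(text, ssn_format)) >= ssn_count:
        verdicts.append("Heuristics.Structured.SSN")
    if len(find_ccns(text)) >= cc_count:
        verdicts.append("Heuristics.Structured.CreditCardNumber")
    return verdicts


# Constructed sample "files". Only text is scanned here, which is exactly the
# limitation observed above: content inside a binary container that is never
# decoded to text cannot match.
SAMPLE_FILES = {
    "hr_export.csv": "name,ssn\nJ. Doe,078-05-1120\nA. Roe,219099999\n",
    "invoice.txt": "Card on file: 4111 1111 1111 1111 expires 12/29\n",
    "readme.txt": "Order 000-12-3456 shipped; ref 1234567890123\n",
}


def scan_all(files, **opts):
    """Map filename -> verdict list, like one clamscan -r run."""
    return {name: scan_text(text, **opts) for name, text in files.items()}


if __name__ == "__main__":
    for name, verdicts in scan_all(SAMPLE_FILES).items():
        print(f"{name}: {' '.join(verdicts) + ' FOUND' if verdicts else 'OK'}")
```

Raising ssn_count to 5, as in the first clamscan command above, silences hr_export.csv even though it holds two real-looking SSNs; readme.txt stays OK because its dashed number has an all-zero area field and its 13-digit run fails Luhn. That is the trade-off the thresholds encode: fewer false positives on incidental digit runs at the cost of missing files with only a handful of records.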
<div class="post-footer" style="background-color: white; font-family: Arial, Tahoma, Helvetica, FreeSans, sans-serif; font-size: 13px; line-height: 1.6; margin: 1.5em 0px 0px;">
</div>
Unknownnoreply@blogger.com0tag:blogger.com,1999:blog-114124230733856093.post-19616690431049462582013-04-30T12:32:00.002-07:002013-05-05T08:57:06.525-07:00Installing Log2TimeLine on Ubuntu 12.10<div class="separator" style="clear: both; text-align: center;">
</div>
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjDNjoKWzSjyWaW03lnJl_gS_W7UbuuACiTZpt1VHbxruAuOjzWNWqezC5PY0cWy1FVGsXl55Ur0VK9zvO5N_OmCtw75Tz7pcjJdKtSulm8Pu6xfYg65GuK9QfvoqmnU1olymjKbsJKxEk/s1600/log2timeline_image.jpg" imageanchor="1" style="clear: right; float: right; margin-bottom: 1em; margin-left: 1em;"><img border="0" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjDNjoKWzSjyWaW03lnJl_gS_W7UbuuACiTZpt1VHbxruAuOjzWNWqezC5PY0cWy1FVGsXl55Ur0VK9zvO5N_OmCtw75Tz7pcjJdKtSulm8Pu6xfYg65GuK9QfvoqmnU1olymjKbsJKxEk/s1600/log2timeline_image.jpg" /></a>Here's a quick and pain-free way to get <a href="http://log2timeline.net/">Log2Timeline</a> installed on Ubuntu 12.10 (and most likely 13.04 as well).<br />
<div>
<br /></div>
<div>
<b><u>Step 1 (Package Dependencies)</u></b></div>
<div>
sudo apt-get install libjson-xs-perl libwww-perl libdatetime-format-strptime-perl libparse-win32registry-perl libnetpacket-perl perl-modules libdate-manip-perl libversion-perl libdigest-crc-perl libdbd-sqlite3-perl libcarp-assert-perl libglib-perl libgtk2-perl libimage-exiftool-perl libhtml-scrubber-perl libdbi-perl libxml-libxml-perl libarchive-zip-perl libarchive-any-perl libnet-pcap-perl libdatetime-perl perl gcc build-essential</div>
<div>
<br /></div>
<div>
<b><u>Step 2 (Additional Perl Modules)</u></b></div>
<div>
<div>
perl -MCPAN -e 'install Data::Hexify'</div>
<div>
perl -MCPAN -e 'install File::Mork'</div>
<div>
perl -MCPAN -e 'install Mac::PropertyList'</div>
<div>
perl -MCPAN -e 'install XML::Entities'</div>
</div>
<div>
<br /></div>
<div>
<b><u>Step 3 (Compile Time)</u></b></div>
<div>
curl http://log2timeline.net/files/log2timeline_0.63.tgz | tar xvz</div>
<div>
cd ./log2timeline &amp;&amp; perl Makefile.PL</div>
<div>
make && make install </div>
<div>
<br />
Enjoy!</div>
Unknownnoreply@blogger.com0tag:blogger.com,1999:blog-114124230733856093.post-59997755118882330242013-04-10T05:49:00.000-07:002013-07-30T06:02:59.941-07:00Avoiding Security Monoculture<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEi31eEdn4axLBx6SCHAP12_rx1r7n637YBQI8R1lnfCiXQuFBsbhbr-flk9MMQo52SCnzZfBHcQautbfujP1VRhj2k6LTZF6V-f_AHPbuS8vWrd66NnTWd6rNY5HUi6aaNhJMrX2Gj9ZXcn/s1600/monoculture.jpg" imageanchor="1" style="clear: right; float: right; margin-bottom: 1em; margin-left: 1em;"><img border="0" height="228" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEi31eEdn4axLBx6SCHAP12_rx1r7n637YBQI8R1lnfCiXQuFBsbhbr-flk9MMQo52SCnzZfBHcQautbfujP1VRhj2k6LTZF6V-f_AHPbuS8vWrd66NnTWd6rNY5HUi6aaNhJMrX2Gj9ZXcn/s1600/monoculture.jpg" width="320" /></a>Every so often we hear proclamations that certain security technologies, like antivirus, are failing so badly that they should be regarded as bygone defenses of simpler times. These types of arguments arise with great regularity; anyone remember the supposed demise of IDS? While it's true that organizations are still spending a large percentage of their security budget on the "FAI" triad (firewalls, antivirus, IDS), there is no question as to whether these foundational defenses should be deployed (imagine a day without antivirus? No thank you!).<br />
<br />
The bigger issue lurking behind our own reaction to the latest dismal AV catch-rate statistics or painful breach analysis is one that we aren't talking enough about. This is an issue that I call <b>security monoculture</b>.<br />
<br />
The term monoculture has its origin in agriculture. To drive greater yields, farmers began producing genetically similar strains of crops. The benefits of this approach included standardized production cycles, fertilization methods, and pest control techniques, all of which could be scaled at less expense. The net impact of these innovations is extremely impressive (if you've ever driven across any of the states in the Great Plains, the results are hard to miss); however, all choices have consequences on both sides of the ledger. Just as every plant in a genetically similar monoculture has the same defenses against threats, all members of the monoculture share the same weaknesses. For this reason, diseases or pests that successfully establish themselves in these environments are capable of causing extreme damage.<br />
<br />
You might ask what agriculture has to do with information security. The truth is that there are trends in information security that invariably push us toward our own security monocultures. More specifically, there are a large number of organizations that have adopted security architectures whose defenses, processes, and methods are so similar that their risks are magnified substantially.<br />
<br />
As a quick case in point, let's take our much beloved defense-in-depth strategy. Defense-in-depth (DID for short) is the heart and soul of every information security practitioner, right up there with the CIA triad and Shon Harris books. The concept behind defense-in-depth is extremely logical: to defend the things we care about, we build our defenses so that the failure of one control/defense can be compensated for by the operation of another. It is easy and correct to visualize defense-in-depth architectures as a series of concentric circles: valuables inside, controls/defenses in between, and evil outside the gates. A full discussion of contemporary challenges for the DID model is a topic unto itself. The key issue with defense-in-depth is not whether it is logical; rather, it is whether our approach to DID incorporates enough defensive diversity.<br />
<br />
When we look at many organizations, we unfortunately often find the same security solutions mixed in with the same security deficits. This lack of defensive diversity is a godsend to an adversary who wishes us harm. From the perspective of a hostile actor intent on exfiltrating data, the fact that our defensive controls are so similar means that she needs to modify very few of her methods to evade detection and accomplish her mission.<br />
<br />
Avoiding security monoculture requires a few things from us that start with our mindset and end in our practices:<br />
<ul>
<li><b>Willingness To Lead</b> - As security professionals we have to be accountable for our decisions and our performance. With security, however, there can be a great pressure to be in lockstep with our peers. If we are defending like everyone else and get hit, then it can honestly feel reassuring to be able to state: "Everyone else is doing it this way." Don't fall into this trap. It is one thing to selectively adopt good practices, but we must realize that all environments present unique challenges. Be decisive and address these challenges based on your research, your experience, your best judgement and take accountability for your decisions.</li>
<li><b>Compliance ≠ Security</b> - If we are only concerned with making sure that all the checkboxes are filled, then we've embraced an approach that leads very quickly to security monoculture. Compliance should be treated as a risk to be managed and not an end goal. Any static defensive position becomes an almost immediate advantage to an adversary. Don't just reach compliance requirements and stop; we have to keep going and develop our defenses in a manner that makes the most sense for our organizations.</li>
<li><b>Do The Basics Extremely Well - </b>Often with security architecture we can build great walls around some really shoddy buildings. While it is great fun to explore the latest exploit or new technology, we have to focus our efforts first and foremost on basic foundational practices like patch management, IAM, and change management review. By formalizing and consistently executing these practices, we gain a great deal of differentiation from a large number of other organizations.</li>
<li><b>Active Defenses</b> - This term seems to be somewhat en vogue, though it is often misunderstood. Active defense isn't equivalent to "hacking back". A significant idea behind active defense is the implementation of non-passive controls which offer denial and deception capabilities. The utility of the active defense approach can be immense, and more organizations need to begin developing defensive stratagems that include these measures.</li>
</ul>
The challenges of security monoculture are significant, but organizations who understand this reality can, ironically, turn this situation to their advantage. Defensive strategies which cultivate and exploit adversaries' own empirical assumptions can be extremely powerful.<br />
<div>
<br /></div>
Unknownnoreply@blogger.com0tag:blogger.com,1999:blog-114124230733856093.post-3943878770695759112013-02-07T06:00:00.000-08:002013-07-30T06:03:39.091-07:00Simple Answers To Security Complexity<div class="separator" style="clear: both; text-align: center;">
</div>
<div class="separator" style="clear: both; text-align: center;">
</div>
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEh_hFpe8-pQJIX1gteTSqeNsezEB1p_12w94kOoFqBUqPD4ODb_3iPHUdeVsmz_Kv1AKjIla4h0jyvIXKKvw_JGtMiN3TkmKW2wkzA0qx5ohrI8WWzBnUfLoh5g1EXDqpM92fs0q6jp0s4/s1600/200px-Prim_Maze.svg.png" imageanchor="1" style="clear: right; float: right; margin-bottom: 1em; margin-left: 1em;"><img border="0" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEh_hFpe8-pQJIX1gteTSqeNsezEB1p_12w94kOoFqBUqPD4ODb_3iPHUdeVsmz_Kv1AKjIla4h0jyvIXKKvw_JGtMiN3TkmKW2wkzA0qx5ohrI8WWzBnUfLoh5g1EXDqpM92fs0q6jp0s4/s1600/200px-Prim_Maze.svg.png" /></a></div>
<span style="background-color: white; font-family: 'Trebuchet MS', Trebuchet, Verdana, sans-serif; font-size: 13px; line-height: 18px;">One of the old adages in information security is that "complexity is the enemy of security". The reasoning </span><span style="background-color: white; font-family: 'Trebuchet MS', Trebuchet, Verdana, sans-serif; font-size: 13px; line-height: 18px;">behind this is simple. Complex systems are much harder to map-out (large attack surfaces), are often very difficult to manage effectively, and the long-term behavior of a complex system is more difficult to predict reliably (vulnerabilities + fault conditions). </span><br />
<br style="background-color: white; font-family: 'Trebuchet MS', Trebuchet, Verdana, sans-serif; font-size: 13px; line-height: 18px;" />
<span style="background-color: white; font-family: 'Trebuchet MS', Trebuchet, Verdana, sans-serif; font-size: 13px; line-height: 18px;">This adage is less of an academic or philosophical statement as it is an observation borne out by more than a few (usually quite painful) professional experiences concerning the impacts of complexity. Given these experiences, one might assume that we've all learned our lesson and issued a declaration of "never again". </span><br />
<br style="background-color: white; font-family: 'Trebuchet MS', Trebuchet, Verdana, sans-serif; font-size: 13px; line-height: 18px;" />
<span style="background-color: white; font-family: 'Trebuchet MS', Trebuchet, Verdana, sans-serif; font-size: 13px; line-height: 18px;">Except, of course, we can't really say this. Complexity is unavoidable amid organizational pressure to integrate, deliver, and leverage IT systems on ever shorter time horizons. However, IT specialists aren't the only ones feeling the brunt of this. Contractual, legal, and regulatory complexity is also growing to an all-time high. So much for simplicity, right?</span><br />
<br style="background-color: white; font-family: 'Trebuchet MS', Trebuchet, Verdana, sans-serif; font-size: 13px; line-height: 18px;" />
<span style="background-color: white; font-family: 'Trebuchet MS', Trebuchet, Verdana, sans-serif; font-size: 13px; line-height: 18px;">Well, the truth is</span><b style="background-color: white; font-family: 'Trebuchet MS', Trebuchet, Verdana, sans-serif; font-size: 13px; line-height: 18px;"> you can't manage complexity with even more complexity</b><span style="background-color: white; font-family: 'Trebuchet MS', Trebuchet, Verdana, sans-serif; font-size: 13px; line-height: 18px;">. Now more than ever, managing Information Security challenges requires a solid grasp of the answers to some</span><b style="background-color: white; font-family: 'Trebuchet MS', Trebuchet, Verdana, sans-serif; font-size: 13px; line-height: 18px;"> deviously simple questions</b><span style="background-color: white; font-family: 'Trebuchet MS', Trebuchet, Verdana, sans-serif; font-size: 13px; line-height: 18px;">. The answers are fundamental: they form a map of what really matters most. Three such questions that </span><u style="background-color: white; font-family: 'Trebuchet MS', Trebuchet, Verdana, sans-serif; font-size: 13px; line-height: 18px;">must</u><span style="background-color: white; font-family: 'Trebuchet MS', Trebuchet, Verdana, sans-serif; font-size: 13px; line-height: 18px;"> be answered:</span><br />
<ol style="background-color: white; font-family: 'Trebuchet MS', Trebuchet, Verdana, sans-serif; font-size: 13px; line-height: 18px;">
<li style="margin: 0px 0px 0.25em; padding: 0px;"><b>What are the mission and goals of your organization?</b><b> </b></li>
<li style="margin: 0px 0px 0.25em; padding: 0px;"><b>What does "security" mean in the context of these objectives?</b></li>
<li style="margin: 0px 0px 0.25em; padding: 0px;"><b>How can you <u>consistently</u> generate and demonstrate value in support of these goals?</b></li>
</ol>
<br style="background-color: white; font-family: 'Trebuchet MS', Trebuchet, Verdana, sans-serif; font-size: 13px; line-height: 18px;" />
<span style="background-color: white; font-family: 'Trebuchet MS', Trebuchet, Verdana, sans-serif; font-size: 13px; line-height: 18px;">The key element with each of these questions is understanding how the mission of your information security program fits into the "big picture" of your organization. There is a reason, however, why these are </span><i style="background-color: white; font-family: 'Trebuchet MS', Trebuchet, Verdana, sans-serif; font-size: 13px; line-height: 18px;"><u>deviously</u></i><span style="background-color: white; font-family: 'Trebuchet MS', Trebuchet, Verdana, sans-serif; font-size: 13px; line-height: 18px;"> simple questions. Finding the answers is a bit like assembling a puzzle. Your senior executives will have some crucial pieces, but you will discover that other key insights come from line managers and end-users. Knowledge of varied business operation requirements within your organization is also essential to identifying which pragmatic security-tradeoffs both protect and enhance the capability of your organization to hit its targets.</span><br />
<br style="background-color: white; font-family: 'Trebuchet MS', Trebuchet, Verdana, sans-serif; font-size: 13px; line-height: 18px;" />
<span style="background-color: white; font-family: 'Trebuchet MS', Trebuchet, Verdana, sans-serif; font-size: 13px; line-height: 18px;">Obviously, you build and refine this picture over time and continually adjust your security program commensurate not only with new threats and obstacles but also with the evolution of new goals and opportunities. Unfortunately, many put the cart before the horse: they attempt to deal with complex issues (the "how") before they've gained any insight into the basics (the "why"). Failure to address (and readdress) these simple questions inevitably leads to very costly and visible course corrections.</span>Unknownnoreply@blogger.com0tag:blogger.com,1999:blog-114124230733856093.post-44381922370677065522012-07-24T08:51:00.000-07:002013-04-30T13:33:27.564-07:00Collaborative PenTest Platform with EC2, Metasploit, and Armitage<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEh5Y29vVvhZ19A2chGGD0Bp2VMaCipm6mQDCXt65t1UOd83bU2B9Mwz9j81L1Y5I4c46QJXZx9SWWm_tWSo4plh00yYxL4cK4ztGaf03J__QGyowchayks6r_FcNe-Iev6qS2OXiI-d1IY/s1600/blog-cloud_collabpt_1.jpg" imageanchor="1" style="clear: right; float: right; margin-bottom: 1em; margin-left: 1em;"><img border="0" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEh5Y29vVvhZ19A2chGGD0Bp2VMaCipm6mQDCXt65t1UOd83bU2B9Mwz9j81L1Y5I4c46QJXZx9SWWm_tWSo4plh00yYxL4cK4ztGaf03J__QGyowchayks6r_FcNe-Iev6qS2OXiI-d1IY/s1600/blog-cloud_collabpt_1.jpg" /></a></div>
<span style="background-color: white; font-family: Verdana, Arial, Helvetica, sans-serif; font-size: 12px; line-height: 16.796875px;">This post will go over how to establish a relatively low-cost penetration testing framework using </span><a class="externalLink" href="http://aws.amazon.com/ec2/" style="background-color: white; color: #0044bb; font-family: Verdana, Arial, Helvetica, sans-serif; font-size: 12px; line-height: 16.796875px;" target="_blank" title="External link to http://aws.amazon.com/ec2/">Amazon Cloud (EC2)</a><span style="background-color: white; font-family: Verdana, Arial, Helvetica, sans-serif; font-size: 12px; line-height: 16.796875px;"> and leveraging the collaborative "red-teaming" functionality of </span><a class="externalLink" href="https://github.com/rapid7/metasploit-framework#readme" style="background-color: white; color: #0044bb; font-family: Verdana, Arial, Helvetica, sans-serif; font-size: 12px; line-height: 16.796875px;" target="_blank" title="External link to https://github.com/rapid7/metasploit-framework#readme">Metasploit Framework</a><span style="background-color: white; font-family: Verdana, Arial, Helvetica, sans-serif; font-size: 12px; line-height: 16.796875px;"> and </span><a class="externalLink" href="http://www.fastandeasyhacking.com/" style="background-color: white; color: #0044bb; font-family: Verdana, Arial, Helvetica, sans-serif; font-size: 12px; line-height: 16.796875px;" target="_blank" title="External link to http://www.fastandeasyhacking.com/">Armitage</a><span style="background-color: white; font-family: Verdana, Arial, Helvetica, sans-serif; font-size: 12px; line-height: 16.796875px;">'s </span><a class="externalLink" href="http://www.google.com/url?sa=t&rct=j&q=armitage%20deconfliction%20&source=web&cd=3&ved=0CFEQFjAC&url=http%3A%2F%2Fwww.fastandeasyhacking.com%2Fdownload%2Frsmudge_usenix_login_attack_collaboration.pdf&ei=UYn7T67pLYim9AS2saX_Bg&usg=AFQjCNHqJwqtleTCgLfc2GRU99QO7DOHqA&cad=rja" style="background-color: white; color: #0044bb; font-family: Verdana, Arial, Helvetica, sans-serif; font-size: 12px; line-height: 16.796875px;" target="_blank" title="External link to http://www.google.com/url?sa=t&rct=j&q=armitage%20deconfliction%20&source=web&cd=3&ved=0CFEQFjAC&url=http%3A%2F%2Fwww.fastandeasyhacking.com%2Fdownload%2Frsmudge_usenix_login_attack_collaboration.pdf&ei=UYn7T67pLYim9AS2saX_Bg&usg=AFQjCNHqJwqtleTCgLfc2GRU99QO7DOHqA&cad=rja">deconfliction services</a><span style="background-color: white; font-family: Verdana, Arial, Helvetica, sans-serif; font-size: 12px; line-height: 16.796875px;">.</span><br />
<br style="background-color: white; font-family: Verdana, Arial, Helvetica, sans-serif; font-size: 12px; line-height: 16.796875px;" />
<span style="background-color: white; font-family: Verdana, Arial, Helvetica, sans-serif; font-size: 12px; line-height: 16.796875px;">Deploying this type of collaborative penetration testing environment in Amazon's cloud (</span><span style="background-color: white; font-family: Verdana, Arial, Helvetica, sans-serif; font-size: 12px; line-height: 16.796875px;">EC2</span><span style="background-color: white; font-family: Verdana, Arial, Helvetica, sans-serif; font-size: 12px; line-height: 16.796875px;">) offers some nice benefits:</span><br />
<ul style="background-color: white; font-family: Verdana, Arial, Helvetica, sans-serif; font-size: 12px; line-height: 16.796875px; margin-left: 0.5em; padding-left: 1.5em;">
<li>On Demand / Low Cost - You can spin up your penetration testing platform as needed and pay only for the resources you consume.</li>
<li>Scalable - If your project or engagement requires more computing power, you can easily bring it to bear.</li>
<li>High Bandwidth - Bottlenecks are reduced for network assessment activities that might tax other uplinks.</li>
<li>Quick External Viewpoint - For internal security teams, AWS instances provide a convenient vantage point to test and simulate attacker actions from the outside in.</li>
<li>Team From Anywhere - By focusing your efforts through a central cloud instance, your assessment team can initiate testing from a single source IP without needing an additional VPN. A single source IP is also easy for the target organization to whitelist and to pick out in its logs afterwards.</li>
</ul>
<br style="background-color: white; font-family: Verdana, Arial, Helvetica, sans-serif; font-size: 12px; line-height: 16.796875px;" />
<span style="background-color: white; font-family: Verdana, Arial, Helvetica, sans-serif; font-size: 12px; line-height: 16.796875px;">At the end of this setup you will be able to share scan results, Metasploit sessions, and more between team members. See the video below for usage examples:</span><br />
<span style="background-color: white; font-family: Verdana, Arial, Helvetica, sans-serif; font-size: 12px; line-height: 16.796875px;"><iframe allowfullscreen="" frameborder="0" height="314" src="http://www.youtube.com/embed/coF8dVLBnOQ" width="516"></iframe></span><br style="background-color: white; font-family: Verdana, Arial, Helvetica, sans-serif; font-size: 12px; line-height: 16.796875px;" />
<br style="background-color: white; font-family: Verdana, Arial, Helvetica, sans-serif; font-size: 12px; line-height: 16.796875px;" />
<br style="background-color: white; font-family: Verdana, Arial, Helvetica, sans-serif; font-size: 12px; line-height: 16.796875px;" />
<h3 style="background-color: white; border-bottom-color: rgb(204, 204, 204); border-bottom-style: solid; border-bottom-width: 1px; color: #884411; font-family: Verdana, Arial, Helvetica, sans-serif; font-size: 1.1em; line-height: 16.796875px; margin-bottom: 0.3em; margin-top: 1.2em; padding-bottom: 1px;">
Step 1. Establish Or Login To Your Amazon Web Services Account.</h3>
<a class="externalLink" href="http://aws.amazon.com/" style="background-color: white; color: #0044bb; font-family: Verdana, Arial, Helvetica, sans-serif; font-size: 12px; line-height: 16.796875px;" target="_blank" title="External link to http://aws.amazon.com">http://aws.amazon.com</a><br />
<br style="background-color: white; font-family: Verdana, Arial, Helvetica, sans-serif; font-size: 12px; line-height: 16.796875px;" />
<h3 style="background-color: white; border-bottom-color: rgb(204, 204, 204); border-bottom-style: solid; border-bottom-width: 1px; color: #884411; font-family: Verdana, Arial, Helvetica, sans-serif; font-size: 1.1em; line-height: 16.796875px; margin-bottom: 0.3em; margin-top: 1.2em; padding-bottom: 1px;">
Step 2. Setting Up An Ubuntu Instance in Amazon EC2 Cloud.</h3>
<span style="background-color: white; font-family: Verdana, Arial, Helvetica, sans-serif; font-size: 12px; line-height: 16.796875px;">If you've never used </span><span style="background-color: white; font-family: Verdana, Arial, Helvetica, sans-serif; font-size: 12px; line-height: 16.796875px;">EC2</span><span style="background-color: white; font-family: Verdana, Arial, Helvetica, sans-serif; font-size: 12px; line-height: 16.796875px;"> before you will definitely need to familiarize yourself with this platform.</span><br />
<br style="background-color: white; font-family: Verdana, Arial, Helvetica, sans-serif; font-size: 12px; line-height: 16.796875px;" />
<span style="background-color: white; font-family: Verdana, Arial, Helvetica, sans-serif; font-size: 12px; line-height: 16.796875px;">Amazon has some good getting started guides here (highly recommended):</span><br />
<a class="externalLink" href="http://docs.amazonwebservices.com/AWSEC2/latest/GettingStartedGuide/GetStartedLinux.html" style="background-color: white; color: #0044bb; font-family: Verdana, Arial, Helvetica, sans-serif; font-size: 12px; line-height: 16.796875px;" target="_blank" title="External link to http://docs.amazonwebservices.com/AWSEC2/latest/GettingStartedGuide/GetStartedLinux.html">http://docs.amazonwebservices.com/AWSEC2/latest/GettingStartedGuide/GetStartedLinux.html</a><br />
<br style="background-color: white; font-family: Verdana, Arial, Helvetica, sans-serif; font-size: 12px; line-height: 16.796875px;" />
<span style="background-color: white; font-family: Verdana, Arial, Helvetica, sans-serif; font-size: 12px; line-height: 16.796875px;">A good video tutorial walk-through has been provided on </span><span style="background-color: white; font-family: Verdana, Arial, Helvetica, sans-serif; font-size: 12px; line-height: 16.796875px;">YouTube</span><span style="background-color: white; font-family: Verdana, Arial, Helvetica, sans-serif; font-size: 12px; line-height: 16.796875px;">:</span><br />
<span style="background-color: white; font-family: Verdana, Arial, Helvetica, sans-serif; font-size: 12px; line-height: 16.796875px;"><iframe allowfullscreen="" frameborder="0" height="157" src="http://www.youtube.com/embed/rYJLIfVuSMY" width="280"></iframe></span><br style="background-color: white; font-family: Verdana, Arial, Helvetica, sans-serif; font-size: 12px; line-height: 16.796875px;" />
<br style="background-color: white; font-family: Verdana, Arial, Helvetica, sans-serif; font-size: 12px; line-height: 16.796875px;" />
<span style="background-color: white; font-family: Verdana, Arial, Helvetica, sans-serif; font-size: 12px; line-height: 16.796875px;">The basic steps to bring this Ubuntu instance up are the following:</span><br />
<ul style="background-color: white; font-family: Verdana, Arial, Helvetica, sans-serif; font-size: 12px; line-height: 16.796875px; margin-left: 0.5em; padding-left: 1.5em;">
<li>Select Ubuntu Server 12.04 LTS x64</li>
<li><strong>Use the Micro Tier (t1.micro, 613MB) for the test setup. This may be a bit slow, but it is eligible for the <a class="externalLink" href="http://aws.amazon.com/free/" style="color: #0044bb;" target="_blank" title="External link to http://aws.amazon.com/free/">free usage tier</a>.</strong></li>
<li><strong>Save and back up your key pair (PEM file). Don't lose this file! You will need it to access your EC2 instance.</strong></li>
<li>Create a customized security group that allows inbound access to SSH (TCP 22) and the Armitage Deconfliction Server (TCP 55553). Restrict the source of both rules to your team's IP addresses rather than 0.0.0.0/0; otherwise the teamserver port is reachable from the entire internet and protected only by the team password.</li>
</ul>
<h3 style="background-color: white; border-bottom-color: rgb(204, 204, 204); border-bottom-style: solid; border-bottom-width: 1px; color: #884411; font-family: Verdana, Arial, Helvetica, sans-serif; font-size: 1.1em; line-height: 16.796875px; margin-bottom: 0.3em; margin-top: 1.2em; padding-bottom: 1px;">
Step 3. Accessing and Configuring Ubuntu Instance</h3>
<span style="background-color: white; font-family: Verdana, Arial, Helvetica, sans-serif; font-size: 12px; line-height: 16.796875px;">After your instance has started, you will need to access it using SSH and the Key file you saved.</span><br />
<pre style="background-color: #ffffcc; border: 1px solid rgb(255, 238, 136); font-size: 12px; line-height: 1.4em; margin-left: 0.5em; overflow: auto; padding: 0.5em;">chmod 400 example.pem
ssh -i example.pem ubuntu@ec2-example.compute-1.amazonaws.com
</pre>
<br style="background-color: white; font-family: Verdana, Arial, Helvetica, sans-serif; font-size: 12px; line-height: 16.796875px;" />
<span style="background-color: white; font-family: Verdana, Arial, Helvetica, sans-serif; font-size: 12px; line-height: 16.796875px;">Once you are connected, patch the box and install the base packages we need (below).</span><br />
<pre style="background-color: #ffffcc; border: 1px solid rgb(255, 238, 136); font-size: 12px; line-height: 1.4em; margin-left: 0.5em; overflow: auto; padding: 0.5em;">sudo apt-get update
sudo apt-get upgrade
sudo apt-get install ruby libruby ri rubygems subversion ruby-dev libpcap-dev libpq-dev postgresql nmap
sudo gem install --no-rdoc --no-ri pg
sudo gem install msgpack
</pre>
<h3 style="background-color: white; border-bottom-color: rgb(204, 204, 204); border-bottom-style: solid; border-bottom-width: 1px; color: #884411; font-family: Verdana, Arial, Helvetica, sans-serif; font-size: 1.1em; line-height: 16.796875px; margin-bottom: 0.3em; margin-top: 1.2em; padding-bottom: 1px;">
Step 4. Installing and Configuring Metasploit</h3>
<span style="background-color: white; font-family: Verdana, Arial, Helvetica, sans-serif; font-size: 12px; line-height: 16.796875px;">Grab MSF with subversion and symlink the binaries.</span><br />
<pre style="background-color: #ffffcc; border: 1px solid rgb(255, 238, 136); font-size: 12px; line-height: 1.4em; margin-left: 0.5em; overflow: auto; padding: 0.5em;">sudo svn co https://www.metasploit.com/svn/framework3/trunk/ /opt/metasploit/msf3/
sudo ln -sf /opt/metasploit/msf3/msf* /usr/local/bin/
sudo msfupdate
</pre>
<br style="background-color: white; font-family: Verdana, Arial, Helvetica, sans-serif; font-size: 12px; line-height: 16.796875px;" />
<h3 style="background-color: white; border-bottom-color: rgb(204, 204, 204); border-bottom-style: solid; border-bottom-width: 1px; color: #884411; font-family: Verdana, Arial, Helvetica, sans-serif; font-size: 1.1em; line-height: 16.796875px; margin-bottom: 0.3em; margin-top: 1.2em; padding-bottom: 1px;">
Step 5. Postgresql Database Setup</h3>
<span style="background-color: white; font-family: Verdana, Arial, Helvetica, sans-serif; font-size: 12px; line-height: 16.796875px;">Basic DB Setup.</span><br />
<pre style="background-color: #ffffcc; border: 1px solid rgb(255, 238, 136); font-size: 12px; line-height: 1.4em; margin-left: 0.5em; overflow: auto; padding: 0.5em;">sudo /etc/init.d/postgresql start
sudo -u postgres createuser msf -P
Enter password for new role: 'enteryourpassword'
Enter it again: 'enteryourpassword'
Shall the new role be a superuser? (y/n) n
Shall the new role be allowed to create databases? (y/n) n
Shall the new role be allowed to create more new roles? (y/n) n
sudo -u postgres createdb --owner=msf metasploit3
</pre>
<br style="background-color: white; font-family: Verdana, Arial, Helvetica, sans-serif; font-size: 12px; line-height: 16.796875px;" />
<span style="background-color: white; font-family: Verdana, Arial, Helvetica, sans-serif; font-size: 12px; line-height: 16.796875px;">We'll need to run msfconsole and connect to database to populate the tables.</span><br />
<pre style="background-color: #ffffcc; border: 1px solid rgb(255, 238, 136); font-size: 12px; line-height: 1.4em; margin-left: 0.5em; overflow: auto; padding: 0.5em;">msfconsole
msf > db_status
[*] postgresql selected, no connection
msf > db_connect msf:yourpassword@127.0.0.1:5432/metasploit3
NOTICE: CREATE TABLE will create implicit sequence "hosts_id_seq" for serial column "hosts.id"
NOTICE: CREATE TABLE / PRIMARY KEY will create implicit index "hosts_pkey" for table "hosts"
NOTICE: CREATE TABLE will create implicit sequence "clients_id_seq" for serial column "clients.id"
.....
msf > db_status
[*] postgresql connected to metasploit3
msf > quit
</pre>
<br style="background-color: white; font-family: Verdana, Arial, Helvetica, sans-serif; font-size: 12px; line-height: 16.796875px;" />
<span style="background-color: white; font-family: Verdana, Arial, Helvetica, sans-serif; font-size: 12px; line-height: 16.796875px;">Echo this line to the msfconsole resource file so that msfconsole connects to the database automatically on startup. Note that the file holds the database password in plaintext, so keep its permissions restricted to your own user.</span><br />
<pre style="background-color: #ffffcc; border: 1px solid rgb(255, 238, 136); font-size: 12px; line-height: 1.4em; margin-left: 0.5em; overflow: auto; padding: 0.5em;">echo "db_connect msf:enteryourpassword@127.0.0.1:5432/metasploit3" > ~/.msf4/msfconsole.rc
</pre>
<br style="background-color: white; font-family: Verdana, Arial, Helvetica, sans-serif; font-size: 12px; line-height: 16.796875px;" />
<u style="background-color: white; font-family: Verdana, Arial, Helvetica, sans-serif; font-size: 12px; line-height: 16.796875px;">database.yml</u><br />
<span style="background-color: white; font-family: Verdana, Arial, Helvetica, sans-serif; font-size: 12px; line-height: 16.796875px;">We'll also need to create a database YML file so that Armitage can connect to the Postgres DB.</span><br />
<br style="background-color: white; font-family: Verdana, Arial, Helvetica, sans-serif; font-size: 12px; line-height: 16.796875px;" />
<span style="background-color: white; font-family: Verdana, Arial, Helvetica, sans-serif; font-size: 12px; line-height: 16.796875px;">We'll place it in /opt/metasploit/msf3/database.yml. It should be formatted as below (the keys must be indented under production:), replacing the password with the value you set for the msf database user account.</span><br />
<pre style="background-color: #ffffcc; border: 1px solid rgb(255, 238, 136); font-size: 12px; line-height: 1.4em; margin-left: 0.5em; overflow: auto; padding: 0.5em;">production:
  adapter: "postgresql"
  database: "metasploit3"
  username: "msf"
  password: "enteryourpassword"
  port: 5432
  host: "localhost"
  pool: 256
  timeout: 5
</pre>
<span style="background-color: white; font-family: Verdana, Arial, Helvetica, sans-serif; font-size: 12px; line-height: 16.796875px;">After creating the file, we'll set an environment variable so that Armitage can find it. /etc/environment is read at login, so the variable will be present in your next SSH session.</span><br />
<pre style="background-color: #ffffcc; border: 1px solid rgb(255, 238, 136); font-size: 12px; line-height: 1.4em; margin-left: 0.5em; overflow: auto; padding: 0.5em;">sudo /bin/sh -c 'echo "MSF_DATABASE_CONFIG=/opt/metasploit/msf3/database.yml" >> /etc/environment'
</pre>
<h3 style="background-color: white; border-bottom-color: rgb(204, 204, 204); border-bottom-style: solid; border-bottom-width: 1px; color: #884411; font-family: Verdana, Arial, Helvetica, sans-serif; font-size: 1.1em; line-height: 16.796875px; margin-bottom: 0.3em; margin-top: 1.2em; padding-bottom: 1px;">
Step 6. Configuring Java JRE</h3>
<span style="background-color: white; font-family: Verdana, Arial, Helvetica, sans-serif; font-size: 12px; line-height: 16.796875px;">Armitage depends on Oracle's Java 1.7. You will encounter problems if you use OpenJDK. Note that the download below is the x64 build, matching the x64 Ubuntu image selected in Step 2.</span><br />
<pre style="background-color: #ffffcc; border: 1px solid rgb(255, 238, 136); font-size: 12px; line-height: 1.4em; margin-left: 0.5em; overflow: auto; padding: 0.5em;">wget --no-cookies --header "Cookie: gpw_e24=http%3A%2F%2Fwww.oracle.com%2F" "http://download.oracle.com/otn-pub/java/jdk/7u5-b05/jre-7u5-linux-x64.tar.gz"
tar xvzf jre-7u5-linux-x64.tar.gz
sudo mkdir /usr/lib/jvm
sudo mv jre1.7.0_05/ /usr/lib/jvm/jre1.7.0
sudo update-alternatives --install /usr/bin/java java /usr/lib/jvm/jre1.7.0/bin/java 1
sudo ln -sf /usr/lib/jvm/jre1.7.0/bin/keytool /usr/local/bin/keytool
</pre>
<br style="background-color: white; font-family: Verdana, Arial, Helvetica, sans-serif; font-size: 12px; line-height: 16.796875px;" />
<h3 style="background-color: white; border-bottom-color: rgb(204, 204, 204); border-bottom-style: solid; border-bottom-width: 1px; color: #884411; font-family: Verdana, Arial, Helvetica, sans-serif; font-size: 1.1em; line-height: 16.796875px; margin-bottom: 0.3em; margin-top: 1.2em; padding-bottom: 1px;">
Step 7. Starting Armitage Deconfliction Server</h3>
<span style="background-color: white; font-family: Verdana, Arial, Helvetica, sans-serif; font-size: 12px; line-height: 16.796875px;">EC2</span><span style="background-color: white; font-family: Verdana, Arial, Helvetica, sans-serif; font-size: 12px; line-height: 16.796875px;"> uses 1:1 NAT to route traffic to instances, so the instance itself only sees its private address. You will need to start the Armitage Deconfliction Server with the public hostname associated with your </span><span style="background-color: white; font-family: Verdana, Arial, Helvetica, sans-serif; font-size: 12px; line-height: 16.796875px;">EC2</span><span style="background-color: white; font-family: Verdana, Arial, Helvetica, sans-serif; font-size: 12px; line-height: 16.796875px;"> instance, which is the address your team members (and any reverse connections from targets) will use. </span><br />
<span style="background-color: white; font-family: Verdana, Arial, Helvetica, sans-serif; font-size: 12px; line-height: 16.796875px;">(</span><em style="background-color: white; font-family: Verdana, Arial, Helvetica, sans-serif; font-size: 12px; line-height: 16.796875px;">Thanks to <a class="externalLink" href="http://hick.org/~raffi/index.html" style="color: #0044bb;" target="_blank" title="External link to http://hick.org/~raffi/index.html">Raphael Mudge</a> for notes on how to avoid issues here</em><span style="background-color: white; font-family: Verdana, Arial, Helvetica, sans-serif; font-size: 12px; line-height: 16.796875px;">.)</span><br />
<br style="background-color: white; font-family: Verdana, Arial, Helvetica, sans-serif; font-size: 12px; line-height: 16.796875px;" />
<span style="background-color: white; font-family: Verdana, Arial, Helvetica, sans-serif; font-size: 12px; line-height: 16.796875px;">We can use the </span><a class="externalLink" href="http://aws.amazon.com/code/1825" style="background-color: white; color: #0044bb; font-family: Verdana, Arial, Helvetica, sans-serif; font-size: 12px; line-height: 16.796875px;" target="_blank" title="External link to http://aws.amazon.com/code/1825">ec2metadata</a><span style="background-color: white; font-family: Verdana, Arial, Helvetica, sans-serif; font-size: 12px; line-height: 16.796875px;"> utility to obtain the public hostname. The last argument to the teamserver script is the shared team password; "testing" is used in the example below, but choose a strong one, since this password is what stands between the internet and your Metasploit sessions.</span><br />
<ul style="background-color: white; font-family: Verdana, Arial, Helvetica, sans-serif; font-size: 12px; line-height: 16.796875px; margin-left: 0.5em; padding-left: 1.5em;">
<li>Note: You may get some connection refused messages for several seconds after launch. Give the teamserver script time to run (esp. on Micro Tier instances).</li>
</ul>
<pre style="background-color: #ffffcc; border: 1px solid rgb(255, 238, 136); font-size: 12px; line-height: 1.4em; margin-left: 0.5em; overflow: auto; padding: 0.5em;">cd /opt/metasploit/msf3/data/armitage
sudo ./teamserver `ec2metadata --public-hostname` testing
[+] Generating X509 certificate and keystore (for SSL)
[+] Starting RPC daemon
[*] MSGRPC starting on 127.0.0.1:55554 (NO SSL):Msg...
[*] MSGRPC backgrounding at Thu Jul 05 05:50:36 +0000 2012...
[+] sleeping for 20s (to let msfrpcd initialize)
Warning: checkError(): java.lang.RuntimeException: java.net.ConnectException: Connection refused at server.sl:392
Use the following connection details to connect your clients:
Host: ec2-23-20-105-99.compute-1.amazonaws.com
Port: 55553
User: msf
Pass: testing
Fingerprint (check for this string when you connect):
910c7589f0253a4997dbd4d1198ed76e46b91836
feel free to connect now, Armitage is ready for collaboration
</pre>
<br style="background-color: white; font-family: Verdana, Arial, Helvetica, sans-serif; font-size: 12px; line-height: 16.796875px;" />
<h3 style="background-color: white; border-bottom-color: rgb(204, 204, 204); border-bottom-style: solid; border-bottom-width: 1px; color: #884411; font-family: Verdana, Arial, Helvetica, sans-serif; font-size: 1.1em; line-height: 16.796875px; margin-bottom: 0.3em; margin-top: 1.2em; padding-bottom: 1px;">
Step 8. Connecting Your Red Team Members</h3>
<span style="background-color: white; font-family: Verdana, Arial, Helvetica, sans-serif; font-size: 12px; line-height: 16.796875px;">You will need Oracle Java 1.7 installed on your client machines as well.</span><br />
<br style="background-color: white; font-family: Verdana, Arial, Helvetica, sans-serif; font-size: 12px; line-height: 16.796875px;" />
<span style="background-color: white; font-family: Verdana, Arial, Helvetica, sans-serif; font-size: 12px; line-height: 16.796875px;">After making sure Java is installed, download Armitage from </span><a class="externalLink" href="http://www.fastandeasyhacking.com/download" style="background-color: white; color: #0044bb; font-family: Verdana, Arial, Helvetica, sans-serif; font-size: 12px; line-height: 16.796875px;" target="_blank" title="External link to http://www.fastandeasyhacking.com/download">http://www.fastandeasyhacking.com/download</a><br />
<br style="background-color: white; font-family: Verdana, Arial, Helvetica, sans-serif; font-size: 12px; line-height: 16.796875px;" />
<pre style="background-color: #ffffcc; border: 1px solid rgb(255, 238, 136); font-size: 12px; line-height: 1.4em; margin-left: 0.5em; overflow: auto; padding: 0.5em;">java -jar armitage.jar
</pre>
<br style="background-color: white; font-family: Verdana, Arial, Helvetica, sans-serif; font-size: 12px; line-height: 16.796875px;" />
<span style="background-color: white; font-family: Verdana, Arial, Helvetica, sans-serif; font-size: 12px; line-height: 16.796875px;">We'll connect Armitage to the public DNS address with the username msf and the password we set with the teamserver script in Step 7.</span><br />
<img src="http://jameswebb.me/blog/images/cloudbased_pt_armitage_1.jpg" style="background-color: white; font-family: Verdana, Arial, Helvetica, sans-serif; font-size: 12px; line-height: 16.796875px;" /><br />
<br style="background-color: white; font-family: Verdana, Arial, Helvetica, sans-serif; font-size: 12px; line-height: 16.796875px;" />
<span style="background-color: white; font-family: Verdana, Arial, Helvetica, sans-serif; font-size: 12px; line-height: 16.796875px;">Make sure the server fingerprint shown in the dialog matches the one printed in the console output of the teamserver script. The certificate the teamserver generated is self-signed, so this manual comparison is the only thing protecting the SSL session (and the team password sent over it) from a man-in-the-middle. If the fingerprints differ, do not connect.</span><br />
<img src="http://jameswebb.me/blog/images/cloudbased_pt_armitage_2.jpg" style="background-color: white; font-family: Verdana, Arial, Helvetica, sans-serif; font-size: 12px; line-height: 16.796875px;" /><br />
<br style="background-color: white; font-family: Verdana, Arial, Helvetica, sans-serif; font-size: 12px; line-height: 16.796875px;" />
<img src="http://jameswebb.me/blog/images/cloudbased_pt_armitage_3.jpg" style="background-color: white; font-family: Verdana, Arial, Helvetica, sans-serif; font-size: 12px; line-height: 16.796875px;" /><br />
<br style="background-color: white; font-family: Verdana, Arial, Helvetica, sans-serif; font-size: 12px; line-height: 16.796875px;" />
<img src="http://jameswebb.me/blog/images/cloudbased_pt_armitage_4.jpg" style="background-color: white; font-family: Verdana, Arial, Helvetica, sans-serif; font-size: 12px; line-height: 16.796875px;" /><br />
<br style="background-color: white; font-family: Verdana, Arial, Helvetica, sans-serif; font-size: 12px; line-height: 16.796875px;" />
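The fingerprint comparison above is easy to skip when the dialog pops up, so here is a small script a team member can run from the workstation before clicking Connect. This is an added example, not code from the original post or from the Armitage project. It assumes, as the 40-hex-character string printed by teamserver suggests, that the fingerprint is the SHA-1 digest of the server's DER-encoded X.509 certificate (the same value openssl x509 -fingerprint -sha1 reports); the host, port and expected fingerprint are supplied by the caller, and the sample bytes used to exercise the PEM helpers offline are constructed, not a real certificate.

```python
"""Out-of-band check of an Armitage teamserver certificate fingerprint.

Added example; not part of the original post or of Armitage itself.
Assumption (labelled): the fingerprint teamserver prints is the SHA-1 of the
DER-encoded server certificate. Host, port and expected value come from the
caller.
"""
import base64
import hashlib
import hmac
import re
import ssl
import sys

# Constructed sample: arbitrary bytes standing in for a DER certificate so the
# PEM/DER helpers can be exercised offline. Not a real certificate.
SAMPLE_DER = b"constructed placeholder, not a real certificate"


def normalize_fingerprint(fp: str) -> str:
    """Accept 'AB:CD:..' (openssl style) or 'abcd..' (teamserver style) and
    return 40 lowercase hex digits; reject anything that is not SHA-1 sized."""
    cleaned = re.sub(r"[^0-9a-fA-F]", "", fp).lower()
    if len(cleaned) != 40:
        raise ValueError("expected a 40-hex-digit SHA-1 fingerprint, got %r" % fp)
    return cleaned


def build_pem(der: bytes) -> str:
    """Wrap DER bytes in PEM armor with 64-character base64 lines."""
    b64 = base64.b64encode(der).decode("ascii")
    body = "\n".join(b64[i:i + 64] for i in range(0, len(b64), 64))
    return "-----BEGIN CERTIFICATE-----\n%s\n-----END CERTIFICATE-----\n" % body


def pem_to_der(pem: str) -> bytes:
    """Strip the PEM armor and base64-decode the certificate body."""
    m = re.search(r"-----BEGIN CERTIFICATE-----(.*?)-----END CERTIFICATE-----", pem, re.S)
    if not m:
        raise ValueError("no CERTIFICATE block found in PEM data")
    return base64.b64decode("".join(m.group(1).split()))


def sha1_fingerprint(der: bytes) -> str:
    """SHA-1 of the DER encoding as lowercase hex, the way teamserver prints it."""
    return hashlib.sha1(der).hexdigest()


def fingerprint_matches(presented: str, expected: str) -> bool:
    """Constant-time comparison after normalising both spellings."""
    return hmac.compare_digest(normalize_fingerprint(presented),
                               normalize_fingerprint(expected))


def fetch_server_fingerprint(host: str, port: int = 55553) -> str:
    """TLS handshake with the teamserver; fingerprint whatever certificate it
    presents. No chain validation is possible (the certificate is self-signed),
    which is exactly why the fingerprint has to be checked by hand."""
    pem = ssl.get_server_certificate((host, port))
    return sha1_fingerprint(pem_to_der(pem))


def check_teamserver(host: str, expected: str, port: int = 55553) -> str:
    """Return the presented fingerprint if it matches the expected one, else raise."""
    presented = fetch_server_fingerprint(host, port)
    if not fingerprint_matches(presented, expected):
        raise RuntimeError("FINGERPRINT MISMATCH for %s:%d (got %s, expected %s): do not connect"
                           % (host, port, presented, expected))
    return presented


if __name__ == "__main__":
    if len(sys.argv) != 3:
        sys.exit("usage: %s <teamserver-host> <fingerprint-from-teamserver-console>" % sys.argv[0])
    print("fingerprint OK:", check_teamserver(sys.argv[1], sys.argv[2]))
```

Run it as python3 check_fp.py ec2-example.compute-1.amazonaws.com 910c7589f0253a4997dbd4d1198ed76e46b91836, pasting the hostname and fingerprint the teamserver console printed in Step 7 (sent to the team over a channel other than the one the connection itself uses). A mismatch means someone else is terminating TLS between you and the instance, and the right response is to stop and investigate rather than to click through.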
<span style="background-color: white; font-family: Verdana, Arial, Helvetica, sans-serif; font-size: 12px; line-height: 16.796875px;">Now that team members are connected the fun can begin....but see last step/note below.</span><br />
<br style="background-color: white; font-family: Verdana, Arial, Helvetica, sans-serif; font-size: 12px; line-height: 16.796875px;" />
<h3 style="background-color: white; border-bottom-color: rgb(204, 204, 204); border-bottom-style: solid; border-bottom-width: 1px; color: #884411; font-family: Verdana, Arial, Helvetica, sans-serif; font-size: 1.1em; line-height: 16.796875px; margin-bottom: 0.3em; margin-top: 1.2em; padding-bottom: 1px;">
Step 9. Obtaining Authorization For Penetration Testing Use.</h3>
<span style="background-color: white; font-family: Verdana, Arial, Helvetica, sans-serif; font-size: 12px; line-height: 16.796875px;">Amazon detects and throttles certain assessment activities, such as port scans, originating from EC2. To lift these restrictions and avoid the abuse notices that would otherwise follow, Amazon requires you to obtain formal authorization before using your instance as a security testing platform. This is handled by visiting the following page and submitting the linked request form (check the current version of that page, since AWS now lists services that may be tested without prior approval):</span><br />
<a class="externalLink" href="http://aws.amazon.com/security/penetration-testing/" style="background-color: white; color: #0044bb; font-family: Verdana, Arial, Helvetica, sans-serif; font-size: 12px; line-height: 16.796875px;" target="_blank" title="External link to http://aws.amazon.com/security/penetration-testing/">http://aws.amazon.com/security/penetration-testing/</a>Unknownnoreply@blogger.com2tag:blogger.com,1999:blog-114124230733856093.post-9116498619173377822012-07-23T08:36:00.000-07:002013-04-30T12:07:13.748-07:00InfoSec Job Postings - What Are Employers Telling Us?<span style="font-family: Verdana, Arial, Helvetica, sans-serif; font-size: 12px; line-height: 1.4em;">The inimitable </span><a class="externalLink" href="http://krebsonsecurity.com/about/" style="color: #0044bb; font-family: Verdana, Arial, Helvetica, sans-serif; font-size: 12px; line-height: 1.4em;" target="_blank" title="External link to http://krebsonsecurity.com/about/">Brian Krebs</a><span style="font-family: Verdana, Arial, Helvetica, sans-serif; font-size: 12px; line-height: 1.4em;"> has a series of interesting blog posts where he's interviewed several IS luminaries about "breaking into" Infosec fields. The advice in these articles is great and ranges from the technical to the somewhat philosophical (I especially like Schneier's prescription of - STUDY, DO, SHOW). You can check it out here:</span><br />
<div class="viewer" style="font-family: Verdana, Arial, Helvetica, sans-serif; font-size: 12px; line-height: 1.4em; padding-top: 0.5em;">
<a class="externalLink" href="http://krebsonsecurity.com/category/how-to-break-into-security/" style="color: #0044bb;" target="_blank" title="External link to http://krebsonsecurity.com/category/how-to-break-into-security/">http://krebsonsecurity.com/category/how-to-break-into-security/</a><br />
<br />
In addition to this excellent advice, we can also learn a great deal from IS employers via the job postings they publish AND the <strong>aggregate data indicators</strong> these postings contain concerning the knowledge, skills, certifications, and aptitudes sought for various roles. To get this viewpoint, I've compiled data from over 150 IS job postings (US only), looking at the weighted repetition of categorical qualifications for several popular InfoSec roles <strong>(see interactive charts below)</strong>. Beyond satisfying my own unhealthy compulsion to quantify things, there were some interesting takeaways.<br />
<h3 style="border-bottom-color: rgb(204, 204, 204); border-bottom-style: solid; border-bottom-width: 1px; color: #884411; font-size: 1.1em; margin-bottom: 0.3em; margin-top: 1.2em; padding-bottom: 1px;">
Analyzing the Data: Observations and Findings</h3>
<h4 style="color: #884411; font-size: 1em; margin-top: 1em;">
#1: Communication Is <u>Critical</u> (aka Try To Act Normal)</h4>
While communication skills are cited as desirable in professional postings of every kind, for InfoSec positions this holds without exception. The collected data shows that<br />
the ability to write and speak clearly to non-technical audiences about IS issues is a <u>critical</u> skill for almost every job role. I'm sure several readers have experienced the <a class="externalLink" href="http://risensources.com/wp-content/uploads/2011/06/weird-beard.jpg" style="color: #0044bb;" target="_blank" title="External link to http://risensources.com/wp-content/uploads/2011/06/weird-beard.jpg">reality warp</a><br />
that comes with wrestling with technically complex issues, engagements, or investigations for prolonged periods. While it may not be fair, employers expect and value that even if you<br />
have been huffing packet dumps and subsisting on <a class="externalLink" href="http://www.amazon.com/Glico-Biscuit-Sticks-Chocolate-2-82-Ounce/dp/B000HQPJ4Y" style="color: #0044bb;" target="_blank" title="External link to http://www.amazon.com/Glico-Biscuit-Sticks-Chocolate-2-82-Ounce/dp/B000HQPJ4Y">pocky sticks</a> and energy drinks for a week, you can still speak "human" to your customers and to senior leadership. Go figure...<br />
<h4 style="color: #884411; font-size: 1em; margin-top: 1em;">
#2: Education Is Important <u>AND</u> Work Experience Is Essential</h4>
Almost all of the Information Security positions list a Bachelor's degree as a minimum requirement for eligibility, but beyond this the lion's share of your value to potential employers hinges on the<br />
years of relevant experience you've had in some role within IS. The clear message here is that employers desire educated IS professionals with real world experience. You shouldn't expect to<br />
come right out of school and get a job unless you have professional experience and achievements that clearly demonstrate your proficiencies.<br />
For this reason, internships are a highly recommended way for students to couple education with "in the trenches" IS challenges.<br />
<h4 style="color: #884411; font-size: 1em; margin-top: 1em;">
#3: CISSP UBER ALLES</h4>
I'm going to avoid the "<a class="externalLink" href="http://www.veracode.com/blog/2008/04/not-a-cissp/" style="color: #0044bb;" target="_blank" title="External link to http://www.veracode.com/blog/2008/04/not-a-cissp/">CISSP certification debate</a>" here. For better or worse, the findings of this review reinforce that CISSP is clearly the de facto IS certification regarded by employers as<br />
offering professional "bona fides". It's obvious that having this certification can open doors in several IS job roles that otherwise might be closed by HR resume bots. One of the reasons for such<br />
universal regard for the CISSP is that you must have at least 5 years of working experience in IS roles (or equivalent education, certification, + experience) to <a class="externalLink" href="https://www.isc2.org/cissp/default.aspx" style="color: #0044bb;" target="_blank" title="External link to https://www.isc2.org/cissp/default.aspx">qualify to take the exam</a> (experience again).<br />
If you already meet the eligibility requirements to sit for the CISSP, it's pretty clear that there are substantial hiring benefits to taking the time to earn this credential.<br />
<h4 style="color: #884411; font-size: 1em; margin-top: 1em;">
#4: Programming Isn't Just For Programmers</h4>
Another finding lurking in the aggregate data is that employers clearly value and place emphasis on Information Security Professionals who can offer scripting and programming experience. One<br />
reason for this importance may be the growing critical role of AppSec for many organizations. Having security professionals on staff who can speak "apples to apples" with developers presents<br />
considerable value towards not only identifying risks/problems but also participating in the fix.<br />
<h4 style="color: #884411; font-size: 1em; margin-top: 1em;">
#5: Security Clearance Gateway</h4>
The large demand for high-quality security services within the federal sphere is driving up the value of professionals who hold Top Secret or higher clearances. Obtaining such a clearance typically<br />
involves an extensive background investigation that can take several months. As a result, candidates who already hold the necessary clearance are very valuable to employers who serve federal customers.<br />
<h3 style="border-bottom-color: rgb(204, 204, 204); border-bottom-style: solid; border-bottom-width: 1px; color: #884411; font-size: 1.1em; margin-bottom: 0.3em; margin-top: 1.2em; padding-bottom: 1px;">
Conclusion</h3>
If you are considering a career in Information Security, then it helps to realize that the field is very specialized and the total body of knowledge represented by the varied job roles is greater than any<br />
one person can master in a lifetime. Therefore there is real value in focusing your efforts on those skills, knowledge, and aptitudes that give you the greatest flexibility, opportunities,<br />
and satisfaction. Also remember that the <a class="externalLink" href="http://www.amazon.com/Typewriter-Repair-Manual-Howard-Hutchison/dp/0830613366" style="color: #0044bb;" target="_blank" title="External link to http://www.amazon.com/Typewriter-Repair-Manual-Howard-Hutchison/dp/0830613366">skills of yesterday</a> may not be the skills of tomorrow. You need to integrate continual learning into your daily habits.<br />
<a class="externalLink" href="http://goo.gl/Yw9Ri" style="color: #0044bb;" target="_blank" title="External link to http://goo.gl/Yw9Ri">Learn something new</a> within your field everyday!<br />
<div class="separator" style="clear: both; text-align: center;">
<script src="//ajax.googleapis.com/ajax/static/modules/gviz/1.0/chart.js" type="text/javascript"> {"dataSourceUrl":"//docs.google.com/spreadsheet/tq?key=0Ahi9naEYPVPIdHNpS2loZ2NTOEN1NUE4NVM4RVVUTmc&transpose=0&headers=0&range=A2%3AB205&gid=3&pub=1","options":{"vAxes":[{"useFormatFromData":true,"viewWindowMode":"pretty","viewWindow":{}},{"useFormatFromData":true,"viewWindowMode":"pretty","viewWindow":{}}],"titleTextStyle":{"bold":true,"color":"#000000","fontSize":"20"},"pieHole":0.5,"booleanRole":"certainty","title":"Security Analyst","legendTextStyle":{"color":"#222","fontSize":"10"},"animation":{"duration":0},"colors":["#3366CC","#DC3912","#FF9900","#109618","#990099","#0099C6","#DD4477","#66AA00","#B82E2E","#316395","#994499","#22AA99","#AAAA11","#6633CC","#E67300","#8B0707","#651067","#329262","#5574A6","#3B3EAC","#B77322","#16D620","#B91383","#F4359E","#9C5935","#A9C413","#2A778D","#668D1C","#BEA413","#0C5922","#743411"],"is3D":false,"pieSliceText":"none","hAxis":{"useFormatFromData":true,"viewWindowMode":"pretty","viewWindow":{}},"pieSliceTextStyle":{"fontSize":"7"},"width":548,"height":389},"state":{},"isDefaultVisualization":true,"chartType":"PieChart","chartName":"Chart 2"} </script>
<script src="//ajax.googleapis.com/ajax/static/modules/gviz/1.0/chart.js" type="text/javascript"> {"dataSourceUrl":"//docs.google.com/spreadsheet/tq?key=0Ahi9naEYPVPIdHNpS2loZ2NTOEN1NUE4NVM4RVVUTmc&transpose=0&headers=1&range=A1%3AB239&gid=7&pub=1","options":{"titleTextStyle":{"bold":true,"color":"#000","fontSize":"20"},"vAxes":[{"useFormatFromData":true,"viewWindowMode":"pretty","viewWindow":{}},{"useFormatFromData":true,"viewWindowMode":"pretty","viewWindow":{}}],"pieHole":0.5,"title":"Forensic Analyst","booleanRole":"certainty","legendTextStyle":{"color":"#222","fontSize":"10"},"animation":{"duration":0},"colors":["#3366CC","#DC3912","#FF9900","#109618","#990099","#0099C6","#DD4477","#66AA00","#B82E2E","#316395","#994499","#22AA99","#AAAA11","#6633CC","#E67300","#8B0707","#651067","#329262","#5574A6","#3B3EAC","#B77322","#16D620","#B91383","#F4359E","#9C5935","#A9C413","#2A778D","#668D1C","#BEA413","#0C5922","#743411"],"is3D":false,"pieSliceText":"none","hAxis":{"useFormatFromData":true,"viewWindowMode":"pretty","viewWindow":{}},"width":548,"height":389},"state":{},"isDefaultVisualization":true,"chartType":"PieChart","chartName":"Chart 3"} </script>
<script src="//ajax.googleapis.com/ajax/static/modules/gviz/1.0/chart.js" type="text/javascript"> {"dataSourceUrl":"//docs.google.com/spreadsheet/tq?key=0Ahi9naEYPVPIdHNpS2loZ2NTOEN1NUE4NVM4RVVUTmc&transpose=0&headers=0&range=A2%3AB106&gid=0&pub=1","options":{"titleTextStyle":{"bold":true,"color":"#000000","fontSize":"20"},"legendTextStyle":{"color":"#222","fontSize":"10"},"animation":{"duration":0},"backgroundColor":"#ffffff","colors":["#3366CC","#DC3912","#FF9900","#109618","#990099","#0099C6","#DD4477","#66AA00","#B82E2E","#316395","#994499","#22AA99","#AAAA11","#6633CC","#E67300","#8B0707","#651067","#329262","#5574A6","#3B3EAC","#B77322","#16D620","#B91383","#F4359E","#9C5935","#A9C413","#2A778D","#668D1C","#BEA413","#0C5922","#743411"],"width":548,"is3D":false,"pieSliceText":"label","hAxis":{"useFormatFromData":true,"viewWindowMode":"pretty","viewWindow":{}},"vAxes":[{"useFormatFromData":true,"viewWindowMode":"pretty","viewWindow":{}},{"useFormatFromData":true,"viewWindowMode":"pretty","viewWindow":{}}],"pieHole":0.5,"title":"Security Researcher ","booleanRole":"certainty","height":389,"legend":"right"},"state":{},"isDefaultVisualization":true,"chartType":"PieChart","chartName":"Chart 1"} </script>
<script src="//ajax.googleapis.com/ajax/static/modules/gviz/1.0/chart.js" type="text/javascript"> {"dataSourceUrl":"//docs.google.com/spreadsheet/tq?key=0Ahi9naEYPVPIdHNpS2loZ2NTOEN1NUE4NVM4RVVUTmc&transpose=0&headers=1&range=A1%3AB248&gid=5&pub=1","options":{"titleTextStyle":{"bold":true,"color":"#000000","fontSize":"20"},"legendTextStyle":{"color":"#222","fontSize":"10"},"animation":{"duration":0},"colors":["#3366CC","#DC3912","#FF9900","#109618","#990099","#0099C6","#DD4477","#66AA00","#B82E2E","#316395","#994499","#22AA99","#AAAA11","#6633CC","#E67300","#8B0707","#651067","#329262","#5574A6","#3B3EAC","#B77322","#16D620","#B91383","#F4359E","#9C5935","#A9C413","#2A778D","#668D1C","#BEA413","#0C5922","#743411"],"is3D":false,"pieSliceText":"none","hAxis":{"useFormatFromData":true,"viewWindowMode":"pretty","viewWindow":{}},"vAxes":[{"useFormatFromData":true,"viewWindowMode":"pretty","viewWindow":{}},{"useFormatFromData":true,"viewWindowMode":"pretty","viewWindow":{}}],"pieHole":0.5,"pieSliceBorderColor":"#ffffff","title":"Penetration Tester","booleanRole":"certainty","legend":"right","pieSliceTextStyle":{"fontSize":"10"},"width":548,"height":389},"state":{},"isDefaultVisualization":true,"chartType":"PieChart","chartName":"Chart 3"} </script>
<script src="//ajax.googleapis.com/ajax/static/modules/gviz/1.0/chart.js" type="text/javascript"> {"dataSourceUrl":"//docs.google.com/spreadsheet/tq?key=0Ahi9naEYPVPIdHNpS2loZ2NTOEN1NUE4NVM4RVVUTmc&transpose=0&headers=0&range=A1%3AB286&gid=8&pub=1","options":{"titleTextStyle":{"bold":true,"color":"#000","fontSize":"20"},"legendTextStyle":{"color":"#000000","fontSize":"10"},"animation":{"duration":0},"backgroundColor":"#ffffff","colors":["#3366CC","#DC3912","#FF9900","#109618","#990099","#0099C6","#DD4477","#66AA00","#B82E2E","#316395","#994499","#22AA99","#AAAA11","#6633CC","#E67300","#8B0707","#651067","#329262","#5574A6","#3B3EAC","#B77322","#16D620","#B91383","#F4359E","#9C5935","#A9C413","#2A778D","#668D1C","#BEA413","#0C5922","#743411"],"is3D":false,"pieSliceText":"none","hAxis":{"useFormatFromData":true,"viewWindowMode":"pretty","viewWindow":{}},"vAxes":[{"useFormatFromData":true,"viewWindowMode":"pretty","viewWindow":{}},{"useFormatFromData":true,"viewWindowMode":"pretty","viewWindow":{}}],"pieHole":"0.5","title":"Information Security Officer","booleanRole":"certainty","pieSliceBorderColor":"#073763","width":548,"height":389},"state":{},"isDefaultVisualization":true,"chartType":"PieChart","chartName":"Chart 4"} </script>
</div>
</div>
Unknownnoreply@blogger.com0tag:blogger.com,1999:blog-114124230733856093.post-61088924558990543032012-07-10T12:02:00.000-07:002013-04-30T12:06:25.810-07:00Portable Encrypted Storage <br />
<div class="viewer" style="font-family: Verdana, Arial, Helvetica, sans-serif; font-size: 12px; line-height: 1.4em; padding-top: 0.5em;">
<br />
<img align="right" src="http://t3.gstatic.com/images?q=tbn:ANd9GcT8zRz612y6PtmAqd6jgEe1z5aLlESHtZp_xzB-jCDTQ63OpJ7U" />Native Android encryption presents some limitations when you want to exchange data with your PC easily and securely.<br />
However, using <a class="externalLink" href="http://www.truecrypt.org/" style="color: #0044bb;" target="_blank" title="External link to http://www.truecrypt.org/">TrueCrypt</a> you can easily set up most Android smartphones to act as encrypted mobile storage devices.<br />
Why bother with easy-to-lose and rarely encrypted USB flash drives when you always have your smartphone with you?<br />
<br />
<u>What You Will Need</u><br />
Personal Computer. (Windows, Linux, OSX, BSD ..doesn't matter)<br />
Android smartphone or mobile device that accepts MicroSD storage and has a USB connector.<br />
A decently sized MicroSD storage card (the larger the better).<br />
<a class="externalLink" href="http://www.truecrypt.org/downloads/" style="color: #0044bb;" target="_blank" title="External link to http://www.truecrypt.org/downloads/">TrueCrypt Software</a><br />
Some basic knowledge of setting up partitions on <a class="externalLink" href="http://windows.microsoft.com/en-us/windows-vista/Create-and-format-a-hard-disk-partition" style="color: #0044bb;" target="_blank" title="External link to http://windows.microsoft.com/en-us/windows-vista/Create-and-format-a-hard-disk-partition">Windows</a>, <a class="externalLink" href="http://tldp.org/HOWTO/Partition/fdisk_partitioning.html" style="color: #0044bb;" target="_blank" title="External link to http://tldp.org/HOWTO/Partition/fdisk_partitioning.html">Linux</a>, <a class="externalLink" href="http://support.apple.com/kb/PH3914" style="color: #0044bb;" target="_blank" title="External link to http://support.apple.com/kb/PH3914">OSX</a>, or BSD.<br />
<br />
<u>Step #1 - Backup Your Data!</u><br />
If you have any data that you don't want to risk losing, back it up off your mobile device's MicroSD card first; the next step destroys everything on it.<br />
If this data is protected with native Android encryption you will first need to decrypt it so the backup is readable.<br />
<br />
<u>Step #2 - Wipe The MicroSD Partition Table</u><br />
Connect your mobile device via USB to your computer (with the card exposed as USB mass storage, so it shows up as a block device) and fire up your favorite partitioning tool.<br />
Using this tool, first remove all partitions from the storage device that represents the MicroSD card within the phone. Double-check the device name and size before deleting anything; picking your PC's own disk here is unrecoverable.<br />
<br />
<u>Step #3 - Set Up partition for your Android Device</u><br />
Next, we'll want to set up a partition that the mobile device can use.<br />
You want to size this partition to be enough for basic use but also leave enough remaining space on the storage media for your encrypted storage needs.<br />
Since I have a 32GB MicroSD card, I have chosen to slice off 8GB for my phone.<br />
This first partition needs to be formatted as FAT (FAT32) to ensure compatibility with your Android device.<br />
<br />
<u>Step #4 - Set Up partition for encrypted Truecrypt volume</u><br />
Now add a second partition that covers the remaining space on your storage media.<br />
<br />
After you've done this your partition layout should look something like this:<br />
<br />
<img src="http://jameswebb.me/blog/images/smartphone_portable_encrypted_storage_1.jpg" height="235" width="400" /><br />
<br />
<u>Step #5 </u><br />
With your new partition table in place, you can now fire up TrueCrypt to use the second partition as an encrypted volume.<br />
<br />
Select <strong>Create a volume within a partition/drive.</strong><br />
<img src="http://jameswebb.me/blog/images/smartphone_portable_encrypted_storage_2.jpg" /><br />
<br />
Make sure to select the second partition that you created on your Android internal storage media.<br />
<strong>Make a mistake here and you can wipe your data. Be careful!</strong><br />
<img src="http://jameswebb.me/blog/images/smartphone_portable_encrypted_storage_3.jpg" height="90" width="400" /><br />
<br />
Follow the prompts to set a passphrase and choose the encryption and hash algorithms for your encrypted volume.<br />
<strong>Note: Make sure that your passphrase is strong! It is the only thing protecting the data if the phone is lost.</strong><br />
After TrueCrypt has finished setting up the encrypted volume on your partition you will be able to access it.<br />
Simply select the appropriate encrypted device partition (sdd2 in this example) and input your passphrase to mount the drive on your PC.<br />
<img src="http://jameswebb.me/blog/images/smartphone_portable_encrypted_storage_6.jpg" /><br />
<br />
<img src="http://jameswebb.me/blog/images/smartphone_portable_encrypted_storage_7.jpg" /><br />
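The same procedure (Steps 2 through 5) as a script, added here as an example rather than taken from the original post. It runs on a Linux host with util-linux 2.26 or later (sfdisk, partprobe), dosfstools (mkfs.vfat) and the TrueCrypt 7.x text-mode CLI on the PATH, as root; the VeraCrypt CLI accepts the same options if you use the maintained successor. The device name /dev/sdd, the 8G size of the phone partition, the volume label and the mount point /mnt/secret are assumptions to adjust. The point of the script is the guard in device_is_safe: it refuses to write to anything that is not a whole disk the kernel flags as removable, or that still has a mounted partition, which is the "make a mistake here and you can wipe your data" failure mode from the post. Nothing is written unless you pass --confirm.<br />

```shell
#!/bin/sh
# Added example, not from the original post. Assumes a Linux host run as root with
# sfdisk/partprobe (util-linux >= 2.26), mkfs.vfat and the TrueCrypt 7.x CLI.
# /dev/sdd, the 8G phone partition and /mnt/secret are assumed values.

SYSFS_ROOT="${SYSFS_ROOT:-/sys}"   # overridable so the guard can be exercised against a fake sysfs

# Emit an sfdisk(8) script for the layout described in the post:
#   partition 1: FAT32 (MBR type 0c) sized for the phone's own use
#   partition 2: the rest of the card (type 83), left raw for the TrueCrypt volume
sfdisk_layout() {
    printf 'label: dos\n'
    printf 'size=%s, type=c\n' "$1"
    printf 'type=83\n'
}

# Guard against partitioning the wrong disk: only a whole-disk device that the
# kernel flags as removable, with none of its partitions mounted, passes.
device_is_safe() {
    dev="$1"
    name="${dev#/dev/}"
    flag="$SYSFS_ROOT/block/$name/removable"
    if [ ! -r "$flag" ]; then
        echo "refusing $dev: not a whole-disk block device (no $flag)" >&2
        return 1
    fi
    if [ "$(cat "$flag")" != 1 ]; then
        echo "refusing $dev: kernel does not flag it as removable (system disk?)" >&2
        return 1
    fi
    if [ -r /proc/mounts ] && grep -q "^$dev" /proc/mounts; then
        echo "refusing $dev: it still has mounted partitions, unmount them first" >&2
        return 1
    fi
    return 0
}

# Dry run by default: prints the plan. Pass --confirm as the third argument to write it.
provision_card() {
    dev="$1"; phone_size="$2"; confirm="$3"
    device_is_safe "$dev" || return 1
    if [ "$confirm" != "--confirm" ]; then
        echo "dry run: layout that would be written to $dev"
        sfdisk_layout "$phone_size"
        return 0
    fi
    sfdisk_layout "$phone_size" | sfdisk "$dev"      # Steps 2-4: fresh table, two partitions
    partprobe "$dev"
    mkfs.vfat -F 32 -n ANDROID "${dev}1"               # Step 3: FAT32 for the phone
    # Step 5: TrueCrypt volume spanning the second partition. The passphrase is
    # prompted for interactively rather than passed as --password, so it stays out
    # of shell history and process listings.
    truecrypt --text --create "${dev}2" --volume-type=normal \
        --encryption=AES --hash=SHA-512 --filesystem=FAT \
        --keyfiles= --random-source=/dev/urandom
}

# Mount and dismount the encrypted partition on the PC (the post's sdd2 step).
mount_secret()   { truecrypt --text --mount "${1}2" "${2:-/mnt/secret}" --keyfiles= --protect-hidden=no; }
dismount_secret() { truecrypt --text --dismount "${1}2"; }

# Uncomment to run against a real card:
# provision_card /dev/sdd 8G            # dry run, prints the plan
# provision_card /dev/sdd 8G --confirm  # destructive
# mount_secret /dev/sdd /mnt/secret
```

Run the dry run first and compare the printed layout with what your partitioning tool shows for the card; if device_is_safe refuses, fix the cause (wrong device name, still-mounted partition) rather than bypassing the check.<br />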
Voila! You now have convenient portable encrypted storage that goes where you go.</div>
Unknownnoreply@blogger.com0tag:blogger.com,1999:blog-114124230733856093.post-38791994353130726442012-06-29T12:09:00.000-07:002014-01-25T18:39:51.663-08:00Free InfoSec Training Resources<br />
<div class="viewer" style="font-family: Verdana, Arial, Helvetica, sans-serif; font-size: 12px; line-height: 1.4em; padding-top: 0.5em;">
<br />
<img align="right" src="https://encrypted-tbn3.google.com/images?q=tbn:ANd9GcQ2PqP_vpMuLs0GMA2BOSLP6d--ldTLCg4BsyvXZrZYKGIx30dAdw" /><br />
<span style="background-color: white;"><span style="font-size: small; line-height: normal;">Whether you are a seasoned professional or someone just getting started in Information Security, there has probably never been a better time to develop or hone your skills for little or no expense. This is thanks to the many free online resources like <a class="externalLink" href="http://en.wikipedia.org/wiki/Open_courseware" style="color: #0044bb;" target="_blank" title="External link to http://en.wikipedia.org/wiki/Open_courseware">OpenCourseware</a> and instructional videos that have been released in recent years.</span></span><br />
<span style="background-color: white;"><span style="font-size: small; line-height: normal;"><br /></span></span>
<span style="background-color: white;"><span style="font-size: small; line-height: normal;">The list below represents materials that I've either used or have stumbled upon.</span><br style="font-size: medium; line-height: normal;" /><span style="font-size: small; line-height: normal;"><br /></span></span><br />
<span style="background-color: white;"><span style="font-size: small; line-height: normal;">I do update this list periodically, so feel free to let me know if you spot a good training resource.</span></span><br />
<span style="background-color: white;"><br style="font-size: medium; line-height: normal;" /><br style="font-size: medium; line-height: normal;" /><span style="font-size: small; line-height: normal;">Now go learn something!</span></span><br />
<h2 style="border-bottom-color: rgb(204, 204, 204); border-bottom-style: solid; border-bottom-width: 1px; color: #884411; font-size: 1.25em; margin-bottom: 0.3em; margin-top: 1.2em; padding-bottom: 1px;">
Full Courses / Lecture Videos</h2>
<table class="twtable" style="border-collapse: collapse; border: 2px solid rgb(102, 102, 102); margin: 0.8em 1em;"><thead>
<tr class="evenRow" style="border: 1px solid rgb(102, 102, 102); padding: 3px;"><td align="center" style="background-color: #2b7ea6; background-position: initial initial; background-repeat: initial initial; border: 1px solid rgb(102, 102, 102); color: white; padding: 3px;">Subject Matter</td><td align="center" style="background-color: #2b7ea6; background-position: initial initial; background-repeat: initial initial; border: 1px solid rgb(102, 102, 102); color: white; padding: 3px;">Title of Material</td><td align="center" style="background-color: #2b7ea6; background-position: initial initial; background-repeat: initial initial; border: 1px solid rgb(102, 102, 102); color: white; padding: 3px;">Comment</td></tr>
</thead><tbody>
<tr class="oddRow" style="border: 1px solid rgb(102, 102, 102); padding: 3px;"><td align="center" style="border: 1px solid rgb(102, 102, 102); padding: 3px;">Certification - Security+</td><td align="center" style="border: 1px solid rgb(102, 102, 102); padding: 3px;"><a class="externalLink" href="http://www.professormesser.com/free-comptia-security-training/security-plus-videos/" style="color: #0044bb;" target="_blank" title="External link to http://www.professormesser.com/free-comptia-security-training/security-plus-videos/">ProfessorMesser's Free Security+ Training Course</a></td><td align="center" style="border: 1px solid rgb(102, 102, 102); padding: 3px;">Covers the broad Security+ topic areas at a high level.</td></tr>
<tr class="evenRow" style="border: 1px solid rgb(102, 102, 102); padding: 3px;"><td align="center" style="border: 1px solid rgb(102, 102, 102); padding: 3px;">Cryptography</td><td align="center" style="border: 1px solid rgb(102, 102, 102); padding: 3px;"><a class="externalLink" href="http://www.udacity.com/overview/Course/cs387" style="color: #0044bb;" target="_blank" title="External link to http://www.udacity.com/overview/Course/cs387">Udacity: Applied Cryptography</a></td><td align="center" style="border: 1px solid rgb(102, 102, 102); padding: 3px;">Advanced course on the math behind modern cryptographic systems.</td></tr>
<tr class="oddRow" style="border: 1px solid rgb(102, 102, 102); padding: 3px;"><td align="center" style="border: 1px solid rgb(102, 102, 102); padding: 3px;">Exploit Research</td><td align="center" style="border: 1px solid rgb(102, 102, 102); padding: 3px;"><a class="externalLink" href="http://www.securitytube.net/groups?operation=view&groupId=7" style="color: #0044bb;" target="_blank" title="External link to http://www.securitytube.net/groups?operation=view&groupId=7">Security Tube: Exploit Research Megaprimer</a></td><td align="center" style="border: 1px solid rgb(102, 102, 102); padding: 3px;">Delves into some fundamental software vulnerabilities and attack methods.</td></tr>
<tr class="evenRow" style="border: 1px solid rgb(102, 102, 102); padding: 3px;"><td align="center" style="border: 1px solid rgb(102, 102, 102); padding: 3px;">Forensics</td><td align="center" style="border: 1px solid rgb(102, 102, 102); padding: 3px;"><a class="externalLink" href="http://www.writeblocked.org/index.php/dfironline.html" style="color: #0044bb;" target="_blank" title="External link to http://www.writeblocked.org/index.php/dfironline.html">Write Blocked: DFIROnline</a></td><td align="center" style="border: 1px solid rgb(102, 102, 102); padding: 3px;">Video archive of monthly online meeting of digital forensic and incident response professionals.</td></tr>
<tr class="oddRow" style="border: 1px solid rgb(102, 102, 102); padding: 3px;"><td align="center" style="border: 1px solid rgb(102, 102, 102); padding: 3px;">Intrusion Detection</td><td align="center" style="border: 1px solid rgb(102, 102, 102); padding: 3px;"><a class="externalLink" href="http://iase.disa.mil/eta/ids/launchPage.htm" style="color: #0044bb;" target="_blank" title="External link to http://iase.disa.mil/eta/ids/launchPage.htm">DOD - IDS Analysis (Pt1)</a></td><td align="center" style="border: 1px solid rgb(102, 102, 102); padding: 3px;">Introduction to IDS, alerts, and false positives.</td></tr>
<tr class="evenRow" style="border: 1px solid rgb(102, 102, 102); padding: 3px;"><td align="center" style="border: 1px solid rgb(102, 102, 102); padding: 3px;">Intrusion Detection</td><td align="center" style="border: 1px solid rgb(102, 102, 102); padding: 3px;"><a class="externalLink" href="http://iase.disa.mil/eta/ids-part2/ids_part2/launchpage.htm" style="color: #0044bb;" target="_blank" title="External link to http://iase.disa.mil/eta/ids-part2/ids_part2/launchpage.htm">DOD - IDS Analysis (Pt2)</a></td><td align="center" style="border: 1px solid rgb(102, 102, 102); padding: 3px;">Lessons on Packet Sniffing, Client Side Attacks, Botnets, and Traffic Analysis.</td></tr>
<tr class="oddRow" style="border: 1px solid rgb(102, 102, 102); padding: 3px;"><td align="center" style="border: 1px solid rgb(102, 102, 102); padding: 3px;">Penetration Testing</td><td align="center" style="border: 1px solid rgb(102, 102, 102); padding: 3px;"><a class="externalLink" href="http://pentest.cryptocity.net/" style="color: #0044bb;" target="_blank" title="External link to http://pentest.cryptocity.net/">Dan Guido: Penetration Testing and Vulnerability Analysis</a></td><td align="center" style="border: 1px solid rgb(102, 102, 102); padding: 3px;">Amazing lectures and materials by leaders in AppSec and vulnerability research.</td></tr>
<tr class="evenRow" style="border: 1px solid rgb(102, 102, 102); padding: 3px;"><td align="center" style="border: 1px solid rgb(102, 102, 102); padding: 3px;">Penetration Testing</td><td align="center" style="border: 1px solid rgb(102, 102, 102); padding: 3px;"><a class="externalLink" href="http://www.securitytube.net/groups?operation=view&groupId=10" style="color: #0044bb;" target="_blank" title="External link to http://www.securitytube.net/groups?operation=view&groupId=10 ">SecurityTube: Metasploit Framework Expert Course Material</a></td><td align="left" style="border: 1px solid rgb(102, 102, 102); padding: 3px;">Overview of Metasploit Framework as well as info on researching and integrating new attacks into MSF.</td></tr>
<tr class="oddRow" style="border: 1px solid rgb(102, 102, 102); padding: 3px;"><td align="center" style="border: 1px solid rgb(102, 102, 102); padding: 3px;">Programming</td><td align="center" style="border: 1px solid rgb(102, 102, 102); padding: 3px;"><a class="externalLink" href="http://ocw.mit.edu/courses/electrical-engineering-and-computer-science/6-00-introduction-to-computer-science-and-programming-fall-2008/video-lectures/" style="color: #0044bb;" target="_blank" title="External link to http://ocw.mit.edu/courses/electrical-engineering-and-computer-science/6-00-introduction-to-computer-science-and-programming-fall-2008/video-lectures/">MIT: Introduction to Computer Science and Programming</a></td><td align="center" style="border: 1px solid rgb(102, 102, 102); padding: 3px;">Good intro into fundamental CS concepts and coding in Python.</td></tr>
<tr class="evenRow" style="border: 1px solid rgb(102, 102, 102); padding: 3px;"><td align="center" style="border: 1px solid rgb(102, 102, 102); padding: 3px;">Programming</td><td align="center" style="border: 1px solid rgb(102, 102, 102); padding: 3px;"><a class="externalLink" href="http://www.securitytube.net/groups?operation=view&groupId=11" style="color: #0044bb;" target="_blank" title="External link to http://www.securitytube.net/groups?operation=view&groupId=11">SecurityTube: Python Scripting Expert</a></td><td align="center" style="border: 1px solid rgb(102, 102, 102); padding: 3px;">Just getting off the ground; not many videos yet.</td></tr>
<tr class="oddRow" style="border: 1px solid rgb(102, 102, 102); padding: 3px;"><td align="center" style="border: 1px solid rgb(102, 102, 102); padding: 3px;">Programming</td><td align="center" style="border: 1px solid rgb(102, 102, 102); padding: 3px;"><a class="externalLink" href="http://www.securitytube.net/groups?operation=view&groupId=5" style="color: #0044bb;" target="_blank" title="External link to http://www.securitytube.net/groups?operation=view&groupId=5">SecurityTube: Linux Assembly Language Megaprimer</a></td><td align="center" style="border: 1px solid rgb(102, 102, 102); padding: 3px;">Learn x86 assembly fundamentals on Linux.</td></tr>
<tr class="evenRow" style="border: 1px solid rgb(102, 102, 102); padding: 3px;"><td align="center" style="border: 1px solid rgb(102, 102, 102); padding: 3px;">Programming</td><td align="center" style="border: 1px solid rgb(102, 102, 102); padding: 3px;"><a class="externalLink" href="http://www.securitytube.net/groups?operation=view&groupId=6" style="color: #0044bb;" target="_blank" title="External link to http://www.securitytube.net/groups?operation=view&groupId=6">SecurityTube: Windows Assembly Language Megaprimer</a></td><td align="center" style="border: 1px solid rgb(102, 102, 102); padding: 3px;">Learn x86 assembly fundamentals on Windows.</td></tr>
<tr class="oddRow" style="border: 1px solid rgb(102, 102, 102); padding: 3px;"><td align="center" style="border: 1px solid rgb(102, 102, 102); padding: 3px;">Wireless Security</td><td align="center" style="border: 1px solid rgb(102, 102, 102); padding: 3px;"><a class="externalLink" href="http://www.securitytube.net/groups?operation=view&groupId=9" style="color: #0044bb;" target="_blank" title="External link to http://www.securitytube.net/groups?operation=view&groupId=9">SecurityTube: Wi-Fi Security Expert Course Materials</a></td><td align="center" style="border: 1px solid rgb(102, 102, 102); padding: 3px;">Great course into Wifi fundamentals, weaknesses, and attack vectors</td></tr>
<tr class="evenRow" style="border: 1px solid rgb(102, 102, 102); padding: 3px;"><td align="center" style="border: 1px solid rgb(102, 102, 102); padding: 3px;">Varied</td><td align="center" style="border: 1px solid rgb(102, 102, 102); padding: 3px;"><a class="externalLink" href="https://www.coursera.org/category/cs-systems" style="color: #0044bb;" target="_blank" title="External link to https://www.coursera.org/category/cs-systems ">Coursera Online Lectures</a></td><td align="center" style="border: 1px solid rgb(102, 102, 102); padding: 3px;">University lecture series on systems, security, and networking.</td></tr>
</tbody></table>
<h2 style="border-bottom-color: rgb(204, 204, 204); border-bottom-style: solid; border-bottom-width: 1px; color: #884411; font-size: 1.25em; margin-bottom: 0.3em; margin-top: 1.2em; padding-bottom: 1px;">
Ebooks / Free Docs</h2>
<table class="twtable" style="border-collapse: collapse; border: 2px solid rgb(102, 102, 102); margin: 0.8em 1em;"><thead>
<tr class="evenRow" style="border: 1px solid rgb(102, 102, 102); padding: 3px;"><td align="center" style="background-color: #2b7ea6; background-position: initial initial; background-repeat: initial initial; border: 1px solid rgb(102, 102, 102); color: white; padding: 3px;">Subject Matter</td><td align="center" style="background-color: #2b7ea6; background-position: initial initial; background-repeat: initial initial; border: 1px solid rgb(102, 102, 102); color: white; padding: 3px;">Title of Material</td><td align="center" style="background-color: #2b7ea6; background-position: initial initial; background-repeat: initial initial; border: 1px solid rgb(102, 102, 102); color: white; padding: 3px;">Comment</td></tr>
</thead><tbody>
<tr class="oddRow" style="border: 1px solid rgb(102, 102, 102); padding: 3px;"><td align="center" style="border: 1px solid rgb(102, 102, 102); padding: 3px;">Forensics</td><td align="center" style="border: 1px solid rgb(102, 102, 102); padding: 3px;"><a class="externalLink" href="http://www.ncjrs.gov/pdffiles1/nij/199408.pdf" style="color: #0044bb;" target="_blank" title="External link to http://www.ncjrs.gov/pdffiles1/nij/199408.pdf">DOJ - Forensic Examination of Digital Evidence</a></td><td align="center" style="border: 1px solid rgb(102, 102, 102); padding: 3px;">High-level DOJ book on Computer Forensic Examination For US Law Enforcement.</td></tr>
<tr class="evenRow" style="border: 1px solid rgb(102, 102, 102); padding: 3px;"><td align="center" style="border: 1px solid rgb(102, 102, 102); padding: 3px;">Penetration Testing</td><td align="center" style="border: 1px solid rgb(102, 102, 102); padding: 3px;"><a class="externalLink" href="http://www.offensive-security.com/metasploit-unleashed/Main_Page" style="color: #0044bb;" target="_blank" title="External link to http://www.offensive-security.com/metasploit-unleashed/Main_Page ">Offensive Security: Metasploit Unleashed</a></td><td align="center" style="border: 1px solid rgb(102, 102, 102); padding: 3px;">Great primer on all things Metasploit. Always seems up-to-date.</td></tr>
<tr class="oddRow" style="border: 1px solid rgb(102, 102, 102); padding: 3px;"><td align="center" style="border: 1px solid rgb(102, 102, 102); padding: 3px;">Varied</td><td align="center" style="border: 1px solid rgb(102, 102, 102); padding: 3px;"><a class="externalLink" href="http://csrc.nist.gov/" style="color: #0044bb;" target="_blank" title="External link to http://csrc.nist.gov/">NIST Computer Security Division</a></td><td align="center" style="border: 1px solid rgb(102, 102, 102); padding: 3px;">NIST guidelines and standards publications covering several major areas of computer security.</td></tr>
<tr class="evenRow" style="border: 1px solid rgb(102, 102, 102); padding: 3px;"><td align="center" style="border: 1px solid rgb(102, 102, 102); padding: 3px;">Varied</td><td align="center" style="border: 1px solid rgb(102, 102, 102); padding: 3px;"><a class="externalLink" href="http://www.sans.org/reading_room/" style="color: #0044bb;" target="_blank" title="External link to http://www.sans.org/reading_room/">SANS Reading Room</a></td><td align="center" style="border: 1px solid rgb(102, 102, 102); padding: 3px;">Huge collection of papers from SANS "Gold" certificate holders. Lots of cool material and projects.</td></tr>
</tbody></table>
<br />
<h2 style="border-bottom-color: rgb(204, 204, 204); border-bottom-style: solid; border-bottom-width: 1px; color: #884411; font-size: 1.25em; margin-bottom: 0.3em; margin-top: 1.2em; padding-bottom: 1px;">
Labs / Challenges / Hands On</h2>
<table class="twtable" style="border-collapse: collapse; border: 2px solid rgb(102, 102, 102); margin: 0.8em 1em;"><thead>
<tr class="evenRow" style="border: 1px solid rgb(102, 102, 102); padding: 3px;"><td align="center" style="background-color: #2b7ea6; background-position: initial initial; background-repeat: initial initial; border: 1px solid rgb(102, 102, 102); color: white; padding: 3px;">Subject Matter</td><td align="center" style="background-color: #2b7ea6; background-position: initial initial; background-repeat: initial initial; border: 1px solid rgb(102, 102, 102); color: white; padding: 3px;">Title Of Material</td><td align="center" style="background-color: #2b7ea6; background-position: initial initial; background-repeat: initial initial; border: 1px solid rgb(102, 102, 102); color: white; padding: 3px;">Comment</td></tr>
</thead><tbody>
<tr class="oddRow" style="border: 1px solid rgb(102, 102, 102); padding: 3px;"><td align="center" style="border: 1px solid rgb(102, 102, 102); padding: 3px;">Forensics (Network)</td><td align="center" style="border: 1px solid rgb(102, 102, 102); padding: 3px;"><a class="externalLink" href="http://forensicscontest.com/" style="color: #0044bb;" target="_blank" title="External link to http://forensicscontest.com/">Network Forensic Challenge</a></td><td align="center" style="border: 1px solid rgb(102, 102, 102); padding: 3px;">Great puzzles by the <a class="externalLink" href="http://lmgsecurity.com/" style="color: #0044bb;" target="_blank" title="External link to http://lmgsecurity.com/">LMG Security</a> team. Most of the fun I had at Defcon was due to these folks.</td></tr>
<tr class="evenRow" style="border: 1px solid rgb(102, 102, 102); padding: 3px;"><td align="center" style="border: 1px solid rgb(102, 102, 102); padding: 3px;">Forensics</td><td align="right" style="border: 1px solid rgb(102, 102, 102); padding: 3px;"><a class="externalLink" href="http://www.dc3.mil/challenge/" style="color: #0044bb;" target="_blank" title="External link to http://www.dc3.mil/challenge/">DC3 Forensic Challenges</a></td><td align="center" style="border: 1px solid rgb(102, 102, 102); padding: 3px;">Defense Cyber Crime Center Forensic Challenges and Competitions.</td></tr>
<tr class="oddRow" style="border: 1px solid rgb(102, 102, 102); padding: 3px;"><td align="center" style="border: 1px solid rgb(102, 102, 102); padding: 3px;">Web Application Security</td><td align="center" style="border: 1px solid rgb(102, 102, 102); padding: 3px;"><a class="externalLink" href="http://www.hackthissite.org/" style="color: #0044bb;" target="_blank" title="External link to http://www.hackthissite.org/">HackThisSite!</a></td><td align="center" style="border: 1px solid rgb(102, 102, 102); padding: 3px;">Learn through direct online challenges and mock-ups.</td></tr>
<tr class="evenRow" style="border: 1px solid rgb(102, 102, 102); padding: 3px;"><td align="center" style="border: 1px solid rgb(102, 102, 102); padding: 3px;">Varied</td><td align="center" style="border: 1px solid rgb(102, 102, 102); padding: 3px;"><a class="externalLink" href="http://securityoverride.org/challenges/" style="color: #0044bb;" target="_blank" title="External link to http://securityoverride.org/challenges/">Security Override</a></td><td align="center" style="border: 1px solid rgb(102, 102, 102); padding: 3px;">Large assemblage of hacking challenges with progressive levels across different domains.</td></tr>
</tbody></table>
<br />
<h2 style="border-bottom-color: rgb(204, 204, 204); border-bottom-style: solid; border-bottom-width: 1px; color: #884411; font-size: 1.25em; margin-bottom: 0.3em; margin-top: 1.2em; padding-bottom: 1px;">
Magazines / Zines</h2>
<table class="twtable" style="border-collapse: collapse; border: 2px solid rgb(102, 102, 102); margin: 0.8em 1em;"><thead>
<tr class="evenRow" style="border: 1px solid rgb(102, 102, 102); padding: 3px;"><td align="center" style="background-color: #2b7ea6; background-position: initial initial; background-repeat: initial initial; border: 1px solid rgb(102, 102, 102); color: white; padding: 3px;">Title of Material</td><td align="center" style="background-color: #2b7ea6; background-position: initial initial; background-repeat: initial initial; border: 1px solid rgb(102, 102, 102); color: white; padding: 3px;">Comments</td></tr>
</thead><tbody>
<tr class="oddRow" style="border: 1px solid rgb(102, 102, 102); padding: 3px;"><td align="center" style="border: 1px solid rgb(102, 102, 102); padding: 3px;"><a class="externalLink" href="http://magazine.hitb.org/" style="color: #0044bb;" target="_blank" title="External link to http://magazine.hitb.org/ ">HITB Magazine</a></td><td align="center" style="border: 1px solid rgb(102, 102, 102); padding: 3px;">Hack In the Box Magazine - Various Technical Security Articles</td></tr>
<tr class="evenRow" style="border: 1px solid rgb(102, 102, 102); padding: 3px;"><td align="center" style="border: 1px solid rgb(102, 102, 102); padding: 3px;"><a class="externalLink" href="https://hackbloc.org/zine" style="color: #0044bb;" target="_blank" title="External link to https://hackbloc.org/zine ">Hack This Zine</a></td><td align="center" style="border: 1px solid rgb(102, 102, 102); padding: 3px;">Computer Security, Privacy, Open Source Software</td></tr>
<tr class="oddRow" style="border: 1px solid rgb(102, 102, 102); padding: 3px;"><td align="center" style="border: 1px solid rgb(102, 102, 102); padding: 3px;"><a class="externalLink" href="http://phrack.org/" style="color: #0044bb;" target="_blank" title="External link to http://phrack.org">Phrack</a></td><td align="center" style="border: 1px solid rgb(102, 102, 102); padding: 3px;">Venerable Zine of the Computer Underground.</td></tr>
<tr class="evenRow" style="border: 1px solid rgb(102, 102, 102); padding: 3px;"><td align="center" style="border: 1px solid rgb(102, 102, 102); padding: 3px;"><a class="externalLink" href="http://www.scmagazine.com/issuearchive/" style="color: #0044bb;" target="_blank" title="External link to http://www.scmagazine.com/issuearchive/ ">SC Magazine Archive</a></td><td align="center" style="border: 1px solid rgb(102, 102, 102); padding: 3px;">Issue Archive for SC Magazine</td></tr>
</tbody></table>
<br />
<h2 style="border-bottom-color: rgb(204, 204, 204); border-bottom-style: solid; border-bottom-width: 1px; color: #884411; font-size: 1.25em; margin-bottom: 0.3em; margin-top: 1.2em; padding-bottom: 1px;">
Tutorials</h2>
<table class="twtable" style="border-collapse: collapse; border: 2px solid rgb(102, 102, 102); margin: 0.8em 1em;"><thead>
<tr class="evenRow" style="border: 1px solid rgb(102, 102, 102); padding: 3px;"><td align="center" style="background-color: #2b7ea6; background-position: initial initial; background-repeat: initial initial; border: 1px solid rgb(102, 102, 102); color: white; padding: 3px;">Subject Matter</td><td align="center" style="background-color: #2b7ea6; background-position: initial initial; background-repeat: initial initial; border: 1px solid rgb(102, 102, 102); color: white; padding: 3px;">Title of Material</td><td align="center" style="background-color: #2b7ea6; background-position: initial initial; background-repeat: initial initial; border: 1px solid rgb(102, 102, 102); color: white; padding: 3px;">Comment</td></tr>
</thead><tbody>
<tr class="oddRow" style="border: 1px solid rgb(102, 102, 102); padding: 3px;"><td align="center" style="border: 1px solid rgb(102, 102, 102); padding: 3px;">Lockpicking / Physical Penetration</td><td align="right" style="border: 1px solid rgb(102, 102, 102); padding: 3px;"><a class="externalLink" href="http://www.youtube.com/playlist?list=PL66CD42F86F3A1F85&feature=plcp" style="color: #0044bb;" target="_blank" title="External link to http://www.youtube.com/playlist?list=PL66CD42F86F3A1F85&feature=plcp">Basic operation and manipulation of Locks</a></td><td style="border: 1px solid rgb(102, 102, 102); padding: 3px;">Series of short videos by Schuyler Towne on lockpicking concepts and techniques.</td></tr>
<tr class="evenRow" style="border: 1px solid rgb(102, 102, 102); padding: 3px;"><td align="center" style="border: 1px solid rgb(102, 102, 102); padding: 3px;">Web Development</td><td align="center" style="border: 1px solid rgb(102, 102, 102); padding: 3px;"><a class="externalLink" href="http://www.w3schools.com/" style="color: #0044bb;" target="_blank" title="External link to http://www.w3schools.com/">W3Schools</a></td><td align="center" style="border: 1px solid rgb(102, 102, 102); padding: 3px;">Great tutorials on web coding and a foundation for understanding web-app security.</td></tr>
</tbody></table>
</div>
Unknownnoreply@blogger.com0tag:blogger.com,1999:blog-114124230733856093.post-2233226064855300832011-02-11T11:40:00.000-08:002013-04-30T12:07:50.250-07:00Google Alerts For Security Monitoring<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEglz8Zm-rqBUr_QoW0M7ZNTTmYEFC_-Huv77pfOp9r0ZJBWtl8F03uxCg-fnEY2uZtrLyV58PLuWT-Y4BlBYTvzxQVKwObwhCnDti4KYHktRRuD81MLu_AvJne19WoBjqcqWhJE4QEDwp8/s1600/alerts_logo_beta.gif" onblur="try {parent.deselectBloggerImageGracefully();} catch(e) {}"><img alt="" border="0" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEglz8Zm-rqBUr_QoW0M7ZNTTmYEFC_-Huv77pfOp9r0ZJBWtl8F03uxCg-fnEY2uZtrLyV58PLuWT-Y4BlBYTvzxQVKwObwhCnDti4KYHktRRuD81MLu_AvJne19WoBjqcqWhJE4QEDwp8/s400/alerts_logo_beta.gif" id="BLOGGER_PHOTO_ID_5564732049358005746" style="cursor: hand; cursor: pointer; display: block; height: 40px; margin: 0px auto 10px; text-align: center; width: 175px;" /></a><br />
Google's web spider "Googlebot" crawls billions of pages on the Internet, tirelessly indexing content and meta-information. While this indexing operation fuels Google's overall search experience, it also has some decent utility for security monitoring.<br />
<div>
<br /></div>
<div>
This is made possible by <a href="http://www.google.com/alerts">Google Alerts</a>, a free service that lets you automate searches and receive email or RSS notices whenever new results appear. It is always a good idea to run some "introspective" searches against your own websites, and setting up Google Alerts for this purpose is very easy (see the link above). Here is a brief list of some ways it can be employed:</div>
<div>
<br /></div>
<div>
<b>Detecting Spamdexing</b></div>
<div>
<a href="http://en.wikipedia.org/wiki/Spamdexing">Spamdexing</a> describes a variety of efforts that attackers can undertake to inject their links and text onto target servers to facilitate Blackhat SEO (search engine optimization). In these attacks, the attacker uses collections of often self-referring injected links to increase the page ranking of a master link-farm page. The end goal is to have the final link-farm page listed as high as possible in search engine search results to capture web-traffic and garner referral fees or to commit fraud.</div>
<div>
<br /></div>
<div>
Blog and wiki comment spam is often used for this purpose, but Spamdexing also frequently follows a compromise of a web application (particularly some popular open source CMS systems) or of the associated hosting account, which is then used to host the injected content. The keywords and phrases targeted in Spamdexing SEO very often relate to purchasing "cheap goods", so it isn't hard to look for these as indicators of potential problems.</div>
<div>
<br /></div>
<div>
You can monitor for potential indications of a successful Spamdexing attack by coupling Google Alerts with some basic site: searches. Here are some quick examples:</div>
<div>
<i><span class="Apple-style-span"><br /></span></i></div>
<div>
<span class="Apple-style-span"><i><b>site:mydomain.com viagra OR cialis OR levitra</b></i><i><span class="Apple-style-span"> </span> (<a href="http://www.google.com/search?q=site:.gov+%22buy+levitra%22+OR+%22buy+cialis%22+or+%22buy+viagra%22">click for example</a>)</i></span></div>
<div>
<span class="Apple-style-span"><span class="Apple-style-span"><i><b>site:mydomain.com buy windows OR buy office</b></i></span><i> (<a href="http://www.google.com/search?q=site:.gov+%22buy+levitra%22+OR+%22buy+cialis%22+or+%22buy+viagra%22#sclient=psy&hl=en&q=site:edu++%22buy+windows%22+%22buy+office%22&aq=f&aqi=&aql=&oq=&pbx=1&fp=52d2b201a2cf1179">click for example</a>)</i></span></div>
<div>
<br /></div>
<div>
Unfortunately, there is usually no shortage of sites that have been impacted by these types of attacks.</div>
<div>
<br /></div>
<div>
<b>Detecting Data Leaks</b></div>
<div>
Another easy and useful alert to key in on is the set of document types visible to Google on your external-facing websites. This is made possible through filetype: searches. These searches help address the risk of information leaks that occur when a user uploads material to your public site that was never intended for public disclosure. </div>
<div>
<br /></div>
<div>
Some useful searches in the area include:</div>
<div>
<i><span class="Apple-style-span"><b>site:mydomain.com filetype:docx</b></span></i></div>
<div>
<i><span class="Apple-style-span"><b>site:mydomain.com filetype:csv</b></span></i></div>
<div>
etc .... </div>
<div>
<br /></div>
<div>
Also, if you have sensitive documents that contain some unique textual content, that text can serve as a watermark for searches that determine whether your organization's material has found its way onto internal/external web pages or online document storage venues.</div>
<div>
<br /></div>
<div>
<b>Keeping An Eye Out For Blackhat SEO</b></div>
<div>
Another item Google Alerts can assist with is detecting external websites set up to draw in unsuspecting users who are searching for terms or topics related to your organization. Automated SEO bots often search the Internet and combine keyword terms/topics in hopes of finding a combination that results in a high page rank. A good way to keep an eye out for this is to set up alerts based on your organization's name, abbreviations, product lines, etc. In addition to assisting with the detection of Blackhat SEO methods, this also gives your security team some extremely valuable insight into link structures, web postings, and other areas that may relate to your organization's web resources, data, and reputation.</div>
<div>
<br /></div>
<div>
These broad searches can generate a good bit of noise, so they have to be tailored, but the results can greatly assist your overall awareness of external web development, posts, or methods that may have relevance to your security program.</div>
<div>
<br /></div>
<div>
<b>Vulnerability and Misconfig. Scanning</b></div>
<div>
Last but certainly not least, it is worth mentioning that Google searches can of course also be used to look for known vulnerabilities or misconfigurations of Internet-facing devices. The newly reborn <a href="http://www.exploit-db.com/google-hacking-database-reborn/">Google Hacking Database</a> has a lot of useful "Google-Dork" security searches.</div>
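<div>
<br /></div>
<div>
As an added example (not part of the original post), the Python below triages a Google Alerts RSS feed against the indicators described above: pharma or software-piracy keywords on your own domain (Spamdexing), office document types on your own domain (data leaks), and results hosted on third-party sites (possible Blackhat SEO trading on your name). The feed entries are constructed, and the keyword list, the extension list, and the <i>mydomain.com</i> domain are assumptions to tune for your environment. Google Alerts wraps each result link in a google.com/url redirect, so the script unwraps the <i>url</i> parameter before deciding whether a hit is on your site.</div>

```python
"""Triage a Google Alerts Atom feed for spamdexing, document leaks and external mentions.
Added example, not code from the original post; the feed below is constructed."""
import re
import xml.etree.ElementTree as ET
from urllib.parse import parse_qs, urlparse

ATOM = "{http://www.w3.org/2005/Atom}"

# Keywords typical of pharma and software-piracy spamdexing campaigns
# (assumption: extend with whatever your own alerts keep surfacing).
SPAM_TERMS = ("viagra", "cialis", "levitra", "buy windows", "buy office")

# Document types that leak when someone uploads the wrong file to a public
# web root; mirrors the filetype: searches from the post (assumed list).
LEAK_EXTENSIONS = (".docx", ".xlsx", ".pptx", ".csv", ".pdf")


def unwrap_google_redirect(url):
    """Alert feeds typically wrap each result as
    https://www.google.com/url?...&url=<target>&...; return the target."""
    parts = urlparse(url)
    host = (parts.hostname or "").lower()
    if host.endswith("google.com") and parts.path == "/url":
        target = parse_qs(parts.query).get("url")
        if target:
            return target[0]
    return url


def strip_html(text):
    """Titles and snippets arrive as HTML; flatten them for keyword matching."""
    return re.sub(r"<[^>]+>", " ", text or "")


def parse_alert_feed(xml_text):
    """Yield one dict (title, url, snippet) per Atom <entry> in the feed."""
    root = ET.fromstring(xml_text)
    for entry in root.iter(ATOM + "entry"):
        link = entry.find(ATOM + "link")
        href = link.get("href", "") if link is not None else ""
        yield {
            "title": strip_html(entry.findtext(ATOM + "title")),
            "url": unwrap_google_redirect(href),
            "snippet": strip_html(entry.findtext(ATOM + "content")),
        }


def in_domain(url, domain):
    """True when the result is hosted on `domain` or one of its subdomains."""
    host = (urlparse(url).hostname or "").lower()
    return host == domain or host.endswith("." + domain)


def classify(entry, domain):
    """Return the indicator tags that apply to one alert result."""
    tags = []
    text = f"{entry['title']} {entry['snippet']}".lower()
    if in_domain(entry["url"], domain):
        if any(term in text for term in SPAM_TERMS):
            tags.append("spamdexing")      # pharma/piracy text on our own pages
        if urlparse(entry["url"]).path.lower().endswith(LEAK_EXTENSIONS):
            tags.append("document-leak")   # office/data file exposed on our site
    else:
        tags.append("external-mention")    # third-party page trading on our name
    return tags


def triage(xml_text, domain):
    """Map each flagged result URL to its tags; clean own-site hits are dropped."""
    report = {}
    for entry in parse_alert_feed(xml_text):
        tags = classify(entry, domain)
        if tags:
            report[entry["url"]] = tags
    return report


# Constructed sample feed in the Google Alerts Atom layout (not real data).
SAMPLE_FEED = """<feed xmlns="http://www.w3.org/2005/Atom">
  <title>Google Alert - site:mydomain.com viagra OR cialis OR levitra</title>
  <entry>
    <title type="html">Campus Events - &lt;b&gt;buy cialis&lt;/b&gt; online</title>
    <link href="https://www.google.com/url?rct=j&amp;sa=t&amp;url=https://blog.mydomain.com/events/2011/?p=old&amp;ct=ga"/>
    <content type="html">... &lt;b&gt;cheap viagra&lt;/b&gt; no prescription ...</content>
  </entry>
  <entry>
    <title type="html">Q3 budget</title>
    <link href="https://www.google.com/url?url=https://www.mydomain.com/uploads/q3-budget.xlsx&amp;ct=ga"/>
    <content type="html">Department,Amount,Approver</content>
  </entry>
  <entry>
    <title type="html">mydomain coupons - best deals</title>
    <link href="https://www.google.com/url?url=http://mydomain-deals.example/?ref=seo&amp;ct=ga"/>
    <content type="html">mydomain discount code ...</content>
  </entry>
  <entry>
    <title type="html">About Us</title>
    <link href="https://www.google.com/url?url=https://www.mydomain.com/about/&amp;ct=ga"/>
    <content type="html">Our mission ...</content>
  </entry>
</feed>"""

if __name__ == "__main__":
    for url, tags in triage(SAMPLE_FEED, "mydomain.com").items():
        print(f"{', '.join(tags):18} {url}")
```

<div>
Register the site: and filetype: queries above as Google Alerts with RSS delivery, fetch the feed on a schedule, and hand its body to triage(). Own-site results that carry no indicator (the "About Us" entry in the sample) are dropped, so the report holds only what a person should actually look at.</div>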
Unknownnoreply@blogger.com0tag:blogger.com,1999:blog-114124230733856093.post-59645810883322834642010-12-17T08:27:00.000-08:002010-12-20T09:27:59.212-08:00GBooks N-Grams:Security Terms Over Time<div style="text-align: left;">Yesterday, Google released a <a href="http://ngrams.googlelabs.com/">rather addictive tool</a> on GLabs that graphs the rate of occurrence of particular phrases in around 10% of all books <u>ever</u> published, in a number of languages.</div><div><br /></div><div>It is interesting to see how some security topics/keywords have entered the mainstream (of written publications) or perhaps are leaving it. </div><div><br /></div><div style="text-align: center;"><b>Information Security vs Cyber Security vs Data Security vs etc...</b></div><div style="text-align: center;"><span class="Apple-style-span" style="color: rgb(0, 0, 238); -webkit-text-decorations-in-effect: underline; "><a href="http://ngrams.googlelabs.com/graph?content=computer+security,data+security,cyber+security,information+security,information+assurance&year_start=1970&year_end=2008&corpus=0&smoothing=1"><img src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEh-owLCX_yt1x4jRaKWv5d4EDlOu3G_IWKBPDQyaoRcrbdL-pFZPU4v3I9d4J5zp8D8kzBkCCHDyrF-fS15BHlP4rKK71fJlXTcwADxSyJKnv-PX3Udb-tq5g3UGhuxKCmJ4zShLX6BD-E/s400/chart+%252812%2529.png" border="0" alt="" id="BLOGGER_PHOTO_ID_5551742235902192754" style="display: block; margin-top: 0px; margin-right: auto; margin-bottom: 10px; margin-left: auto; text-align: center; cursor: pointer; width: 400px; height: 147px; " /></a></span></div><div><span class="Apple-style-span" style="color: rgb(0, 0, 238); -webkit-text-decorations-in-effect: underline; "><br /></span></div><div style="text-align: center;"><b>Malware vs Virus vs Trojan vs etc...</b></div><div><span class="Apple-style-span"><span class="Apple-style-span" style="-webkit-text-decorations-in-effect: underline; "><span class="Apple-style-span" style="color: rgb(0, 0, 238); 
-webkit-text-decorations-in-effect: underline; "></span></span></span></div><div style="text-align: center;"><span class="Apple-style-span" style="color: rgb(0, 0, 238); -webkit-text-decorations-in-effect: underline; "><a href="http://ngrams.googlelabs.com/graph?content=computer+virus,computer+worm,computer+trojan,malicious+software,malware,spyware&year_start=1970&year_end=2008&corpus=0&smoothing=1"><img src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiHy2Cax9fszcTReuGEhlgZxq3QKoupFoO9A9uxMS_pH4qiQYRgmN0_krqlPmysdEDUyeQlcH22hlPVa2hAHPnmOL_zrjIXnAiakRnsuJf0p-SGr2L4WAe1NxVCNRVDoDizVbsPaMOY0SQ/s400/chart+%25288%2529.png" border="0" alt="" id="BLOGGER_PHOTO_ID_5551721324278078690" style="display: block; margin-top: 0px; margin-right: auto; margin-bottom: 10px; margin-left: auto; text-align: center; cursor: pointer; width: 400px; height: 147px; " /></a></span></div><div style="text-align: center;"><br /></div><div style="text-align: center;"><b>Identity Theft Advent.</b></div><div style="text-align: center;"><span class="Apple-style-span" style="color: rgb(0, 0, 238); -webkit-text-decorations-in-effect: underline; "><a href="http://ngrams.googlelabs.com/graph?content=identity+theft&year_start=1970&year_end=2008&corpus=0&smoothing=1"><img src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjlmrl77zw5W0iFLB0EyW2KGDVR5_lTxkt12-mNMjs_6vJlRuv8qXT4ePKkhXMvMkbg6SK1V1sq-bHdenIMYzXjKwL-sZfl9XyJzKlFzU_zT9QTvF9cE3j6tsArWGLPU4Txgs6wMxgvBBw/s400/chart+%252810%2529.png" border="0" alt="" id="BLOGGER_PHOTO_ID_5551725678385271426" style="display: block; margin-top: 0px; margin-right: auto; margin-bottom: 10px; margin-left: auto; text-align: center; cursor: pointer; width: 400px; height: 147px; " /></a></span></div><div style="text-align: center;"><b><br /></b></div><div style="text-align: center;"><b>Just For Fun...</b></div><div style="text-align: center;"><span class="Apple-style-span" style="color: rgb(0, 0, 238); -webkit-text-decorations-in-effect: 
underline; "><a href="http://ngrams.googlelabs.com/graph?content=geek,nerd,dweeb,dork,poindexter&year_start=1970&year_end=2008&corpus=0&smoothing=1"><img src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgz18WGu2OR9VUYeZRKHDfWc5YLuPIsedy9_UOb01Dqc6lTnnrDA__EzppGbtZIiJBA9EKKs206eSJqekwivcFlIkTOk-Cg5UthA59mSqk8wMJyIh4e8cqe-JRogYWtokbuugi7yR_0WRM/s400/chart+%252811%2529.png" border="0" alt="" id="BLOGGER_PHOTO_ID_5551740481208636882" style="display: block; margin-top: 0px; margin-right: auto; margin-bottom: 10px; margin-left: auto; text-align: center; cursor: pointer; width: 400px; height: 147px; " /></a></span></div><div><br /></div>Unknownnoreply@blogger.com0tag:blogger.com,1999:blog-114124230733856093.post-32875690952542440262010-12-14T06:31:00.000-08:002011-02-15T12:21:02.114-08:00Gawker Breach: The Problem With Passwords<span class="Apple-style-span"><div>The <a href="http://blogs.forbes.com/firewall/2010/12/13/the-lessons-of-gawkers-security-mess/" target="_blank">recent Gawker breach</a>, <a href="http://nakedsecurity.sophos.com/2010/12/13/acai-berry-spam-gawker-password-hack-twitter/" target="_blank">subsequent impacts</a>, and <a href="http://news.cnet.com/8301-27080_3-20025688-245.html?part=rss&subj=news&tag=2547-1_3-0-20" target="_blank">response measures</a> act as a reminder that continued reliance on outdated authentication methods greatly enhances the threat of cascading security impacts.</div></span><span class="Apple-style-span"><br />Why so? Four basic reasons are at play:<br /><br />1. Users value and increasingly expect the convenience of using a primary email address as their account ID when faced with a vast number of sites/resources that they wish to access.<br /><br />2. 
While some users do employ "cast-off" passwords for non-critical web resources, the most pessimistic (and therefore <a href="http://www.securityweek.com/survey-reveals-how-stupid-people-are-their-passwords" target="_blank">most likely correct</a>) view is that a large percentage of users employ a "personal ubiquitous password" everywhere they can. This password is invariably weak and often easy to crack.<br /><br />3. With these ubiquitous passwords widely in use, the overall security of a collection of accounts becomes transitive. It only takes one resource provider with lax security to jeopardize the entire chain.<br /><br />4. Last but definitely not least, continued reliance on archaic "what you know" single-factor authentication makes this all so much easier. The bar is so low that there is really no mitigation of risk once realities #1, #2, and #3 meet a password dump incident.</span><div><span class="Apple-style-span"><br /><b><span class="Apple-style-span" style="font-weight: normal; "><b>Why Password Management Practices Are Poor</b></span><br /></b></span><div><span class="Apple-style-span"><b><span class="Apple-style-span" style="font-weight: normal; ">Users want a simple, easy, and secure method for accessing their online web resources that doesn't require an eidetic memory or taking the time to learn mnemonic methods (I know, it isn't that hard, but still...). The truth is that fear of losing or forgetting credentials is greater for most users/customers than their concern over the potential for their accounts to be breached. 
So lowering the future risk to end users from large-scale password dumps is really a challenge of lessening anxiety over forgetting passwords while increasing awareness of the end-game impacts of poor password management.</span><br /></b></span><div><div><span class="Apple-style-span"><br /></span></div><div><span class="Apple-style-span">Unfortunately, the latter stratagem of enhancing awareness and concern hasn't gotten us too far. In truth, some elements of "security dogma" probably need to be <a href="http://www.schneier.com/blog/archives/2005/06/write_down_your.html" target="_blank">re-examined</a> and <a href="http://www.cerias.purdue.edu/site/blog/post/passwords-and-myth/" target="_blank">contextualized</a>. To move us forward, greater effort needs to be focused on placing pragmatic password management methods/tools alongside out-of-band backup/recovery options that ease concern over losing access to online resources through forgotten credentials. </span></div><div><span class="Apple-style-span"><br /></span></div><div><span class="Apple-style-span">When people are more comfortable with the idea that they aren't going to lock themselves out of their accounts, then adoption of better practices </span>can become a reality.</div></div></div></div>Unknownnoreply@blogger.com0