Get an EveryKey and forget all your passwords

An upcoming startup is revolutionizing how we manage our passwords and physical keys.  It combines wearable technology with security to let users store and then forget their passwords for most of the devices they use daily, such as computers, phones, laptops and websites, as well as physical locks.

When the Everykey wristband is within range of a user’s device, the wristband will allow the user to bypass that device’s password or physically unlock it automatically, eliminating the need for complicated passwords and cumbersome keys.

It will be interesting to see how they develop, and I am sure it will have many uses, including in the corporate world.

http://www.everykey.com/index.html

High Profile Hacks of 2014

Time and time again, the hacking and exfiltration of corporate data continues unabated, with the latest victim being one of the most important organizations for the internet's infrastructure.  ICANN has just announced that hackers were able to infiltrate its systems via email phishing and gained access to some of its systems, including systems that contained its root zone information.

Prior to the ICANN hacking incident, Sony suffered one of the worst breaches of the year, and terabytes of data were exfiltrated and posted online.  Below are some of the most prominent hacking incidents of 2014 in my opinion.  It goes without saying that these are just the ones that made it to the headlines and were reported on.  Most likely the number of unreported or undetected incidents is far greater than the ones that made the news.

High Profile Hacks of 2014

  • ICANN Hacking – ICANN’s announcement of the incident.
  • Sony Hacking – An excellent analysis of the event from the beginning.
  • Home Depot – Over 100 Million records stolen.
  • JP Morgan – Over 80 million customer and small business accounts compromised.
  • eBay – Over 145 million users affected.
  • Target – Over 100 million records stolen.
  • Apple’s iCloud Hacking – Many celebrities lost their personal files.

Enabling remote access to PostgreSQL database server

This post is taken from the Nixcraft website. I was trying to find out how to access the PostgreSQL database used in Kali, the penetration testing tool.

By default, remote access to the PostgreSQL database server is disabled for security reasons. However, sometimes you need to provide remote access to the database server from a home computer or from a web server.

Step # 1: Login over ssh if the server is outside your IDC

Log in over ssh to the remote PostgreSQL database server:
$ ssh user@remote.pgsql.server.com

Step # 2: Enable client authentication

Once connected, you need to edit the PostgreSQL configuration file /var/lib/pgsql/data/pg_hba.conf (or /etc/postgresql/8.2/main/pg_hba.conf for the 8.2 version) using a text editor such as vi.

Log in as the postgres user using the su / sudo command, enter:
$ su - postgres
Edit the file:
$ vi /var/lib/pgsql/data/pg_hba.conf
OR
$ vi /etc/postgresql/8.2/main/pg_hba.conf
Append the following configuration line to give access to the 10.10.29.0/24 network:
host all all 10.10.29.0/24 trust
Save and close the file. Make sure you replace 10.10.29.0/24 with the actual network IP address range of the client systems in your own network.

Step # 2: Enable networking for PostgreSQL

You need to enable TCP/IP networking. Use either step # 3 or step # 3a, depending on your PostgreSQL database server version.

Step # 3: Allow TCP/IP socket

If you are using PostgreSQL version 8.x or newer, use the following instructions, or skip to Step # 3a for older versions (7.x or older).

You need to open the PostgreSQL configuration file /var/lib/pgsql/data/postgresql.conf or /etc/postgresql/8.2/main/postgresql.conf.
# vi /etc/postgresql/8.2/main/postgresql.conf
OR
# vi /var/lib/pgsql/data/postgresql.conf
Find the configuration line that reads as follows:
listen_addresses='localhost'
Next, set the IP address(es) to listen on; you can use a comma-separated list of addresses. The default is 'localhost', and '*' means all IP addresses:
listen_addresses='*'
Or bind only to the 202.54.1.2 and 202.54.1.3 IP addresses (the list must be comma-separated):
listen_addresses='202.54.1.2,202.54.1.3'
Save and close the file. Skip to step # 4.

Step #3a – Information for old version 7.x or older

The following configuration is only required for PostgreSQL version 7.x or older. Open the config file, enter:
# vi /var/lib/pgsql/data/postgresql.conf
Bind and open the TCP/IP port by setting tcpip_socket to true:
tcpip_socket = true
Save and close the file.

Step # 4: Restart PostgreSQL Server

Type the following command:
# /etc/init.d/postgresql restart

Step # 5: Iptables firewall rules

Make sure iptables is not blocking communication; open port 5432 (append the rules to your iptables script or to the file /etc/sysconfig/iptables):

iptables -A INPUT -p tcp -s 0/0 --sport 1024:65535 -d 10.10.29.50  --dport 5432 -m state --state NEW,ESTABLISHED -j ACCEPT
iptables -A OUTPUT -p tcp -s 10.10.29.50 --sport 5432 -d 0/0 --dport 1024:65535 -m state --state ESTABLISHED -j ACCEPT

Restart firewall:
# /etc/init.d/iptables restart

Step # 6: Test your setup

Use the psql command from the client system. To connect to the remote server at IP address 10.10.29.50 and log in as the user vivek to the sales database, enter:
$ psql -h 10.10.29.50 -U vivek -d sales
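The line appended in step 2 uses the trust method, which lets any client on the listed network connect without a password; that is acceptable in a lab but not for the home-computer or web-server access this post describes. The following audit script is an added example, not part of the Nixcraft post or of PostgreSQL: it parses a constructed pg_hba.conf in the format the post edits (including the post's own line), flags trust entries for non-loopback addresses, cleartext password entries and catch-all address rules, and reads listen_addresses from a postgresql.conf fragment. The sample also uses scram-sha-256, which exists on PostgreSQL 10 and later; md5 is the equivalent on the 8.x releases named above.

```python
import ipaddress
import re

# Constructed sample pg_hba.conf: the line this post appends (10.10.29.0/24 trust)
# next to a few other entries so that each audit rule has something to match.
SAMPLE_PG_HBA = """\
# TYPE  DATABASE  USER   ADDRESS                     METHOD
local   all       all                                peer
host    all       all    127.0.0.1/32                md5
host    all       all    10.10.29.0/24               trust
host    all       all    0.0.0.0/0                   md5
hostssl sales     vivek  10.10.29.0/24               scram-sha-256
host    all       all    192.168.1.0 255.255.255.0   password
"""

# Constructed sample postgresql.conf fragment with the wide-open setting from step 3.
SAMPLE_POSTGRESQL_CONF = """\
listen_addresses = '*'    # what IP address(es) to listen on
port = 5432
"""

IPV4 = re.compile(r"\d{1,3}(\.\d{1,3}){3}")


def parse_pg_hba(text):
    """Return (line_no, type, database, user, address, method) per active entry.
    'local' entries have no address column; an IPv4 address followed by a
    dotted netmask in its own column is folded into address/netmask form."""
    rows = []
    for no, raw in enumerate(text.splitlines(), 1):
        fields = raw.split("#", 1)[0].split()
        if not fields:
            continue  # blank or comment-only line
        if fields[0] == "local":
            if len(fields) >= 4:
                rows.append((no, fields[0], fields[1], fields[2], None, fields[3]))
            continue
        if len(fields) < 5:
            continue  # malformed: pg_hba.conf needs at least type db user addr method
        address, rest = fields[3], fields[4:]
        if IPV4.fullmatch(address) and IPV4.fullmatch(rest[0]):
            address, rest = f"{address}/{rest[0]}", rest[1:]
        if rest:
            rows.append((no, fields[0], fields[1], fields[2], address, rest[0]))
    return rows


def audit_pg_hba(text):
    """Return (line_no, message) findings for the risky patterns a remote-access
    change like the one in this post can introduce."""
    findings = []
    for no, typ, _db, _user, address, method in parse_pg_hba(text):
        if typ == "local":
            continue  # Unix-socket entries are not reachable remotely
        try:
            net = ipaddress.ip_network(address, strict=False)
        except ValueError:
            net = None  # samehost, samenet, all, or a hostname
        loopback = net is not None and net.is_loopback
        if method == "trust" and not loopback:
            findings.append((no, f"trust lets any client in {address} connect with no password"))
        if method == "password":
            findings.append((no, "password method sends the password in cleartext"))
        if address == "all" or (net is not None and net.prefixlen == 0):
            findings.append((no, "rule matches every client address"))
    return findings


def listen_addresses(conf_text):
    """Return the listen_addresses list from a postgresql.conf fragment, or the
    PostgreSQL default ['localhost'] when the setting is absent."""
    for raw in conf_text.splitlines():
        line = raw.split("#", 1)[0].strip()
        m = re.fullmatch(r"listen_addresses\s*=\s*'([^']*)'", line)
        if m:
            return [a.strip() for a in m.group(1).split(",") if a.strip()]
    return ["localhost"]


if __name__ == "__main__":
    for no, msg in audit_pg_hba(SAMPLE_PG_HBA):
        print(f"pg_hba.conf line {no}: {msg}")
    print("listen_addresses:", listen_addresses(SAMPLE_POSTGRESQL_CONF))
```

Run it against your real /etc/postgresql/.../pg_hba.conf and postgresql.conf after step 3; a finding on the line you appended means the remote range can log in with no password at all.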


Regin (In Registry) Malware

Regin – In Reg

Security researchers are talking about a newly discovered malware which may have been created years ago and which has sophisticated capabilities for spying on its victims.  According to Symantec, the victims are spread across many countries, with most infections coming from Russia and Saudi Arabia.  Most researchers agree that the level of sophistication that has gone into developing this malware indicates that a nation state or states are behind it, and the most likely suspects are western intelligence agencies.

Encryption is used throughout the entire process, from infecting the victim all the way to extracting sensitive information, which has made detection of this malware almost impossible so far.

Below are detailed analyses of this malware posted by Symantec and Kaspersky Lab.

Regin: Top-tier espionage tool enables stealthy surveillance

Regin: Nation-state ownage of GSM networks


Bitmessage – Secure Email Communication

Encrypted Communication

Edward Snowden has revealed to the world how governments around the world, in particular the US government, have access to most internet data, including that of all the major web email providers such as Google and Microsoft.  Access to the information is obtained either through a backdoor installed in their systems or by forcing them to reveal the information.  Therefore we must assume that anything we do and say on the big wide internet can be viewed by someone with whom we did not intend to share it.  This means our privacy on the internet can be easily compromised unless we take some necessary steps.  So how do users protect their privacy and communicate securely and privately on the internet?

There are a number of existing as well as upcoming technologies that aim to solve this issue.  For example, one technology that has been around for quite some time is Pretty Good Privacy (PGP), developed by Phil Zimmermann in the early 90s. It is used to sign and encrypt files, emails, and whole disks.

Bitmessage is a new email communication program based on peer-to-peer technology using block chains.  It does not store messages centrally; rather, messages are processed on individual client computers.  Therefore there is no central entity that can be hacked or made to provide its data to others.

Bitmessage

Below is information from the homepage of this project.

Bitmessage

Bitmessage is a P2P communications protocol used to send encrypted messages to another person or to many subscribers. It is decentralized and trustless, meaning that you need not inherently trust any entities like root certificate authorities. It uses strong authentication which means that the sender of a message cannot be spoofed, and it aims to hide “non-content” data, like the sender and receiver of messages, from passive eavesdroppers like those running warrantless wiretapping programs. If Bitmessage is completely new to you, you may wish to start by reading the whitepaper.

Download

An open source client is available for free under the very liberal MIT license. For screenshots and a description of the client, see this CryptoJunky article: “Setting Up And Using Bitmessage”.

Download for Windows

Download for OS X

Run the source code

Source code

You may view the Python source code on Github. Bitmessage requires PyQt and OpenSSL. Step-by-step instructions on how to run the source code on Linux, Windows, or OSX are available here.

Security audit needed

Bitmessage is in need of an independent audit to verify its security. If you are a researcher capable of reviewing the source code, please email the lead developer. You will be helping to create a great privacy option for people everywhere!

Forum

Mininet

Mininet is open source software developed for practicing and learning SDN concepts.  The content posted below is from the home page of their website and pretty much explains what Mininet is.

Mininet

Mininet creates a realistic virtual network, running real kernel, switch and application code, on a single machine (VM, cloud or native), in seconds, with a single command:

Because you can easily interact with your network using the Mininet CLI (and API), customize it, share it with others, or deploy it on real hardware, Mininet is useful for development, teaching, and research.

Mininet is also a great way to develop, share, and experiment with OpenFlow and Software-Defined Networking systems.

Mininet is actively developed and supported, and is released under a permissive BSD Open Source license. We encourage you to contribute code, bug reports/fixes, documentation, and anything else that can improve the system!

Bulk Changes Using VI / VIM

VI/M

VI and VIM (Vi IMproved) are text editors found on most *nix systems.  Today I came across a very simple but handy feature of these editors which can be used for bulk replacement of repetitive text within files.  It can be compared to the find-and-replace feature of most text editors such as Notepad and Microsoft Word.

Usage

To use this feature, type the command “:%s/old_text/new_text/g” in the command mode of VI or VIM.  The editor is in command mode when you first open it, or you can switch to it by pressing the “Esc” key on the keyboard. The “old_text” in the command is the text that you want to replace, while “new_text” is the new text that replaces the old one.  The “g” option applies the change to all occurrences of the old text on each line of the file.  If you want a confirmation prompt for each change, add the “c” option at the end by typing “:%s/old_text/new_text/gc”.


Example

For example, I wanted to change the name of an access list in a particular firewall configuration, as shown below.  The name appears 21 times in the configuration file.  This means that if I did it manually I would have to type it 21 times for the change to take effect.  I opened the file in VIM and then used the command to change the name from acl_apptest to acl-apptest_in.

Screenshot-2014-10-09_08.36.25


You can search the file by pressing the “/” key and typing the text.  In our case, when looking for the text “acl_apptest”, the editor highlights all instances of the text in the file.

Screenshot-2014-10-09_08.56.45

Then I use the command :%s/acl_apptest/acl_app_in/g to make the changes that I want.  As you can see below, the change is instant and all 21 occurrences are changed at once.

Screenshot-2014-10-09_08.37.10

Screenshot-2014-10-09_08.37.35

Bash Shell Vulnerability called Shellshock

A vulnerability in Unix-based operating systems that use the command interpreter called the Bourne-again shell, or Bash, was discovered last week by an IT engineer named Stephane Chazelas, taking the security world by storm.  The severity of the bug and the widespread use of Bash have led mainstream newspapers such as the BBC, CNN and the Guardian, as well as many prominent security bloggers and researchers, to report on the story.  Social media is also rife with people discussing, commenting, showing concern, and even joking about it.

Bash exists on many operating systems, including embedded ones such as those running on Android phones, Wi-Fi routers, and even TVs, making the vulnerability widespread and possibly the biggest in history.  The simplicity with which the vulnerability can be exploited has given the bug a critical severity, with most vendors advising prompt patching.  If the bug is exploited by attackers, they can gain unauthorized access to information such as passwords and configuration files, or take over the system completely.

This looks like it is going to be a security nightmare for enterprises for many weeks to come as they rush to patch their vulnerable servers before the bad guys get to them.  With that said, it is time for me to go back, do the discovery of this dirty bug, and put in place the remediation strategies for our infrastructure.

Below are some resources on this topic:

Network Security Using TACACS – Part 2

Where to find TACACS+ server?

In the first part of this series, we had a brief introduction to the TACACS protocol and how it helps in centralizing and securing access to network devices.  This post is a continuation: it discusses the options available for implementing TACACS+ and contains an example of how to use one of the free TACACS+ servers to implement the AAA functions we talked about earlier.  In this post I will be using TACACS and TACACS+ interchangeably when referring to the protocol.

TACACS+ can be implemented using commercially available solutions such as Cisco’s widely deployed Access Control Server (ACS) or using freely available open-source implementations.  During my research, I found that there are limited choices when it comes to TACACS+ software, whether commercial or free, compared to other products.  Below I am posting links to some of the sites I have come across for commercial solutions and open source or free implementations.

Commercial

Open Source/ Free

TACACS Demonstration

In this post, I have decided to try TACACS+ from TACACS.net installed on a Windows 7 machine, for the simple reason of its ease of installation and configuration.  The folks at TACACS.net have provided plenty of documentation on just about everything related to the installation and configuration of their software.  I highly recommend reading the guides, especially if advanced configurations are required.

For the client I have used a Cisco 1801 router, since I have one at hand to play with.  The free open-source Cisco simulation software GNS or the virtual router Vyatta can also be used as a client if you can’t find a real router or switch for testing.  Below is a diagram showing the setup I have used for this post.

TACACS Implementation

The steps I have followed are downloading and installing the TACACS server on a Windows 7 machine, configuring the TACACS server, configuring the Cisco 1801 router, testing authentication to the router via the TACACS server, and finally checking the accounting functionality of the TACACS server.  The TACACS users used for this test will be configured locally on the TACACS server, again for the sake of simplicity.

TACACS Installation & Configuration

Installation

The installation of the TACACS server is a straightforward process made easy by an installation wizard.  Clicking through a few steps will get the software installed and ready for configuration.  During the installation, as shown below, we need to specify a pre-shared key that will be used between the TACACS server and the clients.  The purpose of this key is to encrypt the communication channel between the server and the client so that credentials are securely transmitted between the two.
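The pre-shared key is applied the way the TACACS+ specification (RFC 8907, section 4.5) defines: each packet body is XORed with an MD5-derived keystream built from the session id, the key, the version byte and the sequence number. The block below is an added illustration of that scheme, not TACACS.net’s or Cisco’s code; the key, session id and body bytes are constructed values. Because the body’s only protection is this keystream, a weak or widely shared key leaves captured credentials exposed, which is one reason to restrict who can reach port 49, as the post advises later.

```python
import hashlib
import os
import struct

HEADER = struct.Struct("!BBBBII")   # version, type, seq_no, flags, session_id, length
TAC_PLUS_VERSION = 0xC0             # major version 0xC, minor version 0
TAC_PLUS_AUTHEN = 0x01              # authentication packet type
TAC_PLUS_UNENCRYPTED_FLAG = 0x01    # header flag: body sent in the clear


def pseudo_pad(session_id, key, version, seq_no, length):
    """Keystream from RFC 8907 section 4.5:
    MD5_1 = MD5(session_id, key, version, seq_no)
    MD5_n = MD5(session_id, key, version, seq_no, MD5_n-1)
    concatenated and truncated to the body length."""
    prefix = struct.pack("!I", session_id) + key + bytes([version, seq_no])
    pad, prev = b"", b""
    while len(pad) < length:
        prev = hashlib.md5(prefix + prev).digest()
        pad += prev
    return pad[:length]


def obfuscate(body, session_id, key, version, seq_no):
    """XOR the body with the pseudo pad; applying it twice restores the body."""
    pad = pseudo_pad(session_id, key, version, seq_no, len(body))
    return bytes(b ^ p for b, p in zip(body, pad))


def build_packet(ptype, seq_no, session_id, body, key):
    """Frame a body in a TACACS+ packet. An empty key sends the body in the
    clear with TAC_PLUS_UNENCRYPTED_FLAG set, which only a lab should allow."""
    if key:
        flags = 0
        payload = obfuscate(body, session_id, key, TAC_PLUS_VERSION, seq_no)
    else:
        flags, payload = TAC_PLUS_UNENCRYPTED_FLAG, body
    header = HEADER.pack(TAC_PLUS_VERSION, ptype, seq_no, flags, session_id, len(body))
    return header + payload


def parse_packet(packet, key):
    """Return (session_id, seq_no, body), undoing the obfuscation with the
    supplied key. A wrong key yields garbage, not an error: the peer only
    notices because the decoded fields no longer make sense."""
    version, _ptype, seq_no, flags, session_id, length = HEADER.unpack(packet[:HEADER.size])
    payload = packet[HEADER.size:HEADER.size + length]
    if flags & TAC_PLUS_UNENCRYPTED_FLAG:
        return session_id, seq_no, payload
    return session_id, seq_no, obfuscate(payload, session_id, key, version, seq_no)


if __name__ == "__main__":
    key = b"constructed-shared-secret"            # constructed; not the post's real key
    session = int.from_bytes(os.urandom(4), "big")
    body = b"\x01\x00\x02\x01\x05\x00\x00\x08User1"  # constructed body bytes
    packet = build_packet(TAC_PLUS_AUTHEN, 1, session, body, key)
    print("wire bytes differ from body:", packet[HEADER.size:] != body)
    print("round trip restores body:", parse_packet(packet, key)[2] == body)
```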

Screenshot-2014-09-22_10.03.00

After the installation is complete, you can verify that the installation was correct in a couple of ways. One way is to check whether the TACACS service is installed and its status is running. The other way is to open a command prompt and use the “netstat -abn” command to check whether the server has opened TCP port 49 and is listening for connections.

Services-Tacacs

Netstat

Server Configuration

By default, the server is configured to use the localhost IP address 127.0.0.1 of the computer for accepting connections, as shown above. We need to change this so that the server listens on the required IP address. Open the file “tacplus.xml” located in %ALLUSERSPROFILE%\TACACS.net\config\ using Notepad or WordPad, locate the “Local IP” section and change the IP to the real IP address of the server.  For the sake of clarity, I recommend using Notepad++, which has many added features, to open the files mentioned here.  In my setup, the IP address of the server will be 192.168.244.124.  Besides the IP address, there are a number of other options that can be changed in the server configuration, but for the purpose of this post I have kept all other options at their defaults.  After applying and saving the change, the TACACS service needs to be restarted for the change to take effect.  Once you verify with netstat that the IP address you have assigned is listening on TCP port 49, we can test further by using Telnet to connect to that port from the same computer or a different machine.  If you are not able to connect, then you will need to check whether a firewall is blocking the connection.

tacplus config file

Screenshot-2014-09-21_14.54.43

User Configuration

Now that the TACACS server is up and listening for TACACS requests on the IP address we have assigned, we need to configure the users who will be authenticated.  There are a number of ways TACACS user credentials can be configured. The credentials can be configured locally in the configuration file provided by the installation, or they can be pulled from an Active Directory or LDAP server. User accounts on the local system from which the users are connecting can also be used. The configuration file by default also gives users in the local administrators group access as a fallback option, for when a user cannot remember their password or the TACACS server becomes unavailable. For the purpose of this post, we will be using accounts configured locally in the configuration file.  An example of each user type is given within the configuration file.

Open the file named “authentication.xml” under the C:\ProgramData\TACACS.net\config\ directory and add the lines shown in the screenshot below. The easiest way to add the user configuration is to copy the examples found in the file and edit the fields. In this example I copied the example group “Network Engineering” and its associated users, renamed the group to “Net Admins”, and named the two user accounts “User1” and “User2” with a cleartext Login & Enable password of “P@ssw0rd”. We can also insert a DES-encrypted version of the password in the password field for added security.  In a production environment, we need to harden the TACACS server, put it behind a firewall to limit who can connect to it, and ensure the sensitive files are protected and monitored.  If you decide to copy from the examples given, make sure you remove the comment markers of the XML file, which are “<!--” for the beginning and “-->” for the end.

Screenshot-2014-09-18_10.22.16

Testing

TACACS.NET provides two tools for testing your configuration, called Tacverify and Tactest.  Tacverify is used for checking errors in the server configuration files, while Tactest checks whether you can connect to the TACACS server using a set of credentials. They are both found under the TACACS installation folder, which in our example is located at C:\Program Files (x86)\TACACS.net. To list the available options for the tools, we can issue -? with the commands.

Screenshot-2014-09-18_10.37.23

Screenshot-2014-09-18_10.42.05
As shown by the results of the commands above, Tacverify shows our server configuration is okay, and the authentication test done by Tactest was successful.  We should now be ready to configure our clients to use the TACACS server for authentication, authorization, and accounting.

Client Configuration

TACACS configuration on clients differs from one client to another depending on the manufacturer.  For the purposes of this demonstration, we are using a Cisco 1801 router as the client. The commands required for enabling TACACS are shown in the screenshots below.  A TACACS authentication list called “use-tacacs” is configured and applied on the VTY lines of the router.  Also, as mentioned above, we need to specify the TACACS pre-shared key entered at the server.

Screenshot-2014-09-18_11.10.39

Screenshot-2014-09-18_11.10.15

Screenshot-2014-09-18_11.09.36

Authentication Test

Once the configuration of the Cisco router is ready, we can test TACACS authentication. When we connect to the terminal line of the router using PuTTY with one of the users we configured above, we are asked for a TACACS username. After pressing Enter, we are asked for the password of the username just entered. If the username exists in the configuration and the supplied password is valid, the user is granted access to the operational mode of the router. Typing the enable command and entering the enable password configured earlier in the configuration file allows access to the privileged mode of the router.

Screenshot-2014-09-18_11.26.17

Screenshot-2014-09-18_11.26.27

Screenshot-2014-09-18_11.26.38

Screenshot-2014-09-18_11.26.49

Screenshot-2014-09-18_11.27.09

Accounting Test

From the previous post we have learned that the accounting module of TACACS takes care of documenting the TACACS session and what the TACACS users have done.  To test this functionality, a few commands were entered in configuration mode after logging into the client router using the credentials for User1.  As shown below, User1 went into the loopback interface configuration, removed the IP address and shut down the interface.  If no log archiving is configured on the router, then these commands entered by User1 cannot be recalled later.  But thanks to the accounting module of the TACACS server, all commands are captured, as we shall see below.

Screenshot-2014-09-22_12.41.17

The logs for the TACACS.net server are kept in the C:\ProgramData\TACACS.net\Logs folder.  By opening the latest accounting log file we see that the commands entered above have been recorded along with who the user was, the IP address of the user, the IP address of the network device, and the timestamp.  This kind of information becomes very important when troubleshooting an issue or investigating an incident.

Screenshot-2014-09-22_12.43.09

As we have seen from this post, it is relatively easy to install and configure a free TACACS+ server and use it to secure your network devices.  In addition to authenticating users, we have also seen how all commands executed on network devices can be recorded for later investigation.  Furthermore, we can also implement an authorization module which restricts what users can or cannot do once they are authenticated.

Update 1

I have noticed on a couple of occasions that after the installation of Tacacs.net is done, the installed service is not started by default, and clicking on start in Services starts and then immediately stops the service.  After some investigation, I checked the logs in the event viewer and noticed that the service did not start because it encountered some XML errors.  I checked the tacplus.xml file and found there were improperly placed statements.  I fixed the statements and the service started properly.  I found this issue occurs if previous configuration files exist when installing the software.  Just check the error message, which most of the time tells you the line number to go and check where the problem is.


Screenshot-2015-02-15_11.33.29

Screenshot-2015-02-15_11.06.25

Security Onion

SecOnionLogo

I stumbled upon a promising open source tool called Security Onion, managed by Doug Burks (@).  What is so exciting about the tool is that it combines several of the best tools from the open source security community running on the Ubuntu Linux distribution, creating a kind of Security Operations Center that gives you several insights into your network and its behavior.

Security Onion is a tool which combines Intrusion Detection/Prevention System (IDS/IPS), Host Intrusion Detection/Prevention System (HIDS/HIPS), Network Security Monitoring, and Log Management functions into a single system.  It achieves this by including Snort, Suricata, Bro, OSSEC, Sguil, Squert, Snorby, ELSA, Xplico, NetworkMiner, and many other security tools.  It requires a significant amount of time and expertise to configure and optimize all of the previously mentioned tools and integrate them, but Security Onion makes the task easy by removing the complexity involved in the installation and management of the individual tools.  It does that by providing a setup wizard which takes care of all the necessary software and package installation.  Of course, one still needs the expertise and time to manage the system once it is installed and running.

Detailed information on the tool, such as how to get started, network configuration, customization, and tips/tricks, can be found on the Wiki page.  Doug also keeps a blog with detailed instructions and step-by-step guides.  I am very excited to try this excellent combination of security tools to see how I can utilize it to add an additional security layer to our network.
