Thursday, July 30, 2009

TrueCrypt Hacked at Blackhat Conference

If you’ve been following the news today, some 18 year old genius has supposedly hacked TrueCrypt.  After reading how his hack works, I’m not all that concerned.   The attack runs as a shim between the OS and the TrueCrypt interrupt request.  To get that installed on a box you need either physical access or admin rights on the machine…both of these are needed while the machine is running.  Um..sk’use me… but if you give someone admin rights or physical access to your PC while it’s running THEY OWN YOUR BOX ANYHOW!!!!!  Come on guys this isn’t an attack!?!?  It’s somewhat concerning that this code is out there but it seems to me that simple precautions like antivirus, malware protection, XP’s firewall, etc..  all severely limit how effective this attack would be in the real world.

On to some real news….did you see that the project manager for CentOS is MIA?  That concerns me more than this hack…

Monday, July 27, 2009

Take your Linux Server’s Temperature

If you are running server class hardware, or any box whose ACPI firmware exposes a thermal zone (the zone name, THM0 here, varies by vendor and there may be more than one), you can read the temperature of your CPU with the following command:

cat /proc/acpi/thermal_zone/THM0/temperature
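As an added example (not from the original post), here is a small shell script that reads the temperature from either the legacy /proc/acpi interface used above or the /sys/class/thermal interface that replaced it on later kernels, and checks the reading against a limit. The file paths are the standard kernel ones; the sample readings in the comments are constructed.

```shell
# Added example: read an ACPI thermal zone through either kernel interface
# and compare it against a limit. Not part of the original post.

# read_temp_c FILE -> prints the reading in whole degrees C
# Legacy /proc/acpi/thermal_zone/*/temperature lines look like
#   "temperature:             45 C"            (constructed sample)
# while /sys/class/thermal/thermal_zone*/temp holds millidegrees, e.g. "45000".
read_temp_c() {
    line=$(head -n 1 "$1") || return 1
    case $line in
        temperature:*)           # legacy ACPI proc format: second field is degrees C
            set -- $line
            echo "$2" ;;
        '' | *[!0-9]*)           # empty or neither format: refuse to guess
            echo "unrecognised reading in $1: '$line'" >&2
            return 1 ;;
        *)                       # sysfs: millidegrees, so divide down
            echo $(( line / 1000 )) ;;
    esac
}

# find_temp_file -> prints the first readable thermal zone file on this host
find_temp_file() {
    for f in /proc/acpi/thermal_zone/*/temperature /sys/class/thermal/thermal_zone*/temp; do
        if [ -r "$f" ]; then
            echo "$f"
            return 0
        fi
    done
    return 1
}

# temp_over FILE LIMIT -> exit 0 if the reading exceeds LIMIT degrees C,
# 1 if it does not, 2 if the file could not be parsed
temp_over() {
    t=$(read_temp_c "$1") || return 2
    [ "$t" -gt "$2" ]
}

# Usage: print the reading on this host, if either interface is present
if f=$(find_temp_file); then
    echo "$f: $(read_temp_c "$f") C"
else
    echo "no ACPI thermal interface found" >&2
fi
```

Drop `temp_over` into a cron job with a sensible limit and you have a crude high-temperature alarm that works regardless of which kernel generation the box is running.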

Open Source Based Penetration Testing

I did some work this weekend involving some penetration testing. I used a LiveCD called BackTrack (which is Ubuntu based).   It comes loaded with a ton of tools and really makes it easy to do some pretty intensive testing.   I won’t go into the details on what all I tested, but suffice it to say this will be added to my “must have” live CD collection, which includes:

  • Knoppix – pretty much the standard in LiveCDs
  • Damn Small Linux – used for quick access to stuff while on other people’s systems
  • pfsense – Built in sniffer makes this a really easy remote tool to use for grabbing traces. 
  • gparted live– Used for partition management
  • SystemRescueCD – Great little system rescue tool
  • Darik’s Boot and Nuke (DBAN) – Easily erase hard drives
  • SMART – Data forensics (Used to love Helix but now you gotta pay for it. )
  • CloneZilla – Disk cloning at its best.

How ‘bout you?  Got Tools?  What’s your fav?

Monday, July 20, 2009

Open Source Software in Production

I was talking to a friend on the phone today about Open Source Software.  He was wondering what stuff I actually use in production.  I figured I’d take a minute and document the stuff that I personally use and we as a Firm use.  Here’s the list I came up with after a few minutes. I’m sure we use more…this is just the stuff I could think of:

nagios
cacti
pfsense
syslogd
phplogcon
wireshark
nmap
mediawiki
apache
php
FireFox
TrueCrypt
putty
FileZilla
FileTransfer Device
greenshot
VLC
UltraVNC
UltraVNC SC
7Zip
Audacity
NotePad++
WinSCP
Snare
Alfresco
OpenOffice
MySQL
PHPMyAdmin
OpenVPN
Password Safe
IPTables
OSSEC
Logwatch
PDFCreator
Blat!

We are pretty much standardized on CentOS as our distro of choice.  I won’t get too religious on the reasons why other than to say the decision was made based upon cost, performance, security and what is built into the kernel as far as drivers go.  The two commercial apps we run on CentOS are CommVault (media agents) and Kayako SupportSuite.

So there you have it.

Friday, July 17, 2009

Open Source Forensics

I used to really like the Helix package for forensic purposes.  Unfortunately, they are now charging for that software so I’ve had to look for alternatives.   So far I’ve found two:  PlainSight and SMART.  I’ve played with SMART in the past and liked it a lot, but it didn’t have all the features of Helix.    PlainSight looks decent too, but not quite where I’d like it to be.  I guess we just gotta wait a bit longer to find a decent replacement.  Have you found any Open Source forensic tools you like better?  Hit me up in the comments…

Friday, July 10, 2009

Attention Printer Manufacturers

<Begin Rant>

You guys kill me…you really do.  You’ve been in the market longer than the PC manufacturers and you still fail to look around and learn a lesson about how the market works.  Printers have become one of the two evils in IT (printing and email).  Here is what your customer base wants…do these things and you’ll become the market leader:

  • Design a “line” of printers that all use the same damn toner cartridge.  I only want to stock and buy 1 type of toner cartridge.  Save your money on the manufacturing end and design a universal print cartridge that works in a family of printers and stick with the damn thing when new models come out.  Ok…why is this so damn important?  Here’s why
      • It saves time ordering new product. We as the customer don’t have to cross reference printer models just to find out which damn toner cartridge we need to take upstairs to a printer.  It also saves on those ones we ordered that were wrong and we now have to send back.
      • It saves money.  We don’t have to stock cartridges for each model so we need less storage space.  Heck for shelf life issues alone (yes toner does have a shelf life) it would be more efficient.
      • It saves the environment. As printers age, those extra cartridges that were never used get tossed. If we can just upgrade the printer to the next model and it uses standard toner we are good to go.
      • You save time.  Questions about which model customers should buy are gone. Less phone calls. (Nobody wants to speak to Abu in India about printers anyhow.)
      • You save money.  Less manufacturing costs.  Think Ford’s assembly line.  One car, one model, one color….
      • You save more money.  Less items to stock, less warehouse space needed.
      • You cut out the aftermarket guy.  Since all the costs come down, there’s little margin for the aftermarket guy.  Starve them out by designing them out.
  • Design a line of printers that all work with the same print driver. OH THE HORROR!!!! Yes. Printer drivers haven’t been reliable since HP had the HPIII.  At that point all printers were made compatible with that driver and everyone was happy.  Forget compatibility….unify the driver.  It’s less for you to test and prove and it’s easier for the customer to load everywhere.
  • Have a thin driver for each model. We could really give a shit about another systray icon eating up system resources just to tell us we are almost out of toner.  Use regular logging (eventlog in Windows and syslog in Unix)…we are looking there already on a daily basis.
  • Build in cost recovery and authentication features.  As one of the remaining hard costs associated with printing, help us keep track of it so we can charge the right people.  It helps us justify buying that bigger printer for those people that need it.
  • Have the printer phone home when something dies and send us parts automatically if we have a support contract.  Take a lesson from Data Domain on this one.  They’ve got it right.
  • Build in reporting.  The web interfaces are ok, but what I want is a print detail report each month showing total pages printed and how much it changed from last month.  Keep a running graph of monthly/weekly/yearly usage.
  • Don’t build a tabletop printer that can’t hold at least one ream of paper.  Seriously, why is this so hard?
  • Use universal parts for as many components as you can in a printer family.  Power supplies, paper trays, heck even fusers should be portable across a family line of printers.  I’ll pay extra for a printer that I can use for spare parts later.
  • Be honest about the actual life cycle of a printer. When I buy a printer I want to know how many pages it’s going to print in its lifetime.  Figure it out and tell me.  That helps me develop my ROI.

That’s it for now….but I’m sure I could think of more if I had time.  Printers are nothing but a pain in the ass right now and your service stinks…all of you.  Fix it already.

</End Rant>

Wednesday, July 08, 2009

VLC 1.0.0 is out

VLC is one of my favorite Open Source tools.  It's a media player that comes with a ton of codecs and features.  It's been particularly useful to me playing video streams, capturing stills from video files and converting videos from one format to another.  It's a very cool and useful tool that should be in everyone's toolbox.

Enjoy...

Wednesday, July 01, 2009

Basic pfsense to pfsense IPSEC tunnel config

Part of my security redesign this year is to replace our aging Cisco PIX boxes with pfsense.  Yesterday I spent the day setting up a simulated environment for 3 of our offices over an Internet connection.  I was able to get the IPSEC tunnel up and running between two pfsense boxes pretty quickly.  Here’s a quick and dirty process for getting it all to work:

Site 1:  Outside IP: 200.200.200.201/29
           Outside Gateway:  200.200.200.202
           Inside subnet: 192.168.1.0/24

Site 2:  Outside IP: 100.100.100.100/29
           Outside Gateway:  100.100.100.101
           Inside subnet: 192.168.2.0/24

Note: I assume everything is wired correctly and there is a router which will provide connectivity between 200.200.200.202/29 and 100.100.100.101/29.  Also, if you are faking Internet addresses like I am above, be sure they aren’t in the bogon list that pfsense uses.  Otherwise you’ll have to remove the bogon firewall rules on the WAN interface.


Step 1: Install pfsense and set local IP’s on both firewalls.

Step 2: Logon to the web interface for pfsense on each box and assign the WAN addresses.

Step 3: Enable IPSEC (VPN->IPSEC->Enable IPSec). Do this on both firewalls.

Step 4: On Site 1’s firewall add a tunnel to Site 2, changing only the following items from their defaults:
* Remote Subnet:  192.168.2.0/24
* Remote Gateway: 100.100.100.100
* Phase 1 Lifetime: 28800
* PreShared Key:  thisisasecretdon’ttell  (use a long random string in production; it has to be identical on both ends)
* PFS Key Group: 2
* Phase 2 Lifetime: 3600

Now hit the save button

Step 5: On Site 2’s firewall add a tunnel to Site 1, changing only the following items from their defaults (the remote subnet and gateway are the mirror image of Step 4; everything else must match exactly):
* Remote Subnet:  192.168.1.0/24
* Remote Gateway: 200.200.200.201
* Phase 1 Lifetime: 28800
* PreShared Key:  thisisasecretdon’ttell
* PFS Key Group: 2
* Phase 2 Lifetime: 3600

Now hit the save button

Step 6: Be sure to “Apply Changes” when prompted on each firewall.

NOTE: SEE COMMENTS…STEP 7 IS NOT NEEDED.  When IPsec is enabled, pfsense adds the WAN rules that let IKE (UDP/500), NAT-T (UDP/4500) and ESP reach the firewall on its own, unless you have turned off the auto-added VPN rules under System->Advanced.  The step is left here so you know what has to be allowed in if you ever create those rules by hand.

Step 7: Allow ESP (IP protocol 50) and ISAKMP (UDP/500) with Firewall rules so that IPSEC can pass.  Firewall->Rules: WAN Tab.  Note that ESP and AH are IP protocols (50 and 51), not TCP ports; a rule for TCP port 51 will never match IPsec traffic.
Rule 1
* Source IP: Any
* Destination IP: WAN Address
* Protocol: ESP
* Port: none (ESP has no port numbers)
   Hit Save
Rule 2
* Source IP: Any
* Destination IP: WAN Address
* Protocol: UDP
* Port:500 (isakmp)
   Hit Save

Do this on both firewalls and Apply Changes when prompted

Step 8: Allow all traffic to pass through the IPSEC tunnel.  Firewall->Rules : IPSEC Tab
Rule 1
* Source IP: Any
* Destination IP: Any
* Protocol: Any
* Port Range: Any
   Hit Save

Do this on both firewalls and Apply Changes when prompted

That’s pretty much it.  You should now be able to ping the inside interface of each firewall from the other with the ping diagnostic tool; pick LAN as the source interface so the packet comes from the inside subnet and actually matches the tunnel (a ping sourced from the WAN address never enters it).  From here you can further restrict traffic with firewall rules as needed.
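As an added example (my own script, not part of pfsense), here is a POSIX shell check for a pair of tunnel definitions like the two above. It catches the mistakes that most often produce a tunnel that negotiates but passes no traffic: overlapping inside subnets, remote subnets that do not mirror the other site’s LAN, and pre-shared keys that differ. The site values are the ones from this post; the 20 character PSK length threshold is my own choice.

```shell
# Added example: sanity-check a pair of pfsense site-to-site IPsec definitions
# before typing them into the GUI. Not pfsense code; site values are from the post.

# ip2int A.B.C.D -> the address as an integer
ip2int() {
    set -- $(printf '%s' "$1" | tr '.' ' ')
    echo $(( ($1 << 24) | ($2 << 16) | ($3 << 8) | $4 ))
}

# cidr_range A.B.C.D/N -> "first last" addresses of the prefix as integers
# (a bare address is treated as a /32)
cidr_range() {
    case $1 in
        */*) ip=${1%/*}; bits=${1#*/} ;;
        *)   ip=$1; bits=32 ;;
    esac
    size=$(( 1 << (32 - bits) ))
    net=$(( $(ip2int "$ip") & ~(size - 1) ))
    echo "$net $(( net + size - 1 ))"
}

# cidr_overlap A B -> exit 0 if the two prefixes share at least one address
cidr_overlap() {
    set -- $(cidr_range "$1") $(cidr_range "$2")
    [ "$1" -le "$4" ] && [ "$3" -le "$2" ]
}

# same_cidr A B -> exit 0 if both strings describe the same prefix
same_cidr() {
    [ "$(cidr_range "$1")" = "$(cidr_range "$2")" ]
}

# check_sites SITE1_LAN SITE1_REMOTE SITE2_LAN SITE2_REMOTE PSK1 PSK2
# Prints every problem found; returns 0 only if the pair is consistent.
check_sites() {
    l1=$1 r1=$2 l2=$3 r2=$4 psk1=$5 psk2=$6
    rc=0
    # Overlapping LANs: phase 2 may come up, but routing at each end never
    # sends the traffic into the tunnel.
    if cidr_overlap "$l1" "$l2"; then
        echo "ERROR: inside subnets $l1 and $l2 overlap; renumber one site"
        rc=1
    fi
    # Each side's remote subnet must be exactly the other side's LAN,
    # otherwise the phase 2 selectors do not match and negotiation fails.
    same_cidr "$r1" "$l2" || { echo "ERROR: site 1 remote subnet $r1 is not site 2's LAN $l2"; rc=1; }
    same_cidr "$r2" "$l1" || { echo "ERROR: site 2 remote subnet $r2 is not site 1's LAN $l1"; rc=1; }
    # IKE compares the PSK byte for byte; a one character difference shows up
    # only as a phase 1 authentication failure in the IPsec log.
    [ "$psk1" = "$psk2" ] || { echo "ERROR: pre-shared keys differ"; rc=1; }
    [ ${#psk1} -ge 20 ] || echo "WARN: pre-shared key is shorter than 20 characters (assumed minimum)"
    return $rc
}

# Usage with the post's two sites
if check_sites 192.168.1.0/24 192.168.2.0/24 192.168.2.0/24 192.168.1.0/24 \
               "thisisasecretdon'ttell" "thisisasecretdon'ttell"; then
    echo "tunnel definitions are consistent"
fi
```

The overlap test is the one worth keeping around: two offices that both grew up on 192.168.1.0/24 is the classic reason a site-to-site tunnel shows as established yet nothing gets through, and no amount of staring at the IPsec log will reveal it.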

If something goes wrong, use the Status-> System Logs to check out what is going on both on the firewall and on the IPSec tabs.  Note that any firewall denies for the IPSEC interface appear as enc0 as the interface on the Firewall tab of System Logs.

Enjoy!