18 October 2011

Silence on the wire

The problem with many security books is that they simply list a series of attacks against vulnerabilities in systems services. What happens to these books is that they lose validity as patches appear for vulnerabilities  explained, so that when book reach printers actually is outdated. 

But there are others who choose to be more conceptual and describe the risks caused by the designs rather than implementations. These books are much more didactic and useful to delve into the nature of the protocols and systems. Besides, its effect is much longer because the problems of an standard remains until the advent of the following standard (think for example in system security issues WEP). Silence on the wire belongs to this second set of books.

In it, author Michal Zalewski made a study of passive recognition techniques and indirect attacks on a fairly eclectic way, covering topics ranging from the deduction of passwords based on the timing of keystrokes, the parasitic use of processing power of entire networks of computers without permission from their owners, and other interesting topics like the use of the same network infrastructure as a means of hidden and anonymous mass storage, among others. Some of the chapters are strongly speculative and at first glance may seem hardly feasible but the truth is that they are all vectors of attack rarely  noticed and they serve as demonstration that until the last bit in the system design can be used by an attacker to compromise motivated enough. Other chapters in this book were before author's papers very well received in the Net for its innovative approach and the risk of alerting, as is the case of his study of implementations of pseudorandom number generators (PRGN) of most widely used operating systems, which used a mathematical transformation that allowed spatially represent the values ​​that were taking these generators and thus show that many of them drew statistically predictable values.

For all the above and more this is an excellent book should be indispensable in the library of any student of computer security warning that reading this book presupposes knowledge already acquired about networks and protocols such  that can be obtained through Kurose & Ross , Tanenbaum or Stallings . 

17 October 2011

Timestamps falsification

I recently had to do forensic analysis of a server in my organization who had suffered an intrusion.

The input vector was evident as soon as I crossed a few words with the administrator of the machine ... again, a huge investment in security infrastructure had been wasted by an administrator who had gone from our recommendations and had used a dictionary word as his password. The attack had been classic. The logs registered a brute force attack, followed finally by "logins" from other countries' IP addresses. Soon I located in a hidden directory a package of tools for network scanning and brute force attacks. As far as we know, it did not seem attackers had time to use the compromised server as a bridge to our network.

At that point, we decided to format server, reinstall, patch, limiting the maximum services running and make sure we put a trustfull password manager ... and we set our IDS/IPS thresholds starker.

Nothing out of the routine ... and that was what made me think on the possibility that all that might not have been more than a decoy. Everything was so clear since the administrator told his too-easy password that when I found the hidden folder and did a search of timestamps "too actual" in the system (unsuccessfully) I made no further investigation (other things urged). The problem is that the "timestamps" or modification timestamps of the files are not unreliable. Despite this, many programs such as forensics Autopsy / SleuthKit uses the timestamps of files to develop timelines that allow calls to trace changes made ​​will the intruder. In the case of attack that I had to investigate, timestamp trail was clear. However, as I think about that coldly, that clear trail denoted whether that the attacker was very careless or very cunning because he left a false trail to let my follow it. As we could not be sure so be decided to format server.

Forging the time stamp of a file is not difficult. For example, if you create a file, it will time stamp the date and time of our server at that time. Each time you modify the file timestamp is updated to the date and time the modification is made. Given that many of the files on a server remain unchanged for long periods of time their time stamps are usually very old, so a recent modification by an intruder often calls our attention. However, if the attacker is careful to use the command touch to get your old time stamp to all files that you modified. Here is an example, suppose you create a test file:

@ dante dante-desktop: ~ / test $ echo test> test.txt
@ dante dante-desktop: ~ / test $ ls-l test.txt
-Rw-r - r - 1 7 01/03/2008 6:18 dante dante test.txt

After a few minutes we modify the file you just created:

@ dante dante-desktop: ~ / test $ echo test2>> test.txt
@ dante dante-desktop: ~ / test $ ls -l test.txt
-Rw-r - r - 1 dante dante test.txt 15 01/03/2008 6:22 

As you can see, the time stamp has been updated. An easy way to hide this update wold be using touch command:

@ dante dante-desktop: ~ / test $ touch -t 03010618 test.txt
@ dante dante-desktop: ~ / test $ ls -l test.txt
-Rw-r - r - 1 dante dante test.txt 15 01/03/2008 6:18

This functionality is easily integrated into scripts that allow restoring directory timestamps integers. As a demonstration of it I developed  TSpoofer , a tool made ​​in python that allows you to collect timestamps of files and directories which  hang from a specified directory. This tool can be used afterwards to restore the marks of time previous to modifications making harder to forensics to create their timelines.

As you can see, it is very easy to falsify the time stamps of files thus negating the usefulness of the timelines of forensic tools. You will need to bear this in mind when doing forensics: timelines help but only with careless attackers.

Update of March 19, 2008 -> Something great of computer security is that you are always learning new things. In that sense I have found that using a "ls-l" is only a very superficial way to check the modification timestamp of a file, since it only shows the mtime of the inode. I mean, the timestamps consist of 3 components: mtime, atime and ctime. The mtime check the date and time of the last write to the file, atime last reading of the file and ctime last change of the file. We must take into account a very common confusion, in which I include myself until today, which many believe ctime corresponds to creation-time when it actually refers, at least in linux, to change-time. What is the difference between mtime and ctime? that ctime is a superset of mtime, I mean when mtime is updated so it happens with ctime, but there are times when ctime is updated but mtime not. This occurs in cases where the file is updated but not their contents, for example by changing the permissions associated with the file.
As a demonstration we will perform the same tests as before but this time using the find command to display the timestamps.

@ dante dante-desktop: ~ / test $ date
Wed Mar 19 13:53:23 CET 2008
@ dante dante-desktop: ~ / test $ echo test> test.txt
@ dante dante-desktop: ~ / test $ find. /-printf "% m,% Ax,% AT;% Tx,% TT,% Cx,% CT,% U,% U,% G,% s,% p \ n "| grep test.txt
644, 19/03/08, 13:53:27, 19/03/08, 13:53:27, 19/03/08, 13:53:27, 1000, 1000, 1000, 7,. / Test. txt
Because we can see the timestamp find complete, the first triple (date, time) correspond to the atime, mtime and the second to the third to ctime.

@ dante dante-desktop: ~ / test $ echo test2>> test.txt
@ dante dante-desktop: ~ / test $ find. /-printf "% m,% Ax,% AT;% Tx,% TT,% Cx,% CT,% U,% U,% G,% s,% p \ n "| grep test.txt
644, 19/03/08, 13:53:27, 19/03/08, 14:00:14, 19/03/08, 14:00:14, 1000, 1000, 1000, 15,. / Test. txt 

You can view the atime remains the same as I have not read the file but entered data in it, but both the mtime and the atime has been updated after file writing.

@ dante dante-desktop: ~ / test $ chmod 666. / test.txt
@ dante dante-desktop: ~ / test $ find. /-printf "% m,% Ax,% AT;% Tx,% TT,% Cx,% CT,% U,% U,% G,% s,% p \ n "| grep test.txt
666, 19/03/08, 13:53:27, 19/03/08, 14:00:14, 19/03/08, 14:08:05, 1000, 1000, 1000, 15,. / Test. txt

This test demonstrates the difference between mtime and ctime. We have changed the file to alter its permissions, which is recorded in the ctime, but as this change is not supposed to write data to file the mtime remains unchanged. Hence the difference of 8 seconds that appears between the mtime and ctime.

Remains to be seen what will happen when using the touch command.

@ dante dante-desktop: ~ / test $ echo test3>> test.txt
@ dante dante-desktop: ~ / test $ find. /-printf "% m,% Ax,% AT;% Tx,% TT,% Cx,% CT,% U,% U,% G,% s,% p \ n "| grep test.txt
666, 19/03/08, 13:53:27, 19/03/08, 14:14:56, 19/03/08, 14:14:56, 1000, 1000, 1000, 23,. / Test. txt
@ dante dante-desktop: ~ / test $ touch -t 03081400.14. / test.txt
@ dante dante-desktop: ~ / test $ find. /-printf "% m,% Ax,% AT;% Tx,% TT,% Cx,% CT,% U,% U,% G,% s,% p \ n "| grep test.txt
666, 08/03/08, 14:00:14, 08/03/08, 14:00:14, 19/03/08, 14:18:43, 1000, 1000, 1000, 23,. / Test. txt 

It seems that "touch -t" modifies both the atime and mtime. To correct the atime we used "touch -a -t".

@ dante dante-desktop: ~ / test $ touch -a -t 03081353.27. / test.txt
@ dante dante-desktop: ~ / test $ find. /-printf "% m,% Ax,% AT;% Tx,% TT,% Cx,% CT,% U,% U,% G,% s,% p \ n "| grep test.txt
666, 08/03/08, 13:53:27, 08/03/08, 14:00:14, 19/03/08, 14:21:00, 1000, 1000, 1000, 23,. / Test. txt
@ dante dante-desktop: ~ / test $ ls-l. / test.txt
-Rw-rw-rw-1 dante dante 23 08/03/2008 14:00. / Test.txt 

The problem is that touch does not have any possibility to change the ctime.Using this tool, an attacker can trick an administrator who is limited to reviewing your file system with a "ls-l" but not a more conscientious to use findor "ls -l - time = ctime".

Should we declare victory? ... not yet. While an attacker would not be having to cover their tracks touch itself could use a low-level tool called debugfs (for ext2/ext3 systems, but for reiserfs systems we have debugfs.reiser4) to modify the ctime of the file. This tool requires root privileges, and it is very delicate since a failure can corrupt the entire file table. Besides, this tool is more difficult to integrate into a script and, as far as I know, you need to restart the system to apply the changes if these are done on a live filesystem. Its use is as follows:

@ dante dante-desktop: ~ / test $ ls-li
total 28
96 984-rw-rw-rw-1 dante dante 23 08/03/2008 14:00 test.txt
@ dante dante-desktop: ~ / test $ sudo debugfs-w / dev/sda1
debugfs 1.40.2 (12-Jul-2007)
debugfs: mi <96984>
Mode [0100666]
User ID [1000]
Group ID [1000]
Size [23]
Creation time [1205932874] 1204981214
Modification time [1204981214]
Access time [1204980807]
Deletion time [0]
Link count [1]
Block count high [0]
Block count [8]
File flags [0x0]
Generation [0x4091865b]
File acl [0]
High 32bits of size [0]
Fragment address [0]
Direct Block # 0 [204803]
Direct Block # 1 [0]
Direct Block # 2 [0]
Direct Block # 3 [0]
Direct Block # 4 [0]
Direct Block # 5 [0]
Direct Block # 6 [0]
Direct Block # 7 [0]
Direct Block # 8 [0]
Direct Block # 9 [0]
Direct Block # 10 [0]
Direct Block # 11 [0]
Indirect Block [0]
Double Indirect Block [0]
Triple Indirect Block [0]
debugfs: close
debugfs: quit
@ dante dante-desktop: ~ / test $ f ind. /-printf "% m,% Ax,% AT;% Tx,% TT,% Cx,% CT,% U,% U,% G,% s; % p \ n "| grep test.txt
666, 08/03/08, 13:53:27, 08/03/08, 14:00:14, 19/03/08, 14:21:00, 1000, 1000, 1000, 23,. / Test. txt
@ dante dante-desktop: ~ / test $ sudo shutdown-r now
Broadcast of messages from @ dante dante-desktop
(/ Dev/pts/0) at 17:10 ...

The system will shut down for reboot NOW!
@ dante dante-desktop: ~ / test $ find. /-printf "% m,% Ax,% AT;% Tx,% TT,% Cx,% CT,% U,% U,% G,% s,% p \ n "| grep test.txt
666, 08/03/08, 13:53:27, 08/03/08, 14:00:14, 08/03/08, 14:00:14, 1000, 1000, 1000, 23,. / Test. txt
It is notable that a tool like debugfs also confuses the meaning of ctime and ask for the "Creation Time", but as mentioned it is a common mistake (think what sense would be having a creation time mark that changes with each modification the file). Anyway, as you can see, now that has changed the value of ctime completely, erasing tracks left in the timestamps ... 

14 October 2011


Local security management of computers organization can be rather expensive. Some organizations are constantly launching new systems, either for use as a work PC or server. In theory, the IT Security Department should oversee the creation and configuration of these new teams, but in practice these departments are often overworked and lack of personnel available to assign to this task. This is where comes in the use of scripts to ensure proper computer setup before passing it into production. The department of IT Security passes these scripts to Systems Department to apply them just before the start of production of the equipment. This will automate the task and gains in efficiency.

A design option is proram these scripts ourselves, the other is not reinventing the wheel and use what others have created. In this sense Bastille is one of the most recognized. Throughout this article we will explain its use.

If your operating system is Ubuntu Bastille installation is extremely simple install it since it is included in the default repositories of this distribution: 

@ dante dante-desktop: ~ $ sudo aptitude search bastille
[Sudo] password for dante:
c bastille - Security hardening tool
@ dante dante-desktop: ~ $ sudo aptitude show bastille
Package: bastille
Status: not installed
Version: 1:2.1.1-13
Priority: Optional
Section: universe / admin
Developer: Ubuntu MOTU Developers 
Uncompressed Size: 1544k
Depends: perl5, libcurses-perl
Recommends: whois, psad, bind9-host | host
Suggests: acct, perl-tk (> = 1:800.011) | libgtk-perl
It conflicts with: libcurses-widgets-perl
Description: Security hardening tool
Bastille Linux is a security hardening program for GNU / Linux. Increase the security of it the system by disabling services Either (If They are not NECESSARY) or by Altering
Their configuration.

If run in the (recommended) Interactive mode, Bastille educates the administrator During The hardening process: In Each step of the process, Extensive descriptions are Given
of what security issues are Involved. Each step is optional. If run in The Quick Automated mode, Bastille Hardens the system according the profile chosen.

Bastille Linux works for Linux Several distributions. This Has Been package specifically modified to work for Debian GNU / Linux.

Homepage: http://www.bastille-linux.org/

@ dante dante-desktop: ~ $ sudo aptitude install bastille
Be installed following NEW packages:
libbit bastille-vector-perl-perl libcarp-clan-perl libcurses libata-calc-perl-perl libnetwork-ipv4addr-syslog-perl libunix whois psad
0 upgraded, 9 newly installed, 0 to remove and 107 not upgraded.
0B/1355kB need to download files. After unpacking 6697kB will be used.
Do you want to continue? [Y / n /?] And
@ dante dante-desktop: ~ $

Once installed, you can run Bastille. It is recommended to run in interactive mode, so that the program will go by a series of questions to ascertain the use to which it intends to give the computer. Depending on the answers, Bastille configures the computer as secure as possible. These questions will be formulated through a simple ncurses-based interface and therefore easily viewable through an ssh session. With Bastille, IT Security just hast to give Systems Department a simple checklist with answers to each configuration step to let Bastille installed.

Bastille includes a detailed explanation next to each question with the cause of the issue and what will be done in terms of the response. Next we are going to overview main Bastille installation steps:
  1. Would you like to set more restrictive permissions on the administration utilities? [N] ---> Useful on machines with multiple user accounts. There are utilities that, in general, are only executed by the administrator of the machine but by default regular users have access to them, at least part of their functionality (why does the user need to implement management tools such as top or ifconfig ?). To avoid possible security problems that this could lead, Bastille can change the permissions of the above applications in order to ensure that only the administrator can perform. If you are the only user of the machine does not make sense to enable this option. If you have other users accessing it (eg to upload files to your web folders) it would be interesting to add this option.
  2. Would you like to disable SUID status for mount / umount? [Y] ---> In general, programs that have the SUID attribute are very dangerous because although they can be invoked by normal users run with root privileges. This does not entail any risk if these programs were limited to doing what they were designed, the problem is that it is relatively common to discover bugs in these applications that allow "fake" to do things with root privileges. If you say yes to this question Bastille will ensure that the command mount / umount can only be executed by those who know the root password, thus reducing the risk exposure of the team.
  3. Would you like to disable SUID status for ping? [Y] ---> Same as above.
  4. Would you like to disable SUID status for at? [Y] ---> Same as above.
  5. Should Bastille disable clear-text r-protocols that use IP-based authentication? [Y] ---> The so-called r-tools are a set of utilities for remote management of computers. The problem with them is they dont use encryption to exchange data and IP addresses for authentication. This lack of confidentiality and ease to spoof source IP addresses have made people move from the use of r-tools to safer alternatives.
  6. Would you like to enforce password aging? [Y] ---> Enables a time of password expiration of 180 days. Before you spend that time the user is prompted to change your password. If the deadline arrives and the user has not changed your password the account will be blocked until the administrator re-activates it.
  7. Would you like to restrict the use of cron to administrative accounts? [Y] ---> There are certain attacks that can take advantage of the ability of users to use cron tool to launch deferred tasks on a schedule determined. If users do not need to launch scheduled tasks, it is best to let Bastille restrict the use of cron so that is only available for the administrator. 
  8. Do you want to set the default umask? [Y] ---> The umask is the default permissions that you put the files you create. It is best to let it set Bastille to a safe value.
  9. What umask would you like to set for users on the system?[077] ---> Continued from previous question, the best option is to use 077 so as to ensure both the confidentiality of our records as data integrity by preventing anyone but the owner can either read or write about them .
  10. Should we disallow root login on all ttys? [N] ---> This option is extremely useful for computers that can be accessed via SSH without limitation as to the source IP, because they are often victims of dictionary attacks from Internet bots. These bots prove first root account, ubiquitous in all Unix / Linux. However if this option is enabled, Bastille will ensure that the only way to access the root is connect to a normal user account and then doing "su -". The advantage is that this way the bot is forced to discover not only a password, but also the name of the registered user able to connect. The best thing therefore is to enable this option.
  11. Would you like to password-protect the GRUB prompt? [N] ---> If an attacker has physical access to the computer can get a root console rebooting computer and passing certain parameters to GRUB. To avoid this, it is best to enable this option so that even if you can restart the computer and boot normally you would have to provide a password before being allowed to pass parameter to GRUB.
  12. Would you like to disable CTRL-ALT-DELETE rebooting? [N] ---> This sequence allows a user with physical access to the machine to boot it. At first sight it might be interesting to tell Bastille to disable this keyboard sequence. But problem is that an intruder who has access to local keyboard has access to electrical plug too. So he is going to reboot computer anyway but you have to ponder if you frefer him reboot computer cleanly with control-alt-del or violently unplugging computer (so its hard drives cold be severely damaged). The Bastille itself do not recommend disabling this keyboard sequence.
  13. Would you like to password protect single-user mode? [Y] ---> single-user mode is supposed to be used by root in emergencies so that he can access system without password. It is a type of access that is used in cases of emergency, such as when you do not remember the root password... Clearly, this is a double-edged sword that can allow unauthorized access to the system. Enabling this option will avoid this situation Bastille asking for password to access this ... but beware: do not forget your root password or you wont be able retrieve it!.
  14. Would you like to set to default-deny on TCP Wrappers and xinetd? [N] ---> inetd services are allowed by default. If this option is enabled, Bastille changes the settings so that is a denied by default.
  15. Should Bastille Ensure the telnet service does not run on this system? [And] ---> The telnet service is obsolete and pose a serious risk to the safety of the system because it transmits data in clear. It is recommended to use SSH access to the console instead of telnet.
  16. Should ensure inetd's FTP Bastille service does not run on this system? [And] ---> What I said about telnet service is equally valid for FTP.In this case it is best to replace it with SCP or SFTP.
  17. Would you like to display "Authorized Use" messages at log-in time? [Y] ---> This option will enable a message that appears at the beginning of console sessions. This message warns you that you are accessing a restricted and that any not allowed access may be prosecuted by law. Then you can edit the message to fit properly to what Legal Department advises.
  18. Who is responsible for granting authorization to keep my machine? ---> This one question is related to the last one we explained. In this case we indentify user responsible for authorizing the different accesses to computer.
  19. Would you like to disable the gcc compiler? [N] ---> Activating this option will prevent that you can use the C compiler in this computer. That will make life much harder for those intruders who gain access to the system and want download the source code of attack tools to compile in-situ. Furthermore, to disable the C compiler should not be a problem on computers, such as perimeter firewalls, in which there is no plan to make any kind of development.
  20. Would you like to put limits on system resource usage? [N] ---> Set some limits on the number of processes and memory used by user in order to avoid denial of service attacks.
  21. Should we restrict console access to a small group of user accounts? [N] ---> This is to deny access to the console except for a select group of accounts.
  22. Would you like to add additional logging? [Y] ---> Configure your computer to increase the number of log sources and to display some of them in the terminals 7 and 8 (accessible via Alt + F7 and F8, respectively).
  23. Would you like to disable printing? [N] ---> If your computer has not a printer, leaving the printer daemon enabled is leaving a door opened to disaster.
  24. Would you like to install TMPDIR / TMP scripts? [N] ---> Activating this option, Bastille will install some scripts in the accounts of users to configure the variables TMPDIR and TMP directories so that use of temporary files will be completely individual, instead of everyone using the / tmp which can be extremely dangerous in multi-user environments.
  25. Would you like to run the packet filtering script? [N] ---> Enable native Linux firewall. Activating it is safer but note that you need to configure locally (if you dont want to remotely "cut your hands down") either through the command line or through the GUI accordingly. So you must think about it twice before switching it. 
  26. Are you finished answering the questions, ie may we make changes? ---> And finally we come to the end. If you are really sure of the settings specified before, answer Yes to apply changes to your system.

12 October 2011

Hardware keyloggers

Often, heavy investments in systems or antiviral art firewall divert attention from the need to ensure proper physical security of equipment.

People feel safe behind these systems and miss the most elementary precautions. If it is difficult to get them used to lock their computer screens when they leave their desks, it is usually impossible to convince them to close and lock the door to leave the office even when you try to go one minute to the bathroom.

However, even the exposure of a PC to a single minute without supervision may constitute a serious setback for the security of the system ... For example, installing a hardware keylogger only requires 20 seconds of time.

These keyloggers are sold as a way to back up what you type, but it is also true that pose a very simple way for an intruder to "damn" our keyboard.

These devices are placed between the keyboard and plug the PC female from there capturing every keystroke you make. Its small size and the fact that the keyboard connection usually left out of the user's view makes these devices to easily pass unnoticed. Do you watch every day behind your PC tower to make sure you have not installed a keylogger?.

It takes one careless user to install a keylogger and another to retrieve it. Once this is done the owner of the keylogger can use a password to decrypt the contents of captured keystrokes. This content can be really long as the memory of some keyloggers can reach up to 2 MB, more than enough to store the keystrokes of a victim the time period necessary to achieve all of your usernames and passwords.

There are different models with different capabilities and functionalities. The house Keyghost are models only for PS / 2 but have a wide variety of storage sizes to choose from. The house KEYKatcher models include both PS / 2 to USB while it is true that lack of options with storage capacities between. In both cases the price range between 100 and 300 dollars.

Using antivirus as entrance vector

Houses with their antivirus products promise a panacea to the risks to the security of our systems. However, antivirus, like any human endeavor, can suffer from errors that serve as vectors of attack for someone with enough knowledge to do so. An example is the following email, sent to the list of security incidents, focus on 13 February:
On the 4th of February I posted an message asking a few questions About a possible mail server compromise [1] I had a Few Good responses and lots of offers for help, Some Of These messages lead to the discovery Indirectly What Really Happened of. [...] Here is what we discovered we Correlated When all logs, traces, events and upstream data. That left the data the mailserver - Were mails - wait ... The Way They are not supposed to leave, what left our WHERE mailserver gigabytes of mails, no time to Go Through Each of Them .. But we supposed Nearly all of our stored emails we Were commitments. Since we use qmail and exchange as well as corporate mx mail this server How Could Have Happened? Düring analysis of the event log, we saw Several event entries Indicating the AV scanner crashed multiple times DURING Several hours Before the first huge batch of traffic left the mail server. Nothing spectacular you Might Say, This Happens from time to time, though Rarely. This lead us to the notion to use the Simply Anti-Virus scanner to rescan the complete in box of all accounts, and Then it hit us, Suddenly There Were Being Initiated Requests outbound. What tried to These Initiate Requests? The Anti-Virus scans scanner.We reran the Several times at one particular file and the scanner started acting weirdly. What we discovered an exploit WAS Against the AV scanner That Was When It triggered scanned the attachment to this particular email ... The Threat That Was not we Anticipated.
We had allowed the Anti-Virus scanner to get the updates from the Allowing Internet access to the internet it of course ... This Was the way the data got out. I am not sure That It Would Have help if the Would Have Been Pushed updates Internally, After all the exchange That sends email server somehow get out to the internet, I guess the way to get out Would Have Been a bit harder just for the attacker.
Obviously, such incidents are omitted by advertising houses antivirus developers but it is essential to have them in mind when making a proper risk assessment. In general, any antiviral product is free from faults, but some suffer more than others: