Monday, December 9, 2013

SYNTAX Application Security Report

I am very proud to announce the publication of the SYNTAX IT Group Application Security Report (ASR)!
The Application Security Report is an annual SYNTAX publication that summarizes the vulnerabilities discovered on application security engagements and provides insight into current web and mobile application vulnerabilities.
As the primary author of this publication, I would like to thank my team and my colleagues for their help and support.
You can download the report by following this link:

Sunday, December 8, 2013

Fine-tuning SpamAssassin and Citadel

This is a follow-up to my previous post: RPi Home Mail Server Project.

Unfortunately there is little documentation on the configuration needed to integrate the open source spam filter SpamAssassin with the Citadel mail server.

First, install SpamAssassin and the spampd proxy:
> apt-get update
> apt-get install spamassassin spampd

The spam proxy daemon (spampd) acts as an incoming MTA: it accepts mail, runs it through SpamAssassin and then forwards it to the real mail server. By default, spampd listens on port 10025 and, after scanning, connects to port 10026.

With this architecture, your firewall should forward incoming SMTP and SMTPS connections to spampd on port 10025 (the simplest way is a port forwarding rule), and spampd in turn hands the scanned mail to the Citadel mail server on port 25.

To achieve this, edit /etc/default/spampd and change the value of DESTPORT from 10026 to 25.
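As an added example (not from the original post), a small POSIX shell script that applies the DESTPORT change to a constructed copy of /etc/default/spampd and then checks that the resulting settings describe the chain firewall -> spampd:10025 -> SpamAssassin -> Citadel:25. It assumes the defaults file uses the KEY=value lines LISTENPORT, LISTENHOST and DESTPORT that spampd's init script reads; the sample file content is constructed.

```shell
#!/bin/sh
# Added example: edit /etc/default/spampd for the Citadel setup and verify the result.
# Runs against a constructed copy of the file, so no root is needed to try it.
set -eu

# set_default FILE KEY VALUE: replace an existing KEY=... line or append one.
# A temp file plus mv is used instead of sed -i so the script works with any sed.
set_default() {
    file=$1; key=$2; value=$3
    tmp="${file}.tmp"
    if grep -q "^${key}=" "$file"; then
        sed "s|^${key}=.*|${key}=${value}|" "$file" > "$tmp"
    else
        { cat "$file"; printf '%s=%s\n' "$key" "$value"; } > "$tmp"
    fi
    mv "$tmp" "$file"
}

# get_default FILE KEY: print KEY's value (last assignment wins, as in the shell),
# with surrounding quotes removed; empty if the key is absent.
get_default() {
    sed -n "s/^${2}=//p" "$1" | tail -n 1 | tr -d "\"'"
}

# check_chain FILE: succeed only when the file describes
#   firewall -> spampd:10025 -> SpamAssassin -> Citadel:25
# and say what is wrong otherwise, so it can run as a post-install check.
check_chain() {
    listen=$(get_default "$1" LISTENPORT)
    dest=$(get_default "$1" DESTPORT)
    host=$(get_default "$1" LISTENHOST)
    if [ "$dest" != "25" ]; then
        echo "DESTPORT=$dest: spampd would relay to port $dest, but Citadel accepts mail on 25"
        return 1
    fi
    if [ "$listen" != "10025" ]; then
        echo "LISTENPORT=$listen: the firewall rule forwards SMTP to port 10025"
        return 1
    fi
    case "$host" in
        127.*|localhost)
            echo "note: LISTENHOST=$host; a connection forwarded to the RPi's LAN address cannot reach a loopback-only listener" ;;
    esac
    echo "ok: firewall -> spampd:$listen -> Citadel:$dest"
}

# Constructed sample of /etc/default/spampd as shipped (DESTPORT still 10026).
SAMPLE=$(mktemp)
trap 'rm -f "$SAMPLE" "$SAMPLE.tmp"' EXIT
cat > "$SAMPLE" <<'EOF'
# constructed sample, not the real /etc/default/spampd
LISTENPORT=10025
LISTENHOST=127.0.0.1
DESTPORT=10026
EOF

# The change the post describes, followed by the check.
set_default "$SAMPLE" DESTPORT 25
check_chain "$SAMPLE"
```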

And you are done! Enjoy!

Monday, August 26, 2013

RPi Home Mail Server Project

It has been a while since I last updated my blog. I am quite happy to write another article regarding my latest project: my own mail server based on my Raspberry Pi.

The reason is quite simple: since Google, Microsoft, or whatever provider, considers that it has the right to read my emails, the only way to "revoke" this right is to stop using those providers' services. However, bear in mind that putting an email server in your internal network poses a great risk, and you should be aware of the means to mitigate those risks (implementing a DMZ, VLANs, buying firewalls, etc.). Those means cost money, of course.

After researching the most appropriate software for home (and RPi) use, I chose Citadel. I haven't tested it under extreme circumstances yet.

In order to configure Citadel you can use this very useful tutorial:
http://www.ducky-pond.com/posts/2012/Jul/installing-citadel-on-rpi/

Citadel offers integration with ClamAV, an open source antivirus, and SpamAssassin, an open source antispam filter.

ClamAV

Unfortunately the Citadel website offers only a high-level configuration guide for both ClamAV and SpamAssassin. As a consequence we have to dive a little deeper to make them work together.

We can install ClamAV by issuing the following commands:

> apt-get install clamav-daemon
> apt-get install clamav

Make sure the following lines are present in /etc/clamav/clamd.conf, so that clamd accepts scan requests on a TCP socket bound to the loopback address:

TCPSocket 3310
TCPAddr 127.0.0.1

Make sure the ClamAV daemon is running:
> /etc/init.d/clamav-daemon start

Then, add the localhost address on Citadel's administration page as described in the guide.
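Added example (not from the original post or the Citadel project): a POSIX shell check that reads the relevant options from a clamd.conf and prints the host:port to enter on Citadel's administration page, failing if clamd is not bound to a loopback TCP socket. The clamd.conf excerpt is constructed.

```shell
#!/bin/sh
# Added example: confirm clamd.conf exposes the scanner only on a loopback TCP socket
# and print the address Citadel should use. Runs against a constructed sample config.
set -eu

# clamd_option FILE KEY: value of a "Key value" option; comment lines ("#Key ...")
# never match because their first field is not the bare key. Last occurrence wins.
clamd_option() {
    awk -v key="$2" '$1 == key { print $2 }' "$1" | tail -n 1
}

# citadel_clamav_target FILE: print host:port for Citadel, or explain on stderr and fail.
citadel_clamav_target() {
    port=$(clamd_option "$1" TCPSocket)
    addr=$(clamd_option "$1" TCPAddr)
    if [ -z "$port" ]; then
        echo "TCPSocket not set: clamd only listens on its Unix socket, so Citadel cannot reach it" >&2
        return 1
    fi
    if [ -z "$addr" ]; then
        # Without TCPAddr, clamd binds the TCP socket on every interface (INADDR_ANY).
        echo "TCPAddr not set: clamd would accept scan requests from the whole network" >&2
        return 1
    fi
    case "$addr" in
        127.*|::1) ;;
        *) echo "TCPAddr=$addr: the scanner would be reachable from the network" >&2; return 1 ;;
    esac
    echo "${addr}:${port}"
}

# Constructed excerpt of /etc/clamav/clamd.conf with the two lines the post requires.
SAMPLE=$(mktemp)
trap 'rm -f "$SAMPLE"' EXIT
cat > "$SAMPLE" <<'EOF'
# constructed excerpt, not the real /etc/clamav/clamd.conf
LocalSocket /var/run/clamav/clamd.ctl
#TCPSocket 3310
TCPSocket 3310
TCPAddr 127.0.0.1
MaxThreads 12
EOF

citadel_clamav_target "$SAMPLE"
```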

SpamAssassin

Install SpamAssassin by issuing the following commands:
> apt-get install spampd
> apt-get install spamassassin

Make sure you reconfigure the listening address and port for SpamAssassin (I searched for a configuration file but didn't find one, so I include the following workaround).

Edit the /etc/init.d/spampd script and locate the following lines:

[ -n "${LISTENPORT}" ] && ARGS="${ARGS} --port=${LISTENPORT}"
[ -n "${LISTENHOST}" ] && ARGS="${ARGS} --host=${LISTENHOST}"

Change them to the following:

[ -n "${LISTENPORT}" ] && ARGS="${ARGS} --port=783"
[ -n "${LISTENHOST}" ] && ARGS="${ARGS} --host=127.0.0.1"

SpamAssassin must listen on port 783 in order to cooperate with Citadel.

Now the only thing left is to configure your domain name and MX records so that you can send and receive email.

Last but not least, consider using PGP keys in order to communicate safely. Bear in mind that email is transmitted in plaintext: anyone suitably positioned on the Internet (ISPs, network administrators, etc.) can intercept and read your emails.

Enjoy your email service!

Wednesday, June 26, 2013

Why you should not buy an iPhone 5

Following Apple's announcement of the new iOS, I think this is the most suitable time to publish this post; a post explaining why you should not buy an iPhone 5!
Although I am a fan (was?) of Apple devices, I have owned an iPhone 5 for two months and I have already regretted the purchase. Because there is no hope with Apple's support, even if you have spent a fortune buying this "device", I prefer sharing my experience rather than contacting Apple.
Below I sum up the main reasons why you should not buy an iPhone 5:

  • Scratches

The iPhone 5 is more fragile than a Bohemian vase. I had an iPhone 4 for 2 years; it had some "deep" dives to the ground but no scratches. On the other hand, the iPhone 5 looks like somebody hit it with a hammer...

  • "No service"
Another innovation by Apple. It is 2013 and we have bought smartphones (iPhones, I mean) that can do everything, but they cannot place or receive a call. While I am not doing anything, even with my 3G connectivity OFF, the iPhone drops the connection with the carrier. So simple. And I am asking: if I bring this to the attention of Apple's support, will they respond? And why would they? Many other people with the same issue haven't received any help.
  • Wifi
It's the longest-standing issue of the iPhone, I think, since its birth. It either disconnects or does not connect at all; wifi could be considered a missing feature since you cannot rely on it. Maybe Apple's marketing has done a great job of getting promoted by carriers and promoting the use of 3G instead of wifi.
  • Regional Settings
I decided to switch my phone to the English language and keep the Greek regional settings (for example km instead of mi). But you cannot do that! Even if you choose the English language with regional settings based on the metric system, you WILL get the British metric system. It simply makes no sense.

So if you decide to buy an iPhone 5 after this post, and numerous others, good luck! :D

Thursday, May 2, 2013

Luring the Bots for Fun!

Project Introduction

These days I am hosting a custom honeypot based on the Metasploitable VM. Unfortunately I didn't have the time to build a new one from scratch, so I based it on the Metasploitable VM. Initially, I wanted to capture all the wordlists hosted on the machines that targeted me. Secondly, I wanted to make a statistical analysis of the regions that attack the most. Obviously, a honeypot situated in Greece wouldn't be a good statistical sample; however, after a month of the honeypot's "production" state I have gathered very interesting data which I would like to share (apart from the wordlists!).

Honeypot Services

The first service built to lure the bots is SSH. This has given me a very interesting amount of data and wordlists from the brute force attacks. The SSH service by default does not log any failed login attempts. That's why I had to download the SSH source code and recompile it so that the SSH daemon would log every failed logon attempt. The altered source code (auth_passwd.c) can be found here.
The second service is HTTP. I wanted to lure any bots or blackhats (script kiddies, to be more accurate, because no serious blackhat would want to hack a useless site!) who would try to hack a web application. I uploaded to the Apache server a PHP project I had written during my first degree, which is full of vulnerabilities (in the 3rd semester no one had given me an introduction to web application security, I admit it!). In order to log the attacks I installed and configured ModSecurity as I have described in a previous article (later I found that ModSecurity can be linked with online honeypot projects! Just google it!). Unfortunately, the HTTP service has not faced any attack attempt yet, so this part of the project did not go well!...

Attacking Hosts by Region

Below is a graph of the number of attacks and the regions they came from!

I am sure you had imagined that China would win the race easily!


Conclusion

In the near future I am looking to add more services to my honeypot, so stay tuned for future posts!
And remember: the bots are out there! (like the X-Files motto? :p)

Sunday, March 17, 2013

Kali Linux on Raspberry Pi

I finally found some time and installed Kali Linux, the BackTrack successor, on my Raspberry Pi!
Here is the screenshot:

Below, I will provide the high-level steps to install and configure Kali Linux on your RP!

"Ingredients" :p
  • Raspberry Pi, 256MB RAM
  • 16GB SD card Class 10

High level steps:
  1. Download the Kali Linux image from here.
  2. Write it to the SD card following the instructions provided by the Kali website or by the Raspberry Pi website.
  3. Change your root password. Note that SSH is enabled by default, so theoretically you will not need to plug in an HDMI monitor.
  4. Expand the partition to fill all the SD card space. Because I am a little bit lazy, I used the raspi-config script with success!
Kali seems to run flawlessly so far. In the following weeks I am going to test more features of Kali and see how I can take advantage of the flexibility provided by the Raspberry Pi!

So stay tuned! :)

Tuesday, March 12, 2013

Building a pentest Lab

Introduction

For educational purposes, a penetration test lab is always necessary. I needed one for a relevant project, so I think it could be useful for colleagues and for security researchers in general to publish my experience in building a penetration test lab. I have used vulnerable Linux images which are publicly available over the Internet. However, the main subject of this post is how to build a vulnerable Windows machine (it would not be too difficult if I had decided to just leave it unpatched! :p).
Last but not least, I will go through the common cliché and suggest you run all this vulnerable software in NAT mode; don't leave these security holes running in your local network with Internet access!


Prerequisites

First of all, we will need virtualization software. I have used VMware Player, which is free and covers my needs for this post. The images used are the following:
  • Backtrack 5 R3, available here.
  • Metasploitable v2, available here.
  • OWASP Broken Web Applications image, available here.
  • Windows XP SP3 (should be installed from scratch)

What else? Topology!

Below you can see the network topology of my pentest lab. I have taken the liberty of watermarking my pictures in order to protect myself from plagiarists.

Building a Vulnerable Windows Machine

First of all we will need a Windows XP machine. It could be fully patched or not; we will not focus on Windows vulnerabilities but on vulnerabilities in software installed on the Windows machine.
Below is the software and the relevant exploit I used in order to build this vulnerable Windows machine:
  • Java 7 Update 2, exploitable by this Metasploit module.
  • Hacme Bank vulnerable web application, available here.
  • EasyFTP server, versions 1.7.0.11 and earlier, exploitable by multiple Metasploit modules (use search easyftp in msfconsole)
Regarding the other VMs in my topology, there are plenty of good articles on exploiting the vulnerabilities residing on them.

Conclusion - TBC

I realise that this list is short, but I will come back with updates, as my goal is to create a vulnerable Windows machine which is very close to reality and educational at the same time.
 


Friday, February 8, 2013

Me, My Raspberry Pi and I

In this post, I would like to share my Raspberry Pi experiment. I don't want to write another "How to do <this> with Raspberry Pi" post, but instead share my experience. First of all:

What is Raspberry Pi?

From Raspberry Pi's FAQ:
The Raspberry Pi is a credit-card sized computer that plugs into your TV and a keyboard. It’s a capable little PC which can be used for many of the things that your desktop PC does, like spreadsheets, word-processing and games. It also plays high-definition video. We want to see it being used by kids all over the world to learn programming.

Raspberry Pi and I

I totally agree with the FAQ's definition! And I would recommend all parents who are PC "aware" to buy an RP for their children!
My history with the RP is quite long! I had been thinking of buying an RP for a long time. But I have a drawback (apart from the numerous advantages of my character! :P); if I want something badly, I want it right away! Therefore, I wanted to buy an RP and didn't want to wait about 3 weeks, so I ordered from eBay. Unfortunately, I had bad luck. I ordered on Friday and on Saturday (as far as I can remember) it was announced that new RP releases would come with 512MB RAM instead of 256MB. All customers who had ordered from the authorized resellers would get the 512MB version without any extra cost. But I had ordered from eBay!... So, no luck!... Nevertheless, I didn't get disappointed.

My "Project Plan"

My experiment with RP was to create a RP to host the following:
  • VPN server
  • Torrent downloader
  • TOR proxy
  • Syslog
  • Dropbox uploader
  • File Server
  • (I hope the list will grow!)

Getting Started

I will skip the first steps because they are well documented on the RP site here!
Initially I had an 8GB SD card but unfortunately it was declared dead.... So, I bought a 16GB SD card, class 10! :)

First steps

I will start with the classics. Change the default password and, through raspi-config, extend the file system to occupy the whole SD card and enable SSH. You will need it at some point!
One of the classic security basics is to change your password! Through raspi-config, change the timezone and the keyboard. Another way to set the keyboard layout is to edit /etc/default/keyboard and set XKBLAYOUT to "us".


Update your RP

In order to keep my RP distro up to date I used rpi-update. You can get it as follows:
> sudo apt-get install git-core
Then fetch the rpi-update script from https://github.com/Hexxeh/rpi-update
Copy it to a cron directory according to your needs (I have copied it to cron.weekly, for example).

VPN Server

I have set up a VPN server in order to connect to websites & services over unsecured WiFi. I have used this useful guide to set it up!


Torrent Box

I use the BitTornado client. Generally, you can use apt-get to install your preferred torrent client. Here you can find a guide for installing Transmission on your RP!


TOR Proxy

The Tor project is an open network which you can use in order to tunnel your requests through many proxies all over the Internet. The purpose of the project is to provide its users with anonymity. Here you can find information regarding the Tor project.
The installation on my RP was quite simple. Issue the command:
> apt-get install tor
and your RP is hosting your Tor proxy. Now you must alter the proxy settings in your browser in order to route all your requests through Tor. A very nice Firefox add-on is QuickProxy!


Syslog

I also use the syslog service of my RP to gather all the logs from my network devices. You have to uncomment the following lines in /etc/rsyslog.conf:
$ModLoad imudp
$UDPServerRun 514
and instruct the network devices to use your RP as a syslog server!


Dropbox uploader

One of my first thoughts with the RP was to upload files to Dropbox through it in order to take advantage of the RP's low power consumption. Moreover, it won't be necessary to have my MacBook powered on in order to upload large files!
I found a useful Bash script which uploads files to Dropbox. It's very useful and easy to install and use! You can find it here.


File Server

My RP is always ON! So why not share some files? For example some photos? So, I created a user, installed Samba and voilà; my photos are shared on my home network. I used the following sequence:
# Install samba
> apt-get install samba samba-common-bin
# Create a user
> adduser <username>
# Set the user's samba password
> smbpasswd -a <username>
# Add the following lines to /etc/samba/smb.conf:
[Photos]
comment = Photos Folder
path = <path here>
writable = no
guest ok = no
# Restart the Samba service
> /etc/init.d/samba restart

Now the path entered in smb.conf is shared over the network!

Iptables

Last but not least, you need to set up a firewall. iptables is a fine solution. If your RP is exposed to the Internet, it would be wise to configure iptables. Here are some of the fine guides I used to write my iptables rules:

http://www.cyberciti.biz/tips/linux-iptables-examples.html
http://www.garron.me/linux/iptables-manual.html
http://www.thegeekstuff.com/2011/06/iptables-rules-examples/
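As an added example (my own, not from the post or any of the linked guides), a POSIX shell script that generates an iptables-restore ruleset covering the services this post sets up on the RP: SSH, the rsyslog UDP receiver on 514 and the Samba share, all restricted to the home LAN, with everything else logged and dropped. The LAN range 192.168.1.0/24 is an assumption; the script only writes the ruleset to a file for review and does not load it.

```shell
#!/bin/sh
# Added example: produce a reviewable iptables-restore ruleset for the RP's services.
# Assumptions: SSH on 22/tcp, rsyslog imudp on 514/udp, Samba on 137-139 and 445,
# and the home LAN given as the first argument (default 192.168.1.0/24).
set -eu

# rpi_rules LAN_CIDR: print a complete filter table with a default-drop INPUT policy.
rpi_rules() {
    lan=$1
    cat <<EOF
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
# Loopback, and replies to connections the RP opened itself.
-A INPUT -i lo -j ACCEPT
-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
-A INPUT -m conntrack --ctstate INVALID -j DROP
# SSH from the LAN only, with new connections rate-limited to slow down brute forcing.
-A INPUT -p tcp --dport 22 -s ${lan} -m conntrack --ctstate NEW -m limit --limit 6/min --limit-burst 6 -j ACCEPT
# Syslog collector: only the network devices on the LAN may send to rsyslog's imudp.
-A INPUT -p udp --dport 514 -s ${lan} -j ACCEPT
# Samba photo share, LAN only.
-A INPUT -p udp --dport 137:138 -s ${lan} -j ACCEPT
-A INPUT -p tcp --dport 139 -s ${lan} -j ACCEPT
-A INPUT -p tcp --dport 445 -s ${lan} -j ACCEPT
# Everything else is logged (rate-limited) and then dropped by the INPUT policy.
-A INPUT -m limit --limit 5/min -j LOG --log-prefix "rpi-fw-drop: " --log-level 4
COMMIT
EOF
}

# unrestricted_accepts LAN_CIDR: ACCEPT rules that carry no source restriction, for review
# before loading. Only the loopback and established-traffic rules should ever appear here.
unrestricted_accepts() {
    rpi_rules "$1" | grep -- '-j ACCEPT' | grep -v -- ' -s ' \
        | grep -v -- '-i lo' | grep -v ESTABLISHED || true
}

LAN=${1:-192.168.1.0/24}
OUT=$(mktemp)
rpi_rules "$LAN" > "$OUT"
echo "ruleset for $LAN written to $OUT; review it, then load with: iptables-restore < $OUT"
if [ -n "$(unrestricted_accepts "$LAN")" ]; then
    echo "warning: some ACCEPT rules are open to any source" >&2
fi
```

Rules loaded with iptables-restore do not survive a reboot; on Raspbian the iptables-persistent package reloads /etc/iptables/rules.v4 at boot, so copy the reviewed file there.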

Sum-up

My adventure with the RP does not end here. I experiment a lot with my RP and currently I am working on the Kali Linux on RP project, so stay tuned!

Further Reading

  1. Raspberry Pi FAQ
  2. Buy Raspberry Pi from Farnell or RS.
  3. RPi Tutorials list.

Tuesday, February 5, 2013

Intellectual Property and Code of Ethics 001

As you may have noticed, I have watermarked every picture embedded in my blog posts. I had a recent plagiarism incident where my whole post was copied and integrated into somebody's blog, and there was no citation apart from a link at the end of that blog post.
I would like to mention in this post that the information I write on my blog is free for everyone to share. But the original source of this information should be mentioned, following academic ethics. I am sure that the majority of infosec professionals have had an academic education and have therefore written some kind of dissertation according to an official rule set. For example, in my MSc we had the following rules.
After a long search over the Internet I found a document under the name "Data Citation Best Practice Discussion Document", which can be found here.
It is a nice reference for all of us who use references in our blog posts and don't copy them without respecting the work of our colleagues.
I am open to discussing this subject and, of course, eager to hear any different point of view.

Friday, February 1, 2013

CISSP Study Notes

It has been a while since I passed my CISSP exam. I don't think an introduction is needed to describe the CISSP exam; it is well known how important it is for an Information Security professional.
Because of some "tidiness projects" I have taken on in my house, I found my lost CISSP study material! However, my notes were a little damaged in their upper parts, but they are still readable.
I decided to "digitize" them and share them with the Information Security community. My main study resource was Shon Harris' All-in-One Exam Guide (an all-time classic!) and therefore any page reference found in my notes refers to this book.
Please note that, as with all personal notes, my notes are not perfect. What is more, they focus on the domains I needed (or wanted?) to focus on more. There will surely be mistakes in them too! So I don't want to call this a disclaimer, but use at your own risk! :P
I suggest you use them, if you wish, as auxiliary material, and of course I need your feedback! If there is a mistake or any kind of misinterpretation in them, I would be grateful if you could share it with me.
 
Good luck with your exams!
 

Tuesday, January 15, 2013

Data Loss Prevention: A competitive advantage for today's businesses

First of all I would like to wish all my readers a happy new year! I wish you all the best, and may 2013 be a landmark year for mankind!

After a couple of weeks of work, I have finally managed to publish the following article! I wanted to write about security solutions from a different perspective; I would like to step away from the strictly technical view and present them from management's point of view. Therefore, this post deals with the role of Data Loss Prevention (DLP) in Information Security Management (ISM) and how DLP solutions help with Risk Management and IT Compliance.

Introduction

Key terms: 
  • What is Data Loss Prevention? 
  • What is Information Security Management? 
  • What is Risk Management?

From ancient times, information has been one of the most, or perhaps the most, valuable things one can possess. Its significance can be judged by the way and the care with which people have handled it over the years. Wars can have a different outcome simply through the possession of some valuable information. Nowadays, the nature of information has changed and has become more digitized than ever. Credit cards, health records, nuclear missile launch codes, military schematics and promising technical patents are some examples of how the nature of information has changed. Moreover, the methods of stealing such information have changed as well; from gangsters with guns entering a store to steal physical, tangible objects, to people sitting in front of a computer with an Internet connection. Therefore, the attack vector has changed. It has become more complicated and larger than it used to be. Some years ago, a couple of locks, a big fence and a large cement wall were sufficient to keep your information safe. By contrast, these days you need hardware and a hypervisor with a couple of virtual machines running sophisticated security software in order to provide surveillance of the whole infrastructure from different security perspectives, such as data leakage prevention, encryption, anti-virus protection, etc.
Information security is a necessity for all organizations nowadays, not just because they have to comply with industry standards, but because of the need to protect their information, their assets and their infrastructure. Investing in the right policies and procedures is the equivalent of health insurance; you pay a very small percentage in order to prevent a bigger loss in the near future.

During my research for a definition of Data Loss Prevention (DLP), I found numerous entries defining DLP as a "system" or "software". But I would like to present a different definition and point of view for DLP: I could say that DLP is a strategy, a mentality. DLP is a complete plan for preventing sensitive information from leaving the corporate network. It should not be just a DLP software solution; all deployed IT solutions should cooperate in order to implement a DLP strategy and mentality in our organisation. For example, endpoint protection software, email gateways and endpoint encryption software can all work, along with the DLP solution, to enforce the organisation's policy on preventing data leakage.

The next key term is Information Security Management, which is a superset of Information Risk Management. According to the Wikipedia article [1]:

"Information security management (ISM) describes controls that an organization needs to implement to ensure that it is sensibly managing these risks."
Information Risk Management (IRM) is an integral part of Information Security Management. One of my favourite definitions is the following:
"Information Risk Management is the process of identifying and assessing risk, reducing it to an acceptable level, and implementing the right mechanisms to maintain that level". [2]

Let's break down and explain the above key terms in detail.

Overview of DLP solution

Without contradicting my previous statement that DLP is more than a software solution, and a mentality that should be implemented at many points of our infrastructure and cultivated among employees, I would like to present the architecture of a DLP solution and its key features with a top-down approach.
DLP solutions are designed to provide the following features:

  • Manage
DLP is managed through a user-friendly but very detailed web interface. Through that interface numerous functions are offered, such as administration, view-only access, approval functions for releasing information, etc. Policies are configured and fine-tuned through this interface as well.
  • Discover
This key feature discovers the sensitive information: with the expertise of the consultants implementing the solution and with the help of management and the IT department, the sensitive information is found and classified by the DLP.
  • Monitor
The Monitor feature tracks the flow of the sensitive information. It monitors the information in any format, protocol or port.
  • Protect / Prevent
This is the last phase of DLP, when the policies are enforced. The prevention policies are enforced on every boundary of your corporate network: email, web, instant messaging, etc.

Below you can see a very simplistic diagram of a DLP implementation:

In this simplistic implementation, the key roles are assigned as follows:

  • Network Monitor: Monitors the flow of the sensitive data.
  • Network Prevent: Enforces the policies applied.
  • Endpoint Discover: Discovers sensitive data on endpoints (laptops, desktops).
  • Endpoint Prevent: Detects and prevents sensitive data from leaving the endpoint.


Dealing with the Risk 

What is at stake?

As I mentioned at the beginning of my article, it's all about information; sensitive information. Therefore, its loss could cause massive damage to a business. It could range from the loss of credit card data (failing to comply with industry standards, for example) to an industrial patent. Industrial espionage attempts are also common nowadays. Moreover, disgruntled employees are also a risk. In many countries, labour law mandates that an employee has to be warned some days/months in advance if he is about to be fired. Those employees can be a potential risk to a business because they might leak sensitive data they handle in order to harm the organisation that is firing them. DLP implementations address those risks.
What is more, in large organisations DLP helps identify business processes that leak confidential data. For example, a secretary sending a corporate document to her Gmail account in order to work from her home computer. These practices and behaviours are monitored, identified and addressed by DLP implementations.
Last but not least, a DLP solution could help implement ISM procedures and policies throughout the organisation and provide management with the necessary data regarding internal (and, where applicable, external) compliance policies.

Achieving Compliance through DLP

For many industry standards, information leakage prevention is a requirement in order to get certified and comply with them.
Let's take an example: PCI DSS is one of the most common standards in the banking industry.
"The keystone is the PCI Data Security Standard (PCI DSS), which provides an actionable framework for developing a robust payment card data security process -- including prevention, detection and appropriate reaction to security incidents." [3]
Below, I have gathered a sample of PCI DSS requirements that a DLP helps to meet:

  • 3.5: Protect cryptographic keys used for encryption of cardholder data against both disclosure and misuse.
  • 4.2: Never send unencrypted PANs by email.
  • 6.3.4: Production data (live PANs) are not used for testing and development.
  • 7.1: Limit access to system components and cardholder data to only those individuals whose job requires such access.
  • 10: Track and monitor all access to network resources and cardholder data.

It is apparent, therefore, that a DLP not only manages the risk arising from handling sensitive information but also helps the organisation comply with many industry standards.

Conclusion

With this article, I wanted to present the DLP solution and highlight its benefits for management.
I am looking forward to your comments! Thank you!

References

1. Wikipedia, Information security management
2. All in One CISSP, Shon Harris
3. PCI SSC Data Security Standards Overview