openssl and Signatures

A checksum can be used to determine if a file has been tampered with at a later date.  To run a checksum use the following command:
openssl dgst -HASHTYPE path_to_file
HASHTYPE would then be md2, md4, md5, mdc2, rmd160, sha or sha1.  Let’s go ahead and do a checksum of our smb.conf file:
openssl dgst -md5 /var/db/smb.conf
You should then see output similar to the following:
MD5(/var/db/smb.conf)= e4b58a63c6682b298aeca3ad40734c1e
MD5(/var/db/smb.conf)= e4b58a63c6682b298aeca3ad40734c1e

WAF: Web Application Firewall

Web Application Firewalls, or WAFs, are firewalls for web application.  They monitor web traffic and decide whether to allow or deny specific requests.  IIS web servers (OWA), Apache, WebObjects, Lasso and other web servers will likely end up working with them, although I’ve only tested IIS and Apache at this point.

Internet Security 101

I originally posted this at “We’re not a high profile target.” We’ve heard it countless times before, but that argument just doesn’t hold up any more. There are malicious applications out there that scan entire chunks of the internet for computers that are vulnerable to specific attacks. Most small businesses hold the position that because they are not a “high profile target”, such attacks do not represent a threat to them. In terms of modern security, the attitude of “We’re not NASA, and therefore our information is not confidential enough to protect”, just doesn’t hold up. The security attacks described in this article are sometimes less about your competition covertly gaining access to your trade secrets or client/job data, and more about random entities exploiting your precious technology resources. In addition to stealing confidential data, Internet hacks can compromise the performance of your technology assets with Bots and other Spyware as well as use up most if not all of your Internet bandwidth. all of these potential symptoms cost business in lost productivity and the direct costs of having to resolve these performance issues. No device that’s open to the web’s protocols is secure Nearly every router and firewall, from consumer grade to professional grade has the option to create what is called a Demilitarized Zone, or a DMZ. DMZs offer the ability to quickly split an Internet connection to many computers while still moving all incoming traffic into a specific computer. Often, the standard setup is to DMZ a server in a small office that has one server. This is especially common when this server is being used for multiple purposes (such as a web server, FTP server, mail server, etc.). Each one of these services uses a specific port to differentiate incoming requests. For example, web traffic typically uses port 80. When selecting ports coming into a network, it is important to remember that the less traffic that comes into a network, the better. However, when using DMZ, all ports are open, giving attackers a virtually limitless amount of ports to scan, infiltrate, and exploit. Selectively granting access is now a must. Attackers are also using Google to find unsecured stations that accidentally get crawled (a book on hacking with Google was just released ). If one of your systems is compromised by a hacker and used to launch an attack on another computer, then those victims have every right to sue you for damages in court. Another excuse that doesn’t hold up any more is, “It’s a Mac, and they’re secure.” It’s true that Mac OS X has been labeled the “most secure” OS on the market. However, the MOST secure doesn’t mean FULLY secure. Macs are going to become higher profile targets in that more and more attacks can be launched from them, even if there are still fewer people attacking them than Windows. Since nothing that’s open to the web is secure and most every business relies on open connections to the Internet to remain competitive, Three18 recommends that our clients keep as many copies of everything important in as many locations as they can, as well as having routine security audits and port scans. Rotating redundant offsite backup solutions are critical. The best way to protect your data is to back it up. When evaluating the costs, ask yourself how much money one day’s data is worth to your company. A week? A month? An hour? Then, make decisions on how often to back up based on the backup cost vs. the cost to recreate the data. Protecting your assets requires a plan for both your perimeter and your data as well as your technology assets. Now having said all of this, the real cost of security is inconvenience. The rule of thumb is that the more security is applied to an environment, proportionally the less convenient access to that environment becomes. More often than not, the cost of 100% security is too high for two reasons: it limits the convenient access of a company’s data both internally and remotely, which often is required to support a company’s business logic as applied to technology; and it simply costs too much money to implement. The best analogy is that of the homeowner who chooses to get an alarm system and put high quality locks on all the doors of his/her home, but opts to leave all of the windows on the home’s first floor without bars. In this case, the home is safe from the typical entry points, but at the price of maintaining a nice view through the windows, the home is vulnerable at the same time. Sometimes less than 100% is good enough. Security, as with most business decisions, is a risk-based decision. Factors of costs, convenience and liability must all be considered to fully understand the implications of business security.


Ever been hacked? Had information stolen? Who do you turn to? What do you do? No matter what the level, a security breech has occurred and action must be taken to ensure a repeat offense doesn’t happen. The first reaction to a security breech is to isolate it and fix it as soon as possible. However, writing to the systems in any way can cause clues to be overwritten. Therefore it is important to discover the identity of the attacker. The more quickly that forensic analysis is performed the more likely that the attacker, vandal or thief will be apprehended. One of the best places to start in analysis is making a copy of the system that hasn’t been written to. For Windows this is done using a program like Ghost. On the Mac platform using Carbon Copy Cloner or the Disk Utility to create an image is a good move. It is best to get a copy of your system as soon after a security incident as possible. On local systems, there are some valuable pieces of information that can be obtained about the identity of the person stealing data. This can be anything from the IP address of the attacker to the name of the drive they’re transferring data to. On many Operating Systems valuable logs or cached files are overwritten on a routine basis. If a clone is made, it is often best to create a clone, or a replica of the system in its current state, as soon as possible. If it’s a server, then the logs of the server provide good clues as to where to look for the perpetrator. Once again it is helpful to create a clone of the system. However, this is not always possible on production servers. Copying the log files is the next best thing. Firewalls can provide good clues as well. The logging cycles on firewalls typically store data for a shorter period of time than on workstations or servers. Creating a screen shot in PDF format of the firewalls logs or exporting the logs into a text file is a good starting point. Firewalls typically provide good information on what addresses are communicating with a network. This makes them good at specifically determining the identity of the attacker and according to logging levels, the attacks used. No matter what the issue, time is of the essence. Contacting a professional to help is a good idea. Getting the FBI or the LA County District Attorneys office involved can take time and this can cause clues to be damaged, lost or destroyed. IT professionals can also assist in creating a chain of custody on the equipment that can later be used in court when and if the person who’s invaded your privacy is apprehended and put to trial.


War dialing or wardialing is a method of automatically scanning telephone numbers using a modem, usually dialing every telephone number in a local area to find out where computers or fax machines are available, then attempting to access them by guessing passwords. ToneLoc was a popular wardialing computer program for MS-DOS written in the early to mid-1990s by two programmers known by the pseudonyms Minor Threat and Mucho Maas. The name ToneLoc was short for “Tone Locator” and was a word play on the name of the rap artist known as Tone Lōc. The utility was created for the purpose of scanning for dial tones or modem carriers in order to find PBXes, long distance carriers, or other modems. THC-SCAN In the cracking scene of the 1980s, demon dialing was a technique by which a computer would repeatedly dial a number (usually to a crowded modem pool) in an attempt to gain access immediately after another user had hung up. Wardriving is searching for Wi-Fi wireless networks by moving vehicle. It involves using a car or truck and a Wi-Fi-equipped computer, such as a laptop or a PDA, to detect the networks. It was also known (as of 2002) as “WiLDing” (Wireless Lan Driving, although this term never gained any popularity and is no longer used), originating in the San Francisco Bay Area with the Bay Area Wireless Users Group (BAWUG). It is similar to using a scanner for radio. Many wardrivers use GPS devices to measure the location of the network find and log it on a website (the most popular is WiGLE). For better range, antennas are built or bought, and vary from omnidirectional to highly directional. Software for wardriving is freely available on the Internet, notably, NetStumbler for Windows, Kismet for Linux, and KisMac for Macintosh. Wardriving was named after wardialing (popularized in the Matthew Broderick movie WarGames) because it also involves searching for computer systems with software that would use a phone modem to dial numbers sequentially and see which ones were connected to a fax machine or computer, or similar device. (Audio commentary on the Wargames DVD says that wardialing was named after the movie and the software did not openly exist before the movie.)

Password Encryption

I originally posted this at Logging onto most network resources requires the use of a password. Before passwords are sent over networks they are encrypted. Many different variables and algorithms are used to encrypt passwords. The most common method of encrypting passwords before they are sent over a network uses the seconds and minutes fields of file modification time stamps to build variables. The system doesn’t use the time stamp as a variable directly, but uses them to generate hashes. A hash is a number generated from a string of text. The hash is smaller than the text itself and is generated by a formula in such a way that it is extremely unlikely that some other text would produce the same hash value. Hash values are typically 160 bits in length. To increase security, hashes are broken up into segments, known as a message digest. These segments are sent over the network in a stream, or the actual data being transferred between two systems. A hash is a one-way function so it will not produce the same message digest from two different inputs. Kerberos uses the date and time stamps of two systems as inputs, which is one reason it is important for systems communicating using Kerberos to keep their clocks in sync. All of this helps ensure the infeasibility of reversing encryption. Although it is infeasible it is not impossible to break encryption schemes. The NTHash standard of security used by Windows employs a password encryption scheme that simply combines hashes. The NTHash method of password encryption has been exploited. OS X, as with UNIX and Linux, uses a 12-bit string of random numbers to create a more secure hash. This 12-bit string of characters is known as a salt. The use of a 12-bit salt requires brute force attempts to crack encryption will take 4,096 times longer by taking more resources. Using nonstandard ASCII characters such as !, #, @, *, etc. helps to increase password security as does keeping as up-to-date as possible with security patches. Using Kerberos helps to keep the encryption process as secure as possible due to salted hashes. Another security improvement with Kerberos is that Kerberos creates a ticket upon successful authentication. This ticket is used to access resources across all the servers sharing a common information database such as Open Directory and Active Directory. In a Kerberos environment passwords don’t have to be sent over the network each time a resource is being accessed. Reducing the frequency of password usage and handling passwords more effectively makes Kerberos a strong weapon in the Network Administrators arsenal. The use of LDAP databases such as Open Directory makes network management easier and more secure.