Diary of a mad man
Security
Posts relating to security, both computer and physical
Easter Bunny Stroll 2009
Apr 12th
Each year the LFNS does a special Sunday Stroll for Easter named the Bunny Stroll. Here is a video I took of this year’s event…
Securing Majordomo
Oct 14th
Did you know that by default majordomo will give a list of all the addresses on your mailing list to anyone?
I have written a script that will tidy up majordomo config files as follows…
- Only shows lists you are subscribed to with the ‘lists’ command
- Does not allow anyone to use the ‘who’ command to get addresses
- Doesn’t allow anyone to use the ‘which’ command to get addresses
This can either be run once or added to /etc/cron.daily so that any new lists created are forced to the correct settings.
Simply download the file, change the directory path at the top of the file if required and execute. Download Here.
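As an added illustration of what such a tidy-up script does (this is not the downloadable script from the post), the POSIX sh below rewrites each list config so the `who` and `which` commands are closed. The config directory and the key names `who_access` / `which_access` (as used in Majordomo 1.94 list configs) are assumptions; files are rewritten in place via a copy so that their owner and mode are preserved.

```shell
#!/bin/sh
# Added example, not the post's own script. Forces the address-leaking
# Majordomo commands closed in every list config. LISTDIR and the key
# names who_access / which_access are assumptions (Majordomo 1.94 style).
LISTDIR="${LISTDIR:-/usr/local/majordomo/lists}"

# set_key FILE KEY VALUE: rewrite an existing "KEY = ..." line, or append
# the key if the file does not set it at all. Writing through cat keeps the
# file's owner and permissions, which Majordomo depends on.
set_key() {
    file=$1 key=$2 value=$3
    if grep -q "^[[:space:]]*$key[[:space:]]*=" "$file"; then
        sed "s/^[[:space:]]*$key[[:space:]]*=.*/$key = $value/" "$file" > "$file.tmp" &&
            cat "$file.tmp" > "$file" && rm -f "$file.tmp"
    else
        printf '%s = %s\n' "$key" "$value" >> "$file"
    fi
}

# harden_config FILE: close the two commands that reveal subscriber addresses.
harden_config() {
    set_key "$1" who_access closed     # "who" must not list the members
    set_key "$1" which_access closed   # "which" must not reveal memberships
}

# get_key FILE KEY: print the current value of KEY (handy for a daily check).
get_key() {
    sed -n "s/^[[:space:]]*$2[[:space:]]*=[[:space:]]*//p" "$1" | tail -n 1
}

# harden_all: apply to every list config; safe to run daily from cron.daily,
# so newly created lists are forced to the closed settings as well.
harden_all() {
    for cfg in "$LISTDIR"/*.config; do
        [ -f "$cfg" ] || continue
        harden_config "$cfg"
    done
}

[ -d "$LISTDIR" ] && harden_all
```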
Car park signs tell drivers to fuck off
Oct 30th
There are some breaches in security you can’t help but laugh at! Even better that only two people reported it…
Early morning motorists got a shock yesterday when digital car park signs were tampered with by computer hackers and were left displaying an obscene message.
Black boxes in cars
Oct 3rd
I would love to know the percentage of cars in the UK that have these things!? The scary thing to me isn’t that cars have them but that people are driving around in cars and don’t know they have them. I may be wrong but I would imagine that it would help prevent accidents if you knew that your car could prove your driving… saying that, I can see that that may not be a selling point!
Investigators found a palm-sized tattle-tale under Michael J. Wilson’s hood in an effort to show a jury that the Arnold man should go to jail for the crash that killed his pregnant wife and another driver.
The device is called an event data recorder, or EDR. Some call it a “black box” because its function is similar to that of an aircraft’s flight data recorder. An estimated 64 percent of all model year 2005 vehicles driven in North America have one, according to the National Highway Traffic Safety Administration.
Bluetooth security and advertising
Aug 27th
I was watching BBC’s Click program today, which had a piece on how technology was being used in advertising to make billboards stand out [1]. The bit that got my interest was using bluetooth to connect to passing mobiles; this interview sums it up well. If the bluetooth UID of a mobile phone can be picked up by a poster as you walk past, and all these posters are networked together, then how long before the information is sold to tracking agencies?
We already have mobile phone tracking sites that allow you to find out where in the country a phone is logged on (to quite a good resolution too). While most of these sites require some form of authentication with the phone for public use the information is obviously there to phone company employees and the people behind these sites, who knows who has access to this info.
The other security concern is the vulnerabilities of the phones. Apparently, with Coldplay’s latest album, posters in London were offering to upload a free mp3 track from the album to bluetooth phones passing by. Nearly all first generation phones that support bluetooth are hackable, with new vulnerabilities being discovered on phones all the time. Bluetooth can already be used to control a vulnerable phone, for example to make it call a premium rate number without the owner knowing. If I were to use Internet Explorer as a browser I could pick up spyware just by visiting a webpage; now people will be infecting their phones by playing affected MP3s that they have downloaded for free from rogue posters. Neither of these techniques is new, but in this ever mobile age the transport methods are changing and the speed at which these changes are implemented is getting faster.
Checking for Rootkits
Aug 21st
In the same vein as my last post, here is a page on installing chkrootkit and Rootkit Hunter on CentOS / BlueQuartz.
A root kit is the name given to a piece of software written to try and elevate someone’s permissions to root level, commonly used by hackers/crackers/script kiddies to infect a system. There are many rootkit checkers; however, we are going to install two of the most common, which are both free and open source. Some people prefer one over the other. I say, why not use both!
chkrootkit
The website is http://www.chkrootkit.org/ and the following is based on v0.47.
# Pick a location
cd /usr/local
wget ftp://ftp.pangeia.com.br/pub/seg/pac/chkrootkit.tar.gz
tar zxvf chkrootkit.tar.gz
rm chkrootkit.tar.gz
# Fix the permissions
chown -R root:root chkrootkit-0.47
cd chkrootkit-0.47
make sense
# A quick tidy up
mkdir docs src
mv *.c Makefile src
mv READM* chkrootkit.lsm ACKNOWLEDGMENTS COPYRIGHT docs
./chkrootkit -q > good.output 2>&1
# CHECK THE good.output FILE IS OK AND HAS A KNOWN GOOD OUTPUT
touch current.output
touch /etc/cron.daily/chkrootkit
chmod 755 /etc/cron.daily/chkrootkit
vi /etc/cron.daily/chkrootkit
# Place the following text in the file...
#!/bin/sh
SERVER=`hostname`
cd /usr/local/chkrootkit-0.47
rm current.output
./chkrootkit -q > current.output 2>&1
DIFF=`/usr/bin/diff current.output good.output`
ERRO=`/bin/cat current.output`
if [ "$DIFF" != "" ]
then
/usr/lib/sendmail -t << EOF
To: root
Subject: ${SERVER}: Chkrootkit Output

====> A diff between current and good output is:
$DIFF
====> The current output is:
$ERRO
EOF
fi
Rootkit Hunter
The website is http://www.rootkit.nl/projects/rootkit_hunter.html (also http://rkhunter.sourceforge.net/) and the following is based on v1.2.8.
# Use a working directory where you can execute code
cd /home/.tmp
wget http://downloads.rootkit.nl/rkhunter-1.2.8.tar.gz
tar zxvf rkhunter-1.2.8.tar.gz
cd rkhunter
./installer.sh
cd ..
rm -r rkhunter rkhunter-1.2.8.tar.gz
# Rootkit Hunter does however complain about the user root-admin.
# As far as I can tell there is no need for this user on BQ so I remove it.
userdel root-admin
touch /etc/cron.daily/rkhunter
chmod 755 /etc/cron.daily/rkhunter
vi /etc/cron.daily/rkhunter
# Place the following text in the file...
#!/bin/sh
SERVER=`hostname`
OUTPUT=`/usr/local/bin/rkhunter --versioncheck`
EXITCODE=$?
if [ ${EXITCODE} != 0 ]
then
echo "${OUTPUT}" | /bin/mail -s "${SERVER}: Rootkit Hunter Output" root
fi
OUTPUT=`/usr/local/bin/rkhunter --update`
EXITCODE=$?
if [ ${EXITCODE} != 0 ]
then
echo "${OUTPUT}" | /bin/mail -s "${SERVER}: Rootkit Hunter Output" root
fi
OUTPUT=`/usr/local/bin/rkhunter --cronjob --report-warnings-only`
EXITCODE=$?
if [ ${EXITCODE} != 0 ]
then
echo "${OUTPUT}" | /bin/mail -s "${SERVER}: Rootkit Hunter Output" root
fi
I hope this is of help to people.
Things to do to a blank BlueQuartz install
Aug 21st
After just rebuilding a BlueQuartz box I thought I would copy my install notes. This is an entirely personal list of things that I do to a vanilla install of CentOS/BlueQuartz. I thought it may be useful to other people.
Contents
- Change root passwords
- Secure SSH
- Apache Obscurity
- Install ImageMagick
- PHP upload settings
- Add Mime Types
- yum checker
- Setup floppy drive
- Majordomo logfile
Change root password
BQ is initially set with no root MySQL password and the systems root password is set the same as the admin user. These should be changed to something different!
- Change MySQL password with `/usr/bin/mysqladmin --user=root password NEW_PASSWORD`
- Change root password with `passwd`
Secure SSH
SSH is obviously better than telnet, but did you know that the SSH protocol v1 has been cracked for quite some time now? I lock all my boxes down to only use protocol v2 and haven’t had any come back on compatibility issues.
- Modify `/etc/ssh/sshd_config` to set `Protocol 2`
- Run `/etc/rc.d/init.d/sshd reload`
Apache Obscurity
Yes, this is security through obscurity, but everything helps. The following will remove the “signature” at the bottom of pages generated by Apache and will also only report the webserver as “Apache” instead of the full version number and OS.
- Modify (and add if necessary) the following lines in `/etc/httpd/conf/httpd.conf` & `/etc/admserv/conf/httpd.conf`
ServerSignature Off
ServerTokens Prod
- Run `/etc/rc.d/init.d/httpd reload`
- Run `/etc/rc.d/init.d/admserv reload`
Install ImageMagick
A must for most hosting nowadays. Simply run `yum install ImageMagick ImageMagick-perl` as root.
PHP upload settings
In this new broadband age people are uploading pictures and such to their sites, so I change the PHP upload defaults. Change the following lines in /etc/php.ini (or your own php.ini) and run `/etc/rc.d/init.d/httpd reload`
post_max_size = 20M
upload_max_filesize = 10M
Add Mime Types
There seem to be some common mime types missing from the default install. Add the following to `/etc/mime.types` and run `/etc/rc.d/init.d/httpd reload`
application/x-ms-wmz wmz
application/x-ms-wmd wmd
audio/x-ms-wax wax
audio/x-ms-wma wma
image/x-icon ico
text/csv csv
video/x-ms-asf asf asx
video/x-ms-wm wm
video/x-ms-wmv wmv
video/x-ms-wmx wmx
video/x-ms-wvx wvx
yum checker
Now I love the Nuonce/Solarspeed automatic yum installer; however, I like to install patches on systems when I am there, so that if there are any problems I can fix them straight away. I have this little script that mails me when there are packages to install.
- touch /etc/cron.daily/yum-check
- chmod 755 /etc/cron.daily/yum-check
- vi /etc/cron.daily/yum-check
#!/bin/sh
SERVER=`hostname`
OUTPUT=`/usr/bin/yum check-update`
EXITCODE=$?
if [ ${EXITCODE} != 0 ]
then
echo "${OUTPUT}" | /bin/mail -s "${SERVER}: Yum Updater" root
fi
Setup floppy drive
If your system has a floppy disc drive you won’t be able to use it until you run `floppy --createrc > /etc/floppy`
Majordomo logfile
I know it’s silly but I like all my log files to be in one place…
- cd /var/log/mail
- ln -s /usr/local/majordomo/log majordomo
I hope this is of use to people.
The Conscience of a Hacker
Mar 26th
This was taken from Phrack Volume One, Issue 7, Phile 3 of 10. It is a poem by a hacker that was arrested back in 1986; funny how it still seems to be appropriate so many years on. Incidentally, bits of this file made it into the movie “Hackers” (I sense Emmanuel Goldstein’s influence there!!). I know it’s kinda sad, but in some ways I like this, if nothing else but that it’s a nice bit of poetry. Anyway, here it is in its original format:
The Conscience of a Hacker
by
+++The Mentor+++
Written on January 8, 1986
Another one got caught today, it’s all over the papers. “Teenager Arrested in Computer Crime Scandal”, “Hacker Arrested after Bank Tampering”…Damn kids. They’re all alike.
But did you, in your three-piece psychology and 1950's technobrain, ever take a look behind the eyes of the hacker? Did you ever wonder what made him tick, what forces shaped him, what may have molded him?
I am a hacker, enter my world…
Mine is a world that begins with school… I’m smarter than most of the other kids, this crap they teach us bores me…
Damn underachiever. They’re all alike.
I’m in junior high or high school. I’ve listened to teachers explain for the fifteenth time how to reduce a fraction. I understand it. “No, Ms. Smith, I didn’t show my work. I did it in my head…”
Damn kid. Probably copied it. They’re all alike.
I made a discovery today. I found a computer. Wait a second, this is cool. It does what I want it to. If it makes a mistake, it’s because I screwed it up. Not because it doesn’t like me…
Or feels threatened by me…
Or thinks I’m a smart ass…
Or doesn’t like teaching and shouldn’t be here…
Damn kid. All he does is play games. They’re all alike.
And then it happened… a door opened to a world… rushing through the phone line like heroin through an addict’s veins, an electronic pulse is sent out, a refuge from the day-to-day incompetencies is sought… a board is found.
“This is it… this is where I belong…”
I know everyone here… even if I’ve never met them, never talked to them, may never hear from them again… I know you all…
Damn kid. Tying up the phone line again. They’re all alike…
You bet your ass we’re all alike… we’ve been spoon-fed baby food at school when we hungered for steak… the bits of meat that you did let slip through were pre-chewed and tasteless. We’ve been dominated by sadists, or ignored by the apathetic. The few that had something to teach found us willing pupils, but those few are like drops of water in the desert.
This is our world now… the world of the electron and the switch, the beauty of the baud. We make use of a service already existing without paying for what could be dirt-cheap if it wasn’t run by profiteering gluttons, and you call us criminals. We explore… and you call us criminals. We seek after knowledge… and you call us criminals. We exist without skin color, without nationality, without religious bias… and you call us criminals. You build atomic bombs, you wage wars, you murder, cheat, and lie to us and try to make us believe it’s for our own good, yet we’re the criminals.
Yes, I am a criminal. My crime is that of curiosity. My crime is that of judging people by what they say and think, not what they look like. My crime is that of outsmarting you, something that you will never forgive me for.
I am a hacker, and this is my manifesto. You may stop this individual, but you can’t stop us all… after all, we’re all alike.
+++The Mentor+++