Personal AntiVirus for Linux – ClamAV with Fedora 11

I'm providing the original text file for ease of use. Grab it here - ClamAV.on.Fedora
----------------------------------

Background:

This guide will use the ClamAV CLI scanner and the ClamAV-Update script (freshclam).
I wrote this to help all the Home/SOHO users (servers or desktops).
ClamAV has various tools/packages/plugins for email servers etc. but that’s another story.

If you wish to learn more visit their home site: http://www.clamav.net/

Obviously, you can change anything you want, but this should get you going.


More on The Dangers of Facebook

I wrote previously about Facebook hacking, which is something everyone needs to be aware of, but there is a more immediate Facebook danger by which millions of people are already exploited every day. Not only could it lead to insecurity, but your personal data is being exposed to advertisers every time you take one of those “What kind of hamburger are you” quizzes.

Facebook applications get access to all data of users who sign up, though users sign up for dozens of one-time use applications like these quizzes without thinking twice. There are hundreds of applications springing up every day, and Facebook’s model of implementing no technical sandboxing and policing applications when things go wrong is completely unscalable.


Practical Security: Resources from the US Government

If you live in the USA, did you know that your tax dollars are being used for some really good purposes?

You better believe it.  For example, the NSA provides some great guides and tools for securing your operating system, whether you are on a Mac, or running Windows, Linux, or Solaris.

Some of the guides can get a little complex (especially the Linux and Solaris ones), but even if you do some of what they suggest, you are increasing the security of your OS and are likely to learn a few things at the same time.

There are more resources from other parts of the government as well.

Local Restaurant Scam

The Buncombe County web site is reporting that scammers have been targeting area restaurants, telling them they need to pay $19.95 each for “hand washing” signs which are required to be posted in restrooms.

An interesting, if not original scam, probably concocted while someone was using the restroom, saw the sign, and got the bright idea.  Fascinating.

Black Hat DC 2009

I’m on my way back from the Black Hat DC 2009 briefings, and thought I’d give a brief synopsis of my experience there while waiting to catch a plane.

This was the first opportunity I’ve had to attend such a conference, and it was made possible by Alan over at StillSecureAfterAllTheseYears.com (yes, you made my year!).  Being in the DC area, this smaller-brother version of the Black Hat Vegas conference is geared more towards the federal sector, which was perfect for me since that is where I work.

The conference was kicked off by Paul Kurtz (check it out here), former advisor to Presidents Clinton and Bush, and current candidate for President Obama’s Cyber-Czar position.  He described the complex, if not disturbing, state of our country’s cyber-readiness in response to a “cyber Katrina” disaster.

It is a grim situation for which a lack of communication between the various parts of our cyber infrastructure is at fault.  He likened it to the pilot training facility in Florida, which trained the pilots of the 9/11 attack, not passing along any info to the government about what was going on.  The same thing, said Kurtz, is occurring with our country’s ISPs.  He didn’t really go into how to solve it in detail, but I was left fearing that an increase in communication between ISPs and the government would only lead to more of a Big Brother scenario than we already have.

I chose to attend the Attack and Defense track of briefings as opposed to the Reverse Engineering track at Black Hat.  All in all, I was not disappointed, though a few of the topics were very dry and very granular.  Some of the other attendees I talked to were in agreement that the level of detail tended to get very specific, and thus less relevant to the majority of the people attending.

Still, I learned a lot in many of the briefings, including:

  • Blinded by Flash: Widespread Security Risks Flash Developers Don’t See (presentation here)
  • Dissecting Web Attacks (presentation here)
  • Windows Vista Security Internals (presentation here)

The best presentation I saw this week was by an independent hacker going by the name of Moxie Marlinspike, whose presentation on New Techniques for Defeating SSL/TLS generated the most buzz amongst the conference attendees and the blogosphere.

Moxie demonstrated a method he devised using a tool he wrote called SSLStrip, which allows one to launch a man-in-the-middle attack on someone attempting to log onto a secure site by taking advantage of “positive feedback” techniques currently employed by modern web browsers, and making someone think they are on a secure web site.  In actuality, they are on your version of the site, and once you have their login credentials captured, you send them on their way without them knowing the difference.

Moxie had a 100% success rate of fooling people on the Tor network using this technique, collecting passwords for Paypal, Facebook, and other popular “secure logon” sites.

There were other good briefings, and I met a bunch of cool people.  As I posted on Twitter during the conference, rubbing elbows with the DC security elite made me realize how quaint Asheville is. I hope to be able to attend more conferences of this genre, and the opportunity for learning is much greater than sitting in a training room listening to a teacher drone on about a single subject.

Practical Security: Web Browser Vulnerabilities

Secunia, a computing security clearinghouse, has issued a warning regarding a new, zero day vulnerability in the Internet Explorer web browser.  This includes Internet Explorer 5, Internet Explorer 6, and Internet Explorer 7 on fully patched Windows XP systems.

Attackers can craft web pages in such a way as to use this vulnerability to issue commands on your computer.  There are active exploits currently being used on the Internet to do this.

Your safest immediate course of action is to not use Internet Explorer until a patch is issued by Microsoft.  Instead, use Firefox, Safari, or Chrome.  Unless you are using version 9.3 of Opera, you should quit using it as well.

On another note, there was an article in the news recently which named Firefox as the most insecure application of 2008.  The article is highly biased, however, and the criteria for defining insecure applications ruled out the inclusion of Internet Explorer.  Still, it’s worth a read to help raise awareness about the vulnerabilities of computing on the Internet these days.

Whatever browser you use, you should know that exploits are found in all of them.  As exploits are discovered, they are usually patched as soon as possible, and it’s well worth checking for and installing the latest versions often.  Until patches are released, however, it’s a good plan to switch browsers.
