Nirlog.com

Technology, Life and other stuff that come along…

Archive for the 'Security' Category

Is the Internet Security failing?

December 6th, 2006 by Niranjan Kunwar

In Security Absurdity: The Complete, Unquestionable, And Total Failure of Information Security, Noam Eppel writes about how Internet security is failing and what can be done about it. He compares the current state of the security industry to a boiling frog:

They say if you drop a frog in a pot of boiling water, it will, of course, frantically try to scramble out. But if you place it gently in a pot of tepid water and turn the heat on low, it will float there quite complacently. As you turn up the heat, the frog will sink into a tranquil stupor and before long, with a smile on its face, it will unresistingly allow itself to be boiled to death. The security industry is much like that frog; completely and uncontrollably in disarray - yet we tolerate it since we are used to it.

The article lists out attacks that made the headlines recently and points out that failure can be seen everywhere — spyware, phishing, trojans, viruses, worms, spam, botnets, web application vulnerabilities, DoS attacks, Active-X, passwords, patch management, zero-days, wireless access points, internal attacks, vulnerabilities in security software, mobile viruses and encryption.

Recently Noam Eppel has published an update to the failure article with Community Comments & Feedback, where he highlights the Good, the Bad and the Ugly comments generated by his article.

I think both articles are very useful, with loads of data and insights, especially for Information Security Professionals.

Category: Technology, Admin, Links, Network, Security |

OpenVPN Implementation

November 9th, 2006 by Niranjan Kunwar

This guide describes how to install and configure the OpenVPN server on Linux and clients on Windows XP and Mac OS X. OpenVPN has many advanced features, and if you’re interested in them, there’s a more detailed HowTo for you. This guide was created from my successful installation, so it works for me. If you find any problems or have suggestions, please leave a comment. I’ll try my best to help. I’m sure you know that you’re using this at your own risk ;)

In our scenario, a small office network is protected by a Linux firewall, and we’ll implement OpenVPN to access the internal office network (File Server, Database Server and Desktop PCs) securely from anywhere on the Internet.

Read the rest of this entry »

Category: Technology, Admin, Apple, HowTo, Linux/Unix, Network, Security, VPN, Windows |

Secure, Easy and Cheap VPN: OpenVPN

November 3rd, 2006 by Niranjan Kunwar

I’ve used IPSec, PPTP and SSL VPNs for quite some time and found that each has its own strengths and weaknesses. IPSec is secure but too complicated, with too many options for implementation and configuration. PPTP is easy to use and configure, but it had some security issues in the past, which deters serious security-minded organizations from implementing it. Commercial SSL VPNs are easy to use, but they’re very expensive and still haven’t solved all the remote connection problems.

I was introduced to SoftEther (a popular Japanese personal VPN) by one of my bosses a few years ago. It’s secure and free, but the documentation is available only in Japanese. While I was searching for English documentation for SoftEther, I came across a Wikipedia entry, which said “It is similar to OpenVPN, though it is closed source software”. I’d heard about OpenVPN but had never given it a serious look. This time I decided to look at it. I was pleasantly surprised by its ease of installation, ease of use and robust security. Here are a few points to note about OpenVPN:

  • It’s free and open source.
  • It’s secure; it uses the SSL/TLS protocol.
  • It’s easy to install and use. Graphical User Interfaces are available for those who fear the command line.
  • Has a flexible authentication scheme based on certificates, smart cards, or traditional username/password credentials.
  • Can be implemented as a bridge or a router (OSI layer 2 or layer 3).
  • Excellent cross-platform support; it can be installed on Linux, Unix, Windows and Mac OS X.
  • Good documentation, FAQs, HowTos and articles.

If you’re looking for a secure, cheap, flexible and easy-to-use VPN solution, then you should give OpenVPN a try.

Category: Technology, Admin, Network, Reviews, Security, VPN |

Anonymous Blogging will be outlawed in China?

October 24th, 2006 by Niranjan Kunwar

The Great Firewall of China monitors, filters and blocks all the websites and email contents. If you’re in China you won’t be able to browse CNN, BBC and other international news smoothly, and you’ll have a terrible experience sending and receiving emails. There will be a lot of unexplained bounced emails, and sometimes emails are lost in black holes. To further extend its control over the net, China is now moving towards a ‘real name’ system for blogs.

The Internet Society of China has recommended to the government that bloggers be required to use their real names when they register blogs, state media said on Monday, in the latest attempt to regulate free-wheeling Web content.
The society, which is affiliated with the Ministry of Information Industry, said no decision had been made but that a ‘real name system’ was inevitable.

Implementation of this will mean an end to anonymity, a threat to privacy and a further curb on free speech. I quite doubt how effective they’ll be in implementing this system, looking at the number of blogs and bloggers in China.

China now boasts over 17.5 million bloggers, producing nearly 34 million blogs. An estimated 75 million Chinese netizens—more than half the country’s estimated 130 million Internet users—are blog readers.

But China has a reputation for being ruthless in implementing their policies and they do have technical, human and financial resources at their disposal. I think they’ll try very hard and ultimately fail. What do you think?

Category: Technology, Life, Blogging, Network, Security |

What the Terrorists Want

August 25th, 2006 by Niranjan Kunwar

Bruce Schneier has an excellent article on What the Terrorists Want and how we should be fighting them.

I’d like everyone to take a deep breath and listen for a minute.

The point of terrorism is to cause terror, sometimes to further a political goal and sometimes out of sheer hatred. The people terrorists kill are not the targets; they are collateral damage. And blowing up planes, trains, markets or buses is not the goal; those are just tactics. The real targets of terrorism are the rest of us: the billions of us who are not killed but are terrorized because of the killing. The real point of terrorism is not the act itself, but our reaction to the act.

And we’re doing exactly what the terrorists want.

Category: Life, Links, Security |

Firewall Analyzer

August 8th, 2006 by Niranjan Kunwar

Firewalls have become an integral part of all corporate networks. They’re the first line of defense against attacks from the outside network (Internet) and also the point of control to make sure internal users (employees) are using the Internet as they’re supposed to. Recently, UTM (Unified Threat Management) firewalls have become very popular. They have built-in gateway anti-virus, anti-spam, web content filtering and IPS (Intrusion Prevention System) on top of traditional firewall functions. These firewalls generate loads and loads of log data, and it’s very difficult to analyze the traffic and security event levels by just looking at the log files. So, a firewall logging and analysis tool becomes necessary to generate easy-to-understand reports. After trying a few software packages, I came across Firewall Analyzer, which was the exact tool I was looking for.
Read the rest of this entry »

Category: Technology, Admin, HowTo, Linux/Unix, Network, Reviews, Security | No Comments »

Understanding Tunneling

August 5th, 2006 by Niranjan Kunwar

Tunneling is a technology used to connect different computers and networks securely across the Internet. There’s a great introduction to tunneling and its uses at Networking 101: Understanding Tunneling.

A tunnel is a mechanism used to ship a foreign protocol across a network that normally wouldn’t support it. Tunneling protocols allow you to use, for example, IP to send another protocol in the "data" portion of the IP datagram. Most tunneling protocols operate at layer 4, which means they are implemented as a protocol that replaces something like TCP or UDP.

Category: Technology, Network, Security | No Comments »

How to restore a hacked Linux Server

August 3rd, 2006 by Niranjan Kunwar

Marius Ducea has a great article on How to restore a hacked Linux Server. He provides a very practical baseline on how you should develop your own plan of action to restore a hacked Linux Server. These are the steps he recommends:

- Don’t panic. Keep your calm and develop a plan of actions
- Disconnect the system from the network
- Discover the method used to compromise the system
- Stop all the attacker scripts and remove his files
- Restore not affected services
- Fix the problem that caused the compromise
- Restore the affected services
- Monitor the system

I have personal experience of restoring a hacked Linux Server. I agree with all of his recommended steps. Out of them, I think finding the method (security hole) used to compromise the system is the most important, because if you don’t know this then the attacker can immediately use the same security hole to attack and compromise the system after you restore it.

Category: Random, Technology, Admin, HowTo, Links, Linux/Unix, Network, Security |

Ethereal on Mac OS X

July 25th, 2006 by Niranjan Kunwar

With the perfect password manager, I thought I had the complete set of tools on my Mac for getting things done. But today I realized I’d overlooked Ethereal. I use it sometimes, and it’s a gem without which it would be very difficult to solve some network problems. Ethereal is a free and open source packet sniffer application, used for network troubleshooting, analysis, software and protocol development, and education. It has all of the standard features of a protocol analyzer.

I was happy to see Ethereal for Mac OS X listed at the top of the download page. But I was confused by the choice I had to make between Fink Project and DarwinPorts. I was not sure what they meant or which one was better. So, after Googling a while and reading the FAQs, I found that the number one goal of both projects was to port open source Linux/Unix software to Mac OS X. They just differ in the packaging approach they’ve taken. DarwinPorts was written from scratch to try a different approach to a packaging system, whereas Fink Project utilizes the robust package management tools dpkg and apt-get from the Debian Linux Project. So, I decided to try Ethereal with Fink Project and this is how I did it.

Read the rest of this entry »

Category: Technology, Admin, Apple, HowTo, Linux/Unix, Network, Security | 12 Comments »

Password Managers for OS X

July 19th, 2006 by Niranjan Kunwar

I’ve switched to a Mac and it took quite some time for me to find an ideal password management tool. Of course OS X has the excellent KeyChain Access for managing passwords and other confidential information. There is also some third-party software, but most of it is good for personal usage only (by a single user). Previously at work we were using Anypassword on Windows for password management. What I needed was a similar tool that stores passwords in an encrypted file (database), so that multiple admins can view/edit it from different platforms (at least from Mac and Windows). In search of this perfect program I’ve tried many password managers available for OS X. So, here they are; some are good for a single user and some are good for system admins, and among them I found one that fits me perfectly.
Read the rest of this entry »

Category: Technology, Admin, Apple, Reviews, Security |