Thursday, August 28, 2008

Top 10 Firefox add-ons

Add-ons or extensions are small pieces of software that can add new features or tiny tweaks to your browser. They can add niche search engines, change the look of your browser tool bar, block annoying pop-ups, preview links, organise your browsing history and do much more.

Mozilla Corp, which recently set a world record with Firefox 3, recently held its annual competition that recognises the year's best Firefox add-ons.

This year's contest focused on add-ons that took advantage of its latest open-source browser, Firefox 3. Here is a listing of what Mozilla crowned the best Firefox add-ons.

Click Here

-Abhiz

Tuesday, August 19, 2008

Be a Web Security Samurai

We have the BackTrack Live CD for penetration testers, with lots of tools for everything from scanning to gaining root and 0wning a machine. BackTrack already has most of the tools that pentesters need, but there is a new kid on the block: a Live CD named Samurai, with a focus on web security testing. This is what the official website of Samurai has to say:

"The Samurai Web Testing Framework is a live linux environment that has been pre-configured to function as a web pen-testing environment. The CD contains the best of the open source and free tools that focus on testing and attacking websites. In developing this environment, we have based our tool selection on the tools we use in our security practice. We have included the tools used in all four steps of a web pen-test.
Starting with reconnaissance, we have included tools such as the Fierce domain scanner and Maltego. For mapping, we have included tools such as WebScarab and ratproxy. We then chose tools for discovery. These would include w3af and burp. For exploitation, the final stage, we included BeEF, AJAXShell and much more. This CD also includes a pre-configured wiki, set up to be the central information store during your pen-test."

---------

Looks like they have integrated all the web security tools, but the problem is: how many CDs or USB drives should I carry with me? The problem with Linux is that a tremendous number of forks happen within a very short span of time. We have the WHAX penetration Live CD, we have the wonderful BackTrack, and now Samurai.

Although they are all for different uses, why can't just one Live distribution have it all? That is the reason I have created a Live distribution with the tools that I need, which I carry with me. I know my needs, and the choice of tools on my Live CD might not be exhaustive like the ones above, but I surely have what I need, and even if something is badly required I can always get it off the net while the distribution is running.

What do you think? Is it better to have your own custom distribution or to carry many special-purpose Live CDs with you?

-Abhiz

PCI Compliance Guide from Microsoft

This is a good guide from Microsoft about PCI compliance and is surely a must-read for people who want to know more about PCI or implement PCI compliance at any level, which is a pushing factor for all the companies that manage their customers' credit card data and do financial transactions. Being compliant with a standard like PCI does not mean you are secure!

"The Payment Card Industry Data Security Standard Compliance Planning Guide is designed to help organizations meet Payment Card Industry Data Security Standard (PCI DSS) requirements. Specifically, this guide is targeted to merchants that accept payment cards, financial institutions that process payment card transactions, and service providers—third-party companies that provide payment card processing or data storage services. IT solutions for each of these groups must meet all PCI DSS requirements. The guide is intended to augment The Regulatory Compliance Planning Guide, which introduces a framework-based approach to creating IT controls as part of your efforts to comply with multiple regulations and standards. This guide also describes Microsoft products and technology solutions that you can use to implement a series of IT controls to help meet the PCI DSS requirements, as well as any other regulatory obligations your organization may have."

Download the PCI Compliance guide.

-Abhiz

Encryption Toolkit from Google

Google has released an open source cryptographic toolkit, "Keyczar", for developers to use in their applications. It supports authentication and encryption with both symmetric and asymmetric keys. Keyczar currently has Python and Java implementations, but the toolkit is not designed to be used as a replacement for OpenSSL. It can be used in your web applications to encode the URL and validate it on the server by using cipher keys, etc. The challenge for Keyczar is that many such implementations are already available for Python, PHP and Microsoft .NET. Let's see how much adoption Keyczar gets, and even if people don't use it in their self-hosted projects, you should be able to use it with AppEngine from Google.

-Abhiz

Another reason to secure your Wifi

Indian police investigating bomb blasts which killed 42 people traced an email claiming responsibility to a Mumbai apartment, and they immediately raided the apartment, in which an American national was staying. But after a thorough investigation the police came to the conclusion that the American national was not the one who sent that email; his Internet connection was used to pass on the information. He had an open Wifi connection without any encryption, and the Wifi was accessible from quite a good distance. Now the American was not involved, but the terrorists used his open Wifi connection to send an email and he got in trouble.

This is just another reason you should secure your PC as well as your Internet infrastructure, because the morons are getting smarter: 1) they used open Wifi to send an email; 2) they used microchips in the bombs that they planted in Surat (good that the microchips were faulty and failed).

What should people do to secure their Wifi?

  1. First, log everything at the router level, and email the logs periodically to an email address to keep as a backup.
  2. Use encryption, WEP or WPA. WEP is quite easy to crack, so I would recommend using WPA.
  3. Change default passwords immediately, as soon as the technical support guy leaves your house.
  4. Switch off the router/modem when not in use.
  5. Monitor your Internet bills, because an unusual spike is a clear indication of misuse of your Internet connection.
  6. Configure MAC address filtering in your modem/router so that only your machine gets connected to the Internet.
  7. If you use only one machine for Wifi, reduce the DHCP address pool so that only one machine is connected to the Internet at a time, or better, use a static IP address.

One more thing I would like to add: the modem/router installation team of the ISP should take the lead and stop people from using open Wifi and WEP. They should assist them in setting up WPA, because it's not just hackers or neighbors stealing your Wifi connection; even the very bad can use it for their bad deeds, and you are innocent but can still end up in trouble like the American national.
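The router logging and MAC filtering advice above can be combined: the router's own log shows whether any device outside your MAC list obtained an address. The following Python sketch is an added example, not part of the original post; it assumes dnsmasq-style DHCPACK syslog lines in chronological order (other router firmware logs differently), and the sample log, addresses and function names are constructed for illustration.

```python
import re

# Matches a dnsmasq-style lease grant, for example:
# "Aug 19 08:01:02 router dnsmasq-dhcp[412]: DHCPACK(br0) 192.168.1.10 00:11:22:33:44:55 my-desktop"
LEASE_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+\s+[\d:]{8})\s+.*?DHCPACK\([^)]*\)\s+"
    r"(?P<ip>\d{1,3}(?:\.\d{1,3}){3})\s+"
    r"(?P<mac>(?:[0-9A-Fa-f]{2}[:-]){5}[0-9A-Fa-f]{2})"
    r"(?:\s+(?P<host>\S+))?"
)

# Constructed sample log (not from a real router).
SAMPLE_LOG = [
    "Aug 19 08:01:02 router dnsmasq-dhcp[412]: DHCPACK(br0) 192.168.1.10 00:11:22:33:44:55 my-desktop",
    "Aug 19 08:01:05 router dnsmasq-dhcp[412]: DHCPREQUEST(br0) 192.168.1.10 00:11:22:33:44:55",
    "Aug 19 23:47:30 router dnsmasq-dhcp[412]: DHCPACK(br0) 192.168.1.57 02-AA-BB-CC-DD-EE",
    "Aug 20 00:15:09 router dnsmasq-dhcp[412]: DHCPACK(br0) 192.168.1.57 02:aa:bb:cc:dd:ee visitor-pc",
    "Aug 20 07:59:41 router dnsmasq-dhcp[412]: DHCPACK(br0) 192.168.1.10 00:11:22:33:44:55 my-desktop",
]


def normalize_mac(mac):
    """Lower-case and use ':' separators so different spellings compare equal."""
    return mac.lower().replace("-", ":")


def find_unknown_clients(log_lines, allowed_macs):
    """Summarize every lease handed to a MAC address that is not on the allowlist.

    Returns {mac: {"count", "first_seen", "last_seen", "ips", "hosts"}}.
    """
    allowed = {normalize_mac(m) for m in allowed_macs}
    report = {}
    for line in log_lines:
        match = LEASE_RE.match(line)
        if match is None:            # not a lease grant, ignore
            continue
        mac = normalize_mac(match.group("mac"))
        if mac in allowed:
            continue
        entry = report.setdefault(
            mac,
            {"count": 0, "first_seen": match.group("ts"), "ips": set(), "hosts": set()},
        )
        entry["count"] += 1
        entry["last_seen"] = match.group("ts")
        entry["ips"].add(match.group("ip"))
        if match.group("host"):
            entry["hosts"].add(match.group("host"))
    return report


if __name__ == "__main__":
    for mac, info in find_unknown_clients(SAMPLE_LOG, ["00:11:22:33:44:55"]).items():
        print(f"unknown device {mac}: {info['count']} lease(s), "
              f"{info['first_seen']} .. {info['last_seen']}, "
              f"ips={sorted(info['ips'])}, names={sorted(info['hosts'])}")
```

A MAC address can be changed by the client, so an empty report does not prove that nobody else connected; treat it as one signal alongside encryption and the other steps.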

-Abhiz

Wednesday, August 13, 2008

What's the need for Linux apps on Windows?

As for why you'd want to do this, there are several Linux apps that are much better -- and with more advanced features -- than their Windows counterparts.

Amarok on the desktop.

For example, Amarok is a superior alternative to Windows Media Player or iTunes, especially if you ever need to take music off your iPod. Amarok lets you move files in both directions -- onto the iPod and from the iPod onto your desktop, a function that iTunes by itself does not provide. Amarok also has better options for tagging your music than iTunes, and it features integration with Wikipedia and the Last.fm social network.

Web developers and designers could test their pages against Linux browsers like Konqueror or Epiphany. Also, those working in scientific fields probably use a number of Linux-based apps that haven't yet been ported to Windows (and may never be).

Running apps in a faux-native environment will always be easier than dual-booting into a second OS. And aside from the practical concerns, it's just plain cool. Or creepy, depending on your bias.


-Abhiz

Show Off Your Linux Skillz

Execute any of these open source tricks and no one will have the slightest inkling that you actually failed comp-sci in junior college.

Bypass the corporate firewall

You're sitting at work when you notice a bootleg of Tropic Thunder on BitTorrent. No problem: Run the BitTorrent through your home PC and stream into your work rig. Enter this code into the terminal: ssh -R 7654:127.0.0.1:7654 username@yourothermachine -N -D 7777. Where it says "username," plug in the username of your home machine. And swap "yourothermachine" for the IP address or hostname of that box. "-N -D" is the SOCKS proxy. Remember to set it as 127.0.0.1 at port 7777. And "7654" is the default port you want your Torrent program to run on. (Check it: You can also use this trick to run Firefox, AIM, and other apps that "hamper productivity.")

Create a file-sharing network

Your bud across the hall wants to see Tropic Thunder, too. If you and he are on networked machines, you can easily send him the file. Type: scp localfile username@yourfriendsmachine:remotefile. In place of "remotefile," enter the name of the file you want to send. Don't have the username and IP addy or host name of "yourfriendsmachine"? Set up an impromptu instant message client to get it.

DIY IM

If your Linux box can't load an IM client (or you want to converse off the grid), there's another way to become ping pals. You both need to be remotely logged into the same machine. Enter: write username. Sub your friend's handle for "username" and start chatting away about how funny it was in Tropic Thunder when Ben Stiller had both of his hands blown off.



-Abhiz

Track who accesses your Gmail account and from where

Gmail has introduced a new privacy feature that will let users see how many computers their account is open on, and also allows them to sign-out remotely. Basic information is displayed as part of the page’s standard footer, and users looking for more detailed information can view a log that displays the most recent IP addresses to access the account, along with the type of access (Mobile, POP, etc.).

The best thing about these features is that if anybody has got access to your cookies, he can be logged out remotely, and you can even track who logged into your email account, from what IP address and through which service, e.g. IMAP, POP or browser.

This is really a very good move from Google, because webmail accounts have always been a haven for email snoopers.

The link to access all this information is available at the bottom of the Gmail website.

-Abhiz

Remote Desktop Management Solution for Microsoft



One of the many challenges facing Microsoft administrators is how to manage remote systems in a secure manner? In the world of the UNIX the answer is quite simple: using the SSH protocol is sufficient. Thanks to the SSH, we can manage remote systems not only in the text mode, but we can also run remote X-Window applications by using the protocol tunneling technique. And all of that by using strong cryptography, which protects transmitted data from unauthorized access.

Unfortunately, providing secure remote access to the MS Windows systems is not as easy. Why? First of all, only the NT Terminal Server, 2000 Server and XP are equipped with remote management services (Terminal Services). Secondly, the solutions that offer remote MS Windows management possibilities either don't encrypt transmitted data (like VNC) or their implementation often comes hand in hand with the additional, significant costs.

This article will describe the universal method of remote management that can be used to manage almost all versions of MS Windows systems: from Windows 95 up to XP. This method is characterized not only by minimal costs, but also by a relatively high level of security.

The Solution

What features should a remote management solution have? First of all, the solution must be functional. Although in the case of Unix systems, access to the emulated text terminal is often sufficient, the use of such methods to manage MS Windows is far from ideal. Because the MS Windows is a system based on a graphics environment, remote management should be also realized in a graphics mode. Besides being functional, remote management must also be secure. The solution must not only provide user authentication, but must also assure confidentiality and integrity of the transmitted data.

In the remote management solution that will be presented in this discussion, all the above requirements will be met by using the following open-source software:

  • VNC - VNC (Virtual Network Computing) provides graphics management of remote systems. In our case, the VNC software will be the "core" of the whole solution. It will provide a graphics console to the remote MS Windows system.
  • Stunnel - The main purpose of the Stunnel utility is to create SSL tunnels that can be used to transmit other, often non-encrypted protocols in a secure manner. In the described solution, this tool will be used to secure the VNC protocol. Thanks to the Stunnel, it will be possible to assure not only confidentiality and integrity of the transmitted data, but also to authenticate VNC clients and servers by certificates.
  • OpenSSL - OpenSSL is a library of cryptographic functions that can be used to enrich applications by data encrypting functions. By using OpenSSL we can also generate, sign and revoke certificates that can be used in solutions based on a public key infrastructure (PKI). In the method presented below this tool will be used to generate and sign certificates needed to authenticate both VNC clients and servers.

The following picture shows the way the software mentioned above will be used to provide secure management of remote desktops:



Now, let's proceed to the practical implementation of the described solution.

Installing the Software

The first stage of implementing this secure remote management solution is the installation of the software.

VNC

In order to use the VNC, we must download it and install it on the host that we want to manage remotely, which we will hereafter refer to as the VNC server. Next, we must register the VNC service (Start Menu → RealVNC → VNC Server → Register VNC Server Service) and reboot the system.

After rebooting the system, we must set up the basic parameters of the VNC service. The most important thing is to enter an effective password, which will protect the VNC service against unauthorized access. The next step is turning off the "Enable Java Viewer" option (since this option requires two separate SSL tunnels, it won't be used), as is shown in the image below.



After we finish configuring the VNC server, we should download the VNC client software (vncviewer.exe) and place it on the host that will be the client of the VNC.

At this point we should check if the VNC client can establish a connection to the VNC server. If the programs are able to communicate with each other, we can finish the configuration.

Because the VNC server should be accessible only by a locally installed Stunnel utility, the following entry should be added to the Windows Registry on the VNC server:

Key: HKEY_LOCAL_MACHINE\Software\ORL\WinVNC3
Name: LoopbackOnly
Type: REG_DWORD
Value: 1

The above entry makes it possible to use loopback connections, and it limits listening on the 5900/tcp port only to the localhost (127.0.0.1). Thanks to that, the VNC server will not be directly accessible from the computer network. In addition, if we don't want users to shut down the VNC service on the VNC server host, the following entry should be added to the Registry:

Key: HKEY_LOCAL_MACHINE\Software\ORL\WinVNC3\Default
Name: AllowShutdown
Type: REG_DWORD
Value: 0

In order to activate the above changes, we must restart the VNC service.

Stunnel

The next step is installing the Stunnel utility. In order to perform that, we should download it and place it on the VNC server and client, in the directory: C:\Program Files\Stunnel. We should also download two libraries that are required by Stunnel: libeay32.dll, libssl32.dll.

If we want the Stunnel to start automatically when the system boots up, the following entry should be added to the Windows Registry:

Key: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
Name: Stunnel
Type: REG_SZ
Value: "C:\Program Files\Stunnel\stunnel-4.04.exe"

OpenSSL

At present, the OpenSSL library is installed by default in most Linux distributions, mainly because it is required by OpenSSH. However, few people know that there is a version of OpenSSL ported to MS Windows that has almost identical functionality. Because the article is devoted to the MS Windows platform, we'll use this version of OpenSSL.

In order to install and configure the OpenSSL software, we must perform the following steps:

  1. On the additional, trusted host (Windows 2000, NT or XP) - if possible, not connected to the computer network at all - we should install the OpenSSL software. The binary version of the OpenSSL (openssl.exe) can be downloaded from the Stunnel Web site. Just like in case of the Stunnel program, we also have to download two libraries: libeay32.dll and libssl32.dll. The downloaded software must be placed in the C:\Program Files\OpenSSL directory.
  2. Two other files must also be downloaded: the configuration file, openssl.conf and the ca.bat script, which will be used to generate certificates. The above files should be placed in C:\Program Files\OpenSSL directory. The final content of that directory should be similar to the following:

The next step is to generate certificates, which will be used to authenticate VNC servers and clients.

Keys and Certificates Generation

Certification Authority

The process of generating certificates should be started by generating a private/public key pair and certificate for the trusted third party, or CA (Certification Authority). The CA's private key will be used later to sign the VNC server's and client's certificates. The CA's certificate will be placed on all VNC servers and clients. Because the CA's private key is one of the most important elements of every PKI implementation, the key must be protected by a strong pass phrase and kept away from regular users.

In order to generate the public/private key pair and certificate for the CA, we should run the ca.bat script in the following manner:

C:\progra~1\OpenSSL\ca genca

After performing the above steps, the CA's certificate will be stored in the C:\CA\CAcert.pem file, and the private/public key pair will be stored in the C:\CA\private\CAkey.pem file.

VNC Server

The next step is to generate a private/public key pair and certificate for the VNC server:

C:\progra~1\OpenSSL\ca server

As the result, the following files will be created in the C:\CA\temp\vnc_server directory:

  • server.key - private/public key pair
  • server.crt - server's certificate
  • server.pem - server.key + server.crt (required by Stunnel)

It is worth emphasizing that the server's private key is not secured by a pass phrase. The option of protecting the private key with a pass phrase hasn't been used at this point, mainly because Stunnel has no way to supply pass phrases. Thus, private keys secured by pass phrases cannot be used by the Stunnel utility.

VNC Client

The last step is to generate the public/private key pair and certificate for the VNC client:

C:\progra~1\OpenSSL\ca client

Just like in the previous step, the following files will be created in the C:\CA\temp\vnc_client directory:

  • client.key - private/public key pair
  • client.crt - client's certificate
  • client.pem - client.key + client.crt (required by Stunnel)

Stunnel Configuration

VNC Server

Before we try to establish a secure connection between the VNC server and client, we must configure the Stunnel utility, and equip it with all the required keys and certificates.

In order to perform that, we should create a "C:\Program Files\Stunnel\stunnel.conf" file with the following content:

CAfile = CAcert.pem
CApath = certificates
cert = server.pem
client = no
verify = 3

[vnc]
accept = 443
connect = 127.0.0.1:5900

The above configuration will cause all incoming connections to the 443/tcp port to be forwarded to the local port 5900/tcp. Of course, this will be done only when the client proves his identity by presenting a valid, signed certificate, which must also be present in the local "certificates" directory ("verify = 3" enforces certificate authentication of both sides).

The next step is to place both the CA's certificate (C:\CA\CAcert.pem) and VNC server's private/public key pair and certificate (C:\CA\temp\vnc_server\server.pem) in the C:\Program Files\Stunnel directory.

Finally, we must also load the VNC client's certificate. In order for the Stunnel utility to find the certificate during the authentication process, we must change its name as follows (the following commands must be run on the host on which the certificates were generated; "value" should be replaced by the result of the "openssl x509" command):

cd C:\CA\temp\vnc_client
C:\progra~1\openssl\openssl x509 -hash -noout -in client.crt
value
copy client.crt value.0

The file value.0 should be placed in the C:\Program Files\Stunnel\certificates directory.

The final content of the C:\Program Files\Stunnel directory should be similar to the following:

VNC Client

Generally, the configuration process of the Stunnel utility installed on the VNC client host is very similar to the one described in the previous step.

First, we must create a "C:\Program Files\Stunnel\stunnel.conf" file with the following content:

CAfile = CAcert.pem
CApath = certificates
cert = client.pem
client = yes
verify = 3

[vnc]
accept = 127.0.0.1:5900
connect = VNC_server_IP_address:443

The next step is to store both the CA's Certificate (C:\CA\CAcert.pem) and VNC client's private/public key pair and certificate (C:\CA\temp\vnc_client\client.pem) in the C:\Program Files\Stunnel directory.

Finally, we must change the name of the VNC server's certificate file as follows:

cd C:\CA\temp\vnc_server
C:\progra~1\openssl\openssl x509 -hash -noout -in server.crt
value
copy server.crt value.0

and store it into the C:\program files\Stunnel\certificates directory.

The final content of the C:\Program Files\Stunnel directory should be similar to the following:

Testing the Connection

At this point all the software is configured and ready to use. In order to test it, we must run the Stunnel utility both on the server and client, and run the VNC service.

Then, on the VNC client host we must run vncviewer.exe. As the remote address we should enter: 127.0.0.1. If everything is configured correctly, the connection with the VNC server should be established, and both Stunnel tools should show the following information:

On the VNC server:

On the VNC client:

If, for some unknown reason, the attempt to establish a connection fails, we should increase the Stunnel log level and try to find the reason for the failure. In order to do that, the following global directive should be added to the stunnel.conf file:

debug = 7

Then we should restart Stunnel and try to establish connection again.

Reverse Connections

The above method works fine, but only when the VNC server host has a valid, external IP address or is placed in the same LAN as the VNC client host. But what if the VNC server is placed behind NAT, or incoming connections to this host are dropped by the firewall?

It appears that, thanks to the "/listen" option of the VNC client, it is possible to get around such limitations. In traditional client-server technology, the client initiates the TCP/IP connection. However, nothing stands in the way of reversing this, so that not the client but the server initiates the connection. The only condition is that the server must be able to connect to the client. In practice, this means that the client host cannot be placed behind NAT, and any firewalls must not block the incoming connection. Of course, the software must also be written in a way that makes it possible to perform such operations.

As I have mentioned before, the VNC has the possibility to establish reverse connections. In order to make use of that option, the following changes should be applied to the stunnel.conf file on the VNC server:

CAfile = CAcert.pem
CApath = certificates
cert = server.pem
client = yes
verify = 3

[vnc]
accept = 127.0.0.1:5500
connect = VNC_client_IP_address:443

and on the VNC client:

CAfile = CAcert.pem
CApath = certificates
cert = client.pem
client = no
verify = 3

[vnc]
accept = 443
connect = 127.0.0.1:5500

It is worth noting that roles of Stunnel utilities are now inverted. The Stunnel on the server side becomes an SSL client, and the Stunnel on the client side - an SSL server.
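The security of both the forward and the reverse setup rests on the same few stunnel.conf properties: "verify = 3", a certificate and CA file on each side, and the unencrypted VNC leg staying on the loopback interface. The following Python auditor is an added example, not part of the original article or of the Stunnel distribution; function names and the weak sample config are made up for illustration, and it relies on Stunnel's defaults that a bare port in "accept" listens on all addresses while a bare port in "connect" means localhost.

```python
import ipaddress


def parse_stunnel_conf(text):
    """Parse stunnel.conf text into (global_options, {service_name: options})."""
    global_opts, services = {}, {}
    current = global_opts
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith((";", "#")):   # blank line or comment
            continue
        if line.startswith("[") and line.endswith("]"):
            current = services.setdefault(line[1:-1].strip(), {})
            continue
        key, sep, value = line.partition("=")
        if sep:
            current[key.strip().lower()] = value.strip()
    return global_opts, services


def endpoint_host(value, default_host):
    """Return the host part of '[host:]port', or default_host for a bare port."""
    host, sep, _port = value.rpartition(":")
    return host if sep else default_host


def is_loopback(host):
    if host.lower() == "localhost":
        return True
    try:
        return ipaddress.ip_address(host).is_loopback
    except ValueError:
        return False          # a name we cannot prove is local


def audit(text):
    """Return a list of (service, option, problem) tuples; empty means no findings."""
    findings = []
    global_opts, services = parse_stunnel_conf(text)
    for name, svc in services.items():
        opt = {**global_opts, **svc}      # service options override global ones
        if opt.get("verify") != "3":
            findings.append((name, "verify", "peer is not checked against a locally installed certificate"))
        if "cert" not in opt:
            findings.append((name, "cert", "no own certificate to present to the peer"))
        if "cafile" not in opt:
            findings.append((name, "CAfile", "no CA certificate to validate the peer's chain"))
        # The plaintext VNC leg is 'accept' in SSL client mode, 'connect' in SSL server mode.
        if opt.get("client", "no").lower() == "yes":
            side, default_host = "accept", "0.0.0.0"
        else:
            side, default_host = "connect", "127.0.0.1"
        value = opt.get(side)
        if value is None:
            findings.append((name, side, "option is missing"))
        elif not is_loopback(endpoint_host(value, default_host)):
            findings.append((name, side, "unencrypted VNC side is reachable from the network"))
    return findings


def article_conf(cert, client, accept, connect):
    """Build one of the article's stunnel.conf files from its four varying values."""
    return (f"CAfile = CAcert.pem\nCApath = certificates\ncert = {cert}\n"
            f"client = {client}\nverify = 3\n\n[vnc]\naccept = {accept}\nconnect = {connect}\n")


ARTICLE_CONFIGS = {
    "forward/server": article_conf("server.pem", "no", "443", "127.0.0.1:5900"),
    "forward/client": article_conf("client.pem", "yes", "127.0.0.1:5900", "VNC_server_IP_address:443"),
    "reverse/server": article_conf("server.pem", "yes", "127.0.0.1:5500", "VNC_client_IP_address:443"),
    "reverse/client": article_conf("client.pem", "no", "443", "127.0.0.1:5500"),
}

# Constructed weak variant: chain-only verification, no CA file, listener on all interfaces.
WEAK_CLIENT = "cert = client.pem\nclient = yes\nverify = 2\n\n[vnc]\naccept = 5900\nconnect = 192.0.2.10:443\n"

if __name__ == "__main__":
    for label, conf in {**ARTICLE_CONFIGS, "weak/client": WEAK_CLIENT}.items():
        problems = audit(conf)
        print(label, "OK" if not problems else problems)
```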

There is also a change in the way of establishing a connection by the VNC software. In this method, the vncviewer.exe should be run first, in listening mode (Start Menu → RealVNC → VNC Viewer → Run Listening VNC Viewer). Then, on the VNC server, we must use the "Add New Client" option as follows:

After performing these steps, the connection between the VNC server and the client should be established.

The above solution is a very effective way of getting around NAT limitations; however, it has one very important disadvantage: in order to establish a reverse connection, manual intervention on the server side is required. The question arises whether there is a way to establish such a connection without manual intervention.

It appears that it is possible. To solve the problem of manual intervention, it suffices to use the "Task Scheduler Service" built into the MS Windows operating system. The screenshot below shows an example configuration of the "Task Scheduler", in which the VNC server tries to establish a connection with the VNC client every day between 9 a.m. and 9 p.m., in 10-minute intervals. If we want to establish a connection with the VNC server, all we need to do is run the VNC in listening mode and wait until the server connects. In 10 minutes at the most, the graphics console will be "sent" to us.

The method described above is undoubtedly very limited and disadvantageous. Apart from that, however, the method presented is an interesting way to manage a host to which we cannot establish a direct connection.

Summary

There are a lot of programs for MS Windows remote management. Unfortunately, a large number of them either don't secure transmitted data, or their implementation comes with additional, often significant costs. The method outlined in the discussion above is a free solution for secure remote MS Windows management. Thanks to the SSL protocol and authentication based on certificates, the described solution has a chance to compete with commercial solutions not only in affordability, but also in effective security.

-Abhiz

Tuesday, August 12, 2008

Browser toolbar to check site security

LAS VEGAS -- Security researcher David Maynor hopes that his credit-card data has been stolen for the last time.

Tired of insecure sites losing his data, the chief technology officer at Errata Security said the company plans to release a toolbar for major browsers that will check visited Web sites for obvious security issues. The add-on software will check for twenty signs -- such as the version numbers of the Web server and the content management system -- to make sure that the site has no obvious flaws.

"You don't think about checking that stuff every time you go to a Web site," Maynor said. "If you go to a site with this toolbar, you will know whether it's vulnerable" but not necessarily if it's secure.

Other browser plug-ins have attempted to solve the site security issues. Both SiteAdviser, owned by McAfee, and Web security firm Finjan have add-on software that will rate Web sites in terms of security. Microsoft, Mozilla and Opera have all added anti-malware technology to their latest browsers.

The software will not be probing sites, but making its judgement based on the content returned by the site to normal Web browsing queries, he said. If he had been using similar software, it might have alerted Maynor to the security problems of one Web site which allowed online criminals to steal a cache of credit-card data, among them the researcher's own information, he said.

The researcher, known for his controversial presentation of a flaw in wireless drivers, said Errata will release the toolbar, dubbed Barrier, on Monday. The company will aggregate usage statistics from the toolbars to help improve security, Maynor said.

-Abhiz