Don’t run “strings” against files…

2014.10.27

From http://lcamtuf.blogspot.com/2014/10/psa-dont-run-strings-on-untrusted-files.html:

Many shell users, and certainly most of the people working in computer forensics or other fields of information security, have a habit of running/usr/bin/strings on binary files originating from the Internet. Their understanding is that the tool simply scans the file for runs of printable characters and dumps them to stdout – something that is very unlikely to put you at any risk.

It is much less known that the Linux version of strings is an integral part of GNU binutils, a suite of tools that specializes in the manipulation of several dozen executable formats using a bundled library called libbfd.

Other well-known utilities in that suite include objdump and readelf.Perhaps simply by the virtue of being a part of that bundle, the strings utility tries to leverage the common libbfd infrastructure to detect supported executable formats and “optimize” the process by extracting text only from specific sections of the file. Unfortunately, the underlying library can be hardly described as safe: a quick pass with afl (and probably with any other competent fuzzer) quickly reveals a range of troubling and likely exploitable out-of-bounds crashes due to very limited range checking

Check the site for POC code. It’s old and it’s nasty.

Categories : Security

Configuring cacti for 1-minute polling

2014.10.24

Trickier than it sounds, just because there’s lots of moving parts. Here is a handy guide that gets all the notes right: http://www.tolaris.com/2013/07/09/cacti-and-1-minute-polling/

Categories : HowTo

How to Manually Update Bash to Patch Shellshock Bug on Older Fedora-Based Linux Systems | Steve Jenkins’ Blog

2014.10.23
Categories : Security
Tags :     

Juniper MACSec Notes

2014.10.16

MACSec is kind of neat (TL;DR for the impatient: layer-1 crypto on links).

Media Access Control Security (MACsec) is an industry-standard security technology that provides secure communication for all traffic on Ethernet links. MACsec provides point-to-point security on Ethernet links between directly connected nodes and is capable of identifying and preventing most security threats, including denial of service, intrusion, man-in-the-middle, masquerading, passive wiretapping, and playback attacks. MACsec is standardized in IEEE 802.1AE.

MACsec allows you to secure an Ethernet link for almost all traffic, including frames from the Link Layer Discovery Protocol (LLDP), Link Aggregation Control Protocol (LACP), Dynamic Host Configuration Protocol (DHCP), Address Resolution Protocol (ARP), and other protocols that are not typically secured on an Ethernet link because of limitations with other security solutions. MACsec can be used in combination with other security protocols such as IP Security (IPsec) and Secure Sockets Layer (SSL) to provide end-to-end network security.

CLI config:

#create an association:
set security macsec connectivity-association ca1

#choose a mode (static cak recommended — see here for why)
set security macsec connectivity-association ca1 security-mode static-cak

#ckn needs to be a 64-digit number in hex, but any empty space is padded w/ 0’s
set security macsec connectivity-association ca1 pre-shared-key ckn deadbeef99

#cak needs to be a 32-digit number in hex, but any empty space is padded w/ 0’s
set security macsec connectivity-association ca1 pre-shared-key cak deadbeef11

# set to 255 to make it “less likely” to be chosen as key server, 0 for “more likely”
set security macsec connectivity-association ca1 mka key-server-priority 0

# set to 6000 for high-traffic environment. default to 2000.
set security macsec connectivity-association ca1 mka transmit-interval 6000

#this leaves headers unencrypted for troubleshooting, set to 0 for full encryption, set to 50 for unencrypted ipv6 headers
set security macsec connectivity-association ca1 offset 30

# replay protection, set to 0 to enforce all packets coming in order
set security macsec connectivity-association ca1 replay-protect replay-window-size 5

# exclude a protocol
set exclude-protocol lldp

#enable macsec
set security macsec interfaces xe-0/1/0 connectivity-association ca1

Troubleshooting:
show security macsec statistics interface xe-0/1/0 detail

additional reading:
http://www.juniper.net/techpubs/en_US/junos13.2/topics/concept/macsec.html
http://www.juniper.net/techpubs/en_US/junos13.2/topics/reference/command-summary/show-security-macsec-statistics.html
(Cisco version: http://www.cisco.com/c/en/us/td/docs/switches/lan/catalyst3750x_3560x/software/release/15-0_1_se/configuration/guide/3750xcg/swmacsec.pdf)

 

There’s a Cisco version of this here: http://david.piniella.net/2015/11/cisco-macsec-notes/

Categories : HowTo  Networking  Security

Google Online Security Blog: This POODLE bites: exploiting the SSL 3.0 fallback

2014.10.14

With This Tiny Box, You Can Anonymize Everything You Do Online | WIRED

2014.10.13
Categories : News  News  Privacy  Security

Linux / Unix / VMS equivalencies

2014.10.02

So you’re dumped in Brazil (VMS) and all you speak is English (Windows) and Spanish (Linux), how do you get by?

A universal translator, of course: http://bhami.com/rosetta.html

VMS

There’s also a VMS to Unix cheat-sheet: http://www.physnet.uni-hamburg.de/physnet/vms-unix-commands.html

and another: https://www.mpp.mpg.de/~huber/vmsdoc/unix_vms_cmd_xref.html

setting security/ownership in VMS: http://labs.hoffmanlabs.com/node/1806

tiny gotchas that you might not expect:

  • case insensitive
  • no
  • VMS has no set mount points, so you have to explicitly state which disk is being referenced in a command:
$ create/directory [.tmp]
$ copy dsa0: [.tmp]x.tmp
$ copy dsa0: [.tmp]y.tmp
$ copy dsa0: [.tmp]z.tmp

This creates a directory, .tmp, and three files inside it, x.tmp, y.tmp, z.tmp.

AIX

AIX Cheat-sheet: http://bigcalm.tripod.com/aix/handycommands.htm

AIX Cheat-sheet: http://www.tablespace.net/quicksheet/aix-quicksheet.pdf [PDF]

AIX Cheat-sheet: http://www.vmexplore.com/aix-commands-cheat-sheet/

AIX documentation: http://publib.boulder.ibm.com/infocenter/pseries/v5r3/index.jsp 

AIX Admin’s blog, full of AIX tips and tricks: http://nixys.fr/blog/?tag=aix (I haven’t used it but it’s the type of quick and to-the-point howto that I find most useful.)

a text file cheat-sheet — quick and dirty, no-nonsense: http://www.pimpworks.org/ibm/aix.txt

 

SOLARIS

The biggest caveat when going to Solaris from Linux is that a lot of the tools you expect are missing (ie, not installed by default) or different (ie, you’re expecting GNU versions). The easiest way to deal is to install the gnu tools and set them in your path. That said, Solaris 10 is less of a PITA than older versions (9, 8….or heaven forfend: SunOS).

Here is a fast and dirty “why doesn’t this work / how do I do this?” for Solaris: http://sysunconfig.net/unixtips/solaris.html

IBM redbooks, learn it, love it: http://www.redbooks.ibm.com/redbooks/pdfs/sg247186.pdf [PDF]

Lesser Known Solaris Features: http://www.c0t0d0s0.org/pages/lksfbook.html

 

Tags :           

Holder urges tech companies to leave device backdoors open for police – The Washington Post

2014.10.01

Attorney General Eric H. Holder Jr. said on Tuesday that new forms of encryption capable of locking law enforcement officials out of popular electronic devices imperil investigations of kidnappers and sexual predators, putting children at increased risk.

via Holder urges tech companies to leave device backdoors open for police – The Washington Post.

 

TL;DR: “we need to snoop on everything, for the kids”. Shameless, spineless, embarassing.

Categories : News  News  Privacy

The Criminal Indictment That Could Finally Hit Spyware Makers Hard | WIRED

2014.10.01

The indictment this week of the man behind an app designed for surreptitiously monitoring cellphone activity is only the second federal case filed against someone involved in the commercial sale of so-called spyware and stalkingware. But the case could have negative implications for others who make and sell similar snooping tools, experts hope.

The case involves StealthGenie, a spy app for iPhones, Android phones and Blackberry devices that until last week was marketed primarily to people who suspected their spouse or lover of cheating on them but it also could be used by stalkers or perpetrators of domestic violence to track victims. The app secretly recorded phone calls and siphoned text messages and other data from a target’s phone, all of which customers of the software could view online until the government succeeded to temporarily close the Virginia-based site (.pdf) that hosted the stolen data.

via The Criminal Indictment That Could Finally Hit Spyware Makers Hard | WIRED.

Categories : News  News  Privacy