Tuesday, 21 October 2014

The Five Most Important Concepts of Computer Security

It seems that every day there is some new security threat to the computer systems we rely upon. Those of us responsible for maintaining and securing systems need to know how to approach these threats. This article describes five concepts that help keep your computer systems secure.

#1 Understand Your System

When you start the engine of your car you know how it should sound. A noise you do not recognise sets off a mental alarm and you decide on the next course of action. We can approach our systems in the same manner: for example, if you run the top command on a server, what are the expected memory and CPU usage, and which processes should be there?

Unless you know what is expected on a system it is difficult to recognise when there is an issue, so record what normal looks like (processes, load, listening ports, who logs in) while the system is healthy.

#2 Principle of least privilege

This principle has been around a long time but is vital to ensuring systems are not compromised. In essence a user is only given the rights required to perform their job and no more. For example, a backup user should only have the rights needed to run backups and not, for example, to install software.

Other options exist, such as granting specific commands through sudo rather than a root shell, or providing a VM that a user can use for certain operations. In some situations a chroot or jail environment can limit what an over-privileged or compromised process is able to reach.

#3 Defence in depth (protection rings)

For security, having multiple layers of protection is vital. Often called protection rings or defence in depth, this means protecting data with several independent layers of security. Medieval castles had many levels of defence, e.g. moats, high ground and a portcullis. It is important to have more than one defence, e.g. not just a firewall or anti-virus, so that a single failure does not expose everything.

An example of four rings of defence is :

A). Block network based attacks
B). Block host based attacks
C). Eliminate security vulnerabilities : this includes removing any unrequired services, which in turn reduces the attack surface
D). Safely support authorized users

#4 Detection is vital

Having all the defences in the world is one thing, but detection is a must. The difference between one hour and one month to detect a breach of your system is massive. An Intrusion Detection System (IDS) is like a burglar alarm for your computer network: it monitors the flow of traffic (or, for a host-based IDS, activity on the host) and identifies, logs, reports and raises an alarm whenever there is a probe or attack. Note that an IDS detects and alerts; blocking is the job of a firewall or an intrusion prevention system, and an alert that nobody reads is worth nothing.

#5 Know your enemy

We can try to guess what attackers are attempting to do in our systems, but knowledge is power. To stand any chance of protecting your system you need to

- First, know who your enemies are
- How they might attack
- When they might attack
- Potentially most important of all, why they attack.

Saturday, 19 July 2014

Check your Public IP address Geo Location using the command line on Linux

If you are using VPN connections it can be important and useful to be able to check your current public IP. For me going to one of the many web sites that offer such a service is slow. As always on Linux the command line is the fastest way. Searching around I found geoiplookup which did exactly what I wanted. It uses the GeoIP library and database to find the Country that an IP address or hostname originates from.


$ geoiplookup <IP address or hostname>

Displays the country the address originates from, e.g.

NL, Netherlands

You can have a simple shell script like the following (the address is fetched once and reused, and quoted so that an unexpected response cannot be split into extra arguments) :

#!/bin/sh
PUBLICIP=$(curl -s checkip.dyndns.org | sed 's/.*IP Address: \([0-9.]*\).*/\1/')
echo "Current Public IP is : $PUBLICIP"
geoiplookup "$PUBLICIP"
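The checkip page is untrusted input, so before its contents are handed to geoiplookup it is worth checking that what came back actually looks like an IPv4 address. The script below is an added example, not part of the original post: it keeps the same checkip.dyndns.org lookup but validates the extracted address first. The sample response body is constructed (203.0.113.0/24 is a documentation range) so the parsing and validation can be checked offline.

```shell
#!/bin/sh
# Added example, not from the original post. The checkip page is untrusted input,
# so the address is validated before it is passed to geoiplookup.

# Constructed sample of what checkip.dyndns.org returns (203.0.113.0/24 is a
# documentation range, so this is not a real address).
SAMPLE_BODY='<html><head><title>Current IP Check</title></head><body>Current IP Address: 203.0.113.7</body></html>'

# Print the first "IP Address: a.b.c.d" value found in the HTML passed as $1.
extract_ip() {
    printf '%s\n' "$1" | sed -n 's/.*IP Address: \([0-9.]*\).*/\1/p' | head -n 1
}

# Return 0 only if $1 is a dotted quad: four octets, each 0-255, nothing else.
valid_ipv4() {
    ip=$1
    case $ip in
        ''|*[!0-9.]*|.*|*.|*..*) return 1 ;;
    esac
    old_ifs=$IFS
    IFS=.
    set -- $ip
    IFS=$old_ifs
    [ $# -eq 4 ] || return 1
    for octet in "$@"; do
        [ ${#octet} -le 3 ] || return 1
        [ "$octet" -le 255 ] || return 1
    done
    return 0
}

# Live lookup: fetch, extract, validate, then geolocate. Not run at load time.
lookup_public_ip() {
    body=$(curl -s http://checkip.dyndns.org) || return 1
    ip=$(extract_ip "$body")
    if ! valid_ipv4 "$ip"; then
        echo "checkip response did not contain a valid IPv4 address" >&2
        return 1
    fi
    echo "Current Public IP is : $ip"
    geoiplookup "$ip"
}
```

Call lookup_public_ip for the live check; extract_ip and valid_ipv4 can be exercised on their own against SAMPLE_BODY. The lookup itself is plain HTTP, so a man in the middle could feed you a bogus address; the validation stops that from turning into a shell-injection problem but not from lying to you.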

To install on Arch :

$ sudo pacman -S geoip

To install on Ubuntu, Linux Mint or Debian

$ sudo apt-get install geoip-bin

By default the IP to country database is located at /usr/share/GeoIP/GeoIP.dat

Monday, 14 July 2014

How to stop embedded images tracking your location on Gmail

You may think that the only way people can tell if you opened an email is the good old 'read receipt', but there is another, more subtle method: embedded images. Currently this method is used by phishers, marketers and spammers to track where and when people open emails and to gather other useful information.

The most common method of email tracking is the embedded image. The process is relatively simple :

- The email is created in HTML

- It includes a reference to an image hosted on a remote server that the sender owns or has access to (often a tiny image the reader never notices)

- Each email can be given a unique image URL, which tells the sender exactly which individual opened it

- The HTTP request your email client makes to fetch the referenced image carries your IP address (which can locate you, at least to your city, unless you are on a VPN) and a User-Agent header identifying your browser or mail client and operating system.

All very useful information that can be used to draw a number of conclusions about the reader :

- Where was the email opened

- What time was the email opened

- How long from when the email was sent was it opened

- What type of device was the email opened on

- Prove that it made it past any spam filters in place

- Show that the email address is valid and in active use
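To make the list above concrete, here is the sender's side of the scheme as an added example, not from the original post. Each recipient is mailed a unique image URL such as /t/<token>.gif, and the web server's access log then records who fetched it, from where, when and with which client. The log lines are constructed (documentation IP ranges, made-up tokens) in the common Apache/nginx combined format; the path scheme /t/<token>.gif is an assumption for the example.

```shell
#!/bin/sh
# Added example, not from the original post: the sender's side of a tracking pixel.
# Each recipient is mailed a unique image URL such as /t/<token>.gif; the web
# server's access log then records who fetched it, from where, when and with what
# client. The log lines below are constructed (documentation IP ranges, made-up tokens).

SAMPLE_LOG='198.51.100.23 - - [14/Jul/2014:09:12:01 +0000] "GET /t/a1b2c3.gif HTTP/1.1" 200 43 "-" "Mozilla/5.0 (Linux; Android 4.4.2) AppleWebKit/537.36 Chrome/35.0 Mobile"
203.0.113.9 - - [14/Jul/2014:09:15:44 +0000] "GET /index.html HTTP/1.1" 200 1024 "-" "Mozilla/5.0 (X11; Linux x86_64) Firefox/30.0"
192.0.2.77 - - [14/Jul/2014:10:02:17 +0000] "GET /t/d4e5f6.gif HTTP/1.1" 200 43 "-" "Mozilla/5.0 (Windows NT 6.1) Thunderbird/24.6.0"
198.51.100.23 - - [15/Jul/2014:07:40:09 +0000] "GET /t/a1b2c3.gif HTTP/1.1" 200 43 "-" "Mozilla/5.0 (Linux; Android 4.4.2) AppleWebKit/537.36 Chrome/35.0 Mobile"'

# Read a combined-format access log on stdin and print, per pixel fetch:
# token, client IP, timestamp, user agent. Non-pixel requests are ignored.
pixel_hits() {
    awk '
        $7 ~ /^\/t\/[0-9a-f]+\.gif$/ {
            token = $7; sub(/^\/t\//, "", token); sub(/\.gif$/, "", token)
            ts = $4; sub(/^\[/, "", ts)
            ua = $0; sub(/.*" "/, "", ua); sub(/"$/, "", ua)   # last quoted field
            printf "%s %s %s %s\n", token, $1, ts, ua
        }'
}

# Fetch count per token, most opened first: a token fetched twice from the same
# address is a re-read; from a new address it was forwarded or opened elsewhere.
opens_per_token() {
    pixel_hits | awk '{ print $1 }' | sort | uniq -c | sort -nr
}
```

Feed a real log with `pixel_hits < access.log` or `opens_per_token < access.log`. Everything the functions print is exactly what the Gmail setting described next denies the sender: with external images blocked, no request is made and no line is logged until you choose to display them.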

Gmail Solution

With Gmail, as with most Google privacy settings, you must opt out: external images are displayed automatically by default. This can be changed as follows :

Browser Client

- Select Gear icon then Settings

- Under the General tab look for Images (currently fourth down in the list)

- Select 'Ask before displaying external images'

- Scroll to bottom of screen

- Select Save Changes


Android App

- Select menu on left and scroll down to the bottom (may take a while if you have lots of labels) until you see Settings   

- Select each email address in turn (if you have multiple), scroll to the bottom and select Images

- Change to Ask before showing

Sunday, 6 July 2014

OpenWRT : Use Google Public DNS

By default you will be using the DNS servers supplied by your ISP. With OpenWRT it is easy to change to an alternative DNS service. A popular option is Google Public DNS.

Advantages claimed for Google's DNS are :

  • Faster web browsing
  • Improved security (resolver hardening against cache poisoning)
  • No redirection of mistyped or non-existent names to ISP search pages
Note - depending on your location it could be slower; your geographic location determines the closest Google DNS server you are directed to. Also note that ordinary DNS queries travel unencrypted, so this change protects against ISP redirection and a poorly run resolver but not against someone on the path watching your lookups, and it moves your DNS history from your ISP to Google.

In OpenWRT the change is a simple process :

  • Open the LuCI web interface
  • Select 'Network' -> 'DHCP and DNS'
  • Locate 'DNS forwardings'
  • Enter ''
  • Press '+' button to enable a second entry
  • Enter ''
  • Select 'Save & Apply'
It should look similar to the following :

Saturday, 21 June 2014

Using Wireshark to evaluate a packet capture

Wireshark is a fantastic tool for both capturing and evaluating traffic. I typically capture traffic using the Linux command line tool 'tcpdump' but like to use Wireshark for evaluation. In this post I will focus on evaluating packet captures.

If you can quickly find packets of interest, e.g. an insecure HTTP connection, you can right-click on a packet and select 'Follow TCP Stream', which reassembles and shows the whole conversation in order.

With a packet capture open in Wireshark there is a Filter box along the top which you can use to find packets of interest. I find the display filter 'frame contains <search term>' yields interesting results, e.g. the following. Note that 'contains' is a case-sensitive byte match, which is why both spellings of password appear; 'frame matches "(?i)password"' performs a case-insensitive regular-expression search instead.

frame contains Password
frame contains password
frame contains login
frame contains test.com

Another method, for example to ensure a password is not being sent in clear text, is to select Edit -> Find Packet in Wireshark and in the resulting window :

  • Select String under Find
  • In the Filter field enter the password of interest, e.g. secret
  • Under 'Search In' select 'Packet bytes'
  • Select Find

If at the very bottom of the screen you see 'No packet contained that string', the password did not cross the network in that exact form. That is reassuring but it is not proof that it was encrypted: the credential may have been encoded rather than encrypted (HTTP Basic authentication is base64), URL-encoded, hashed client-side, sent in a different character set, or split across two packets, so check what the application actually does before declaring it safe.
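An added example, not from the original post, of why a clean string search is not proof of encryption: HTTP Basic authentication carries the password base64-encoded, so a 'Packet bytes' search for the clear-text word cannot see it even though nothing was encrypted. The request below is constructed; the functions take a text dump such as tcpdump -A output or a saved TCP stream on stdin.

```shell
#!/bin/sh
# Added example, not from the original post: a credential can cross the wire in
# clear text and still not match a plain-string search. HTTP Basic authentication
# sends "user:password" base64-encoded, so searching the bytes for "secret" finds
# nothing although no encryption was involved. The request below is constructed.

SAMPLE_REQUEST='GET /admin HTTP/1.1
Host: intranet.example.com
Authorization: Basic YWxpY2U6c2VjcmV0
User-Agent: curl/7.37.0
Accept: */*'

# Pull every Basic credential out of a text dump on stdin and print it decoded
# as user:password, one per line.
decode_basic_auth() {
    grep -i '^Authorization: Basic ' | awk '{ print $3 }' | while read -r token; do
        printf '%s' "$token" | base64 -d 2>/dev/null
        echo
    done
}

# Exit 0 if the clear-text secret $1 appears in dump $2 either literally or inside
# a Basic credential; the second case is what "No packet contained that string" misses.
secret_exposed() {
    secret=$1
    dump=$2
    if printf '%s\n' "$dump" | grep -q -- "$secret"; then
        return 0
    fi
    printf '%s\n' "$dump" | decode_basic_auth | grep -q -- ":$secret$"
}
```

Against a real capture: `tcpdump -A -r capture.pcap | decode_basic_auth`. The same idea applies to form posts (URL-encoded) and to anything the application obfuscates on the client; absence of the literal string is evidence, not proof.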

Note : this tool should not be used in a malicious way. It should only be used to ensure your own environment is safe where you have permission to run it e.g. your local network. 

OpenWrt tcpdump packet captures for traffic evaluation

It is really useful to be able to capture traffic on your local network. One common use case is capturing traffic from a mobile application that you believe may not be secure. With OpenWrt as our router we can install and use tcpdump to capture the traffic.

I have created a non-root account, as is best practice, so many commands will require 'sudo' to obtain the correct privileges.

First we need to update the package manager then install tcpdump :

$ sudo opkg update
$ sudo opkg install tcpdump

Now we can run tcpdump and capture the traffic in a file for evaluation.

Run ifconfig to identify the bridge interface on your network, which will typically carry the router's LAN IP address :

$ ifconfig

In my case the adapter is 'br-lan', which the devices provisioned by OpenWRT route through.

Check the amount of free disk space before writing to a file (on OpenWrt /tmp is usually RAM-backed, so a long capture can exhaust it). In this example I have sufficient free space in /tmp.

$ df -h

We can now run a packet capture with sudo using the following example syntax, changing 'Host IP address' to the IP of your device, e.g. your phone, and 'nameof capture' to an appropriate name. Filtering on the one host keeps the file small and avoids recording other people's traffic.

$ sudo tcpdump -i br-lan -vvv host <Host IP address> -w <nameof capture>.pcap

Generate some network traffic on your device and when complete  press 'Ctrl + C'.

You can then scp the file to your PC for evaluation with a tool like Wireshark. Example syntax :

$ scp <nameof capture>.pcap user@<PC IP>:~/tmp

On Arch Linux you can install Wireshark with

$ sudo pacman -S wireshark-gtk

Sunday, 13 April 2014

How to be secure using the Internet - a simple guide

With the recent publicity surrounding the Heartbleed bug in the media, the importance of being secure online has been highlighted. Aside from Heartbleed, many high profile companies have had major security incidents with massive numbers of credit card records stolen; Target and Adobe are two of the most high profile examples. In the case of Adobe the number of users affected is believed to be 38 million.

Online security can feel like an impossible task, but in many ways it is similar to a car. There are a number of things you can do to reduce the risk of your car being broken into: not leaving valuables on display and parking in a well lit area are things we take for granted as common sense. In this article I discuss some simple strategies to help keep you safe online.

1. Software Updates

This is the easiest and most underestimated task. If you find getting updates for Java, Windows or other software annoying, it is important to realise that applying these updates ASAP is vital, as they usually contain fixes for recently found security vulnerabilities. The same is true of any device connected to the Internet, e.g. smartphone, tablet, TV.

2. Password Manager

Best practice for passwords on the Internet is to use a different, hard-to-guess password (long, with numbers and non-standard characters) for every service. With more and more services this becomes impossible to do from memory: how can you remember over 100 unique passwords? The answer is to use a password manager. There are many options on the market and you can research the best password manager for your needs. Many include security alerts and password generators.

3. Multiple accounts

Have separate email, Facebook, Twitter and similar accounts that you use when required to sign up for a service or promotion. This way your primary email and Facebook account will not be targeted by spam, and if the service you signed up for is hacked the attackers will not have your primary account information.

4. Personal information

On social networking sites like Facebook set privacy settings as high as possible and do not share your birth date (including the year), as this makes it easier to answer security questions. If a new service does not require your email or Facebook account to sign up, create a new unique username and password to protect your identity.

5. Restrict use of public WiFi

Never use public WiFi for financial transactions if at all possible. Anyone in the same coffee shop could potentially intercept unencrypted traffic or impersonate the access point and you would never know. Restrict usage to looking up information, e.g. Google or a news web site, and if you must do more make sure the site uses HTTPS or use a VPN.

6. Be on the lookout for Phishing scams

Be careful with emails sent to you and do not open attachments from people you do not know. Be especially careful with emails relating to financial information and account or password resets; go to the site directly rather than following the link in the email.

7. Always use HTTPS when browsing  

When browsing the Internet always use the secure https:// rather than the http:// version of a web site. This ensures that your communications are encrypted. A good plugin that performs this automatically is HTTPS Everywhere from the Electronic Frontier Foundation.

HTTPS Everywhere - great simple browser extension to keep data safe

Over the weekend at Linux Fest North West I attended a great talk given by the Electronic Frontier Foundation on Internet security. It touched on a few themes but the one I found of most benefit was a free extension called HTTPS Everywhere that they developed.

The premise is that you likely go to a web site directly from a search engine and just click the link that appears. You may not be aware there is an HTTPS version of that web site. The extension automatically redirects you to the HTTPS version of the site even though you clicked the HTTP link.

One example given in the talk was Wikipedia, which has an HTTPS version of the site. Why would you want to use a secure version of a site that hosts publicly accessible information? To protect your privacy, e.g. when looking up the symptoms of a disease or party political information.

With the browser extension for Firefox or Chrome installed, when you open an HTTP link for a site listed in the extension's ruleset it automatically redirects to the HTTPS site. Sites without a rule are left on HTTP, so it is a big improvement rather than a guarantee.

I have been using it for a week now and it's great. You can download it here for Firefox and it's also in the Chrome store. There is an extensive FAQ that gives more detailed information if you are interested.

You can now enjoy a more secure web browsing experience :)

Capture packets in Ascii and grep on traffic

There are so many different features in tcpdump for packet captures that can be used in many situations. Recently I wanted to capture traffic and grep for a certain string in the packets.


  •  On Linux Mint or Ubuntu :
$ sudo apt-get -y install tcpdump


  • To capture all HTTP web traffic (port 80) containing 'www.wikipedia.org'. -A prints each packet in ASCII, -nn suppresses name and port lookups, -s 0 captures whole packets and -l line-buffers the output so that grep sees lines as they arrive rather than when the buffer fills :

$ sudo tcpdump -l -i eth0 -A -nn -vvv -s 0 port 80 | grep -e 'www.wikipedia.org'

  • Either open a browser or use 'wget'
 $ wget http://www.wikipedia.org

  •  The capture will show for example
 $ sudo tcpdump -l -i eth0 -A -nn -vvv -s 0 port 80 | grep -e 'www.wikipedia.org'
tcpdump: listening on eth0, link-type EN10MB (Ethernet), capture size 65535 bytes
Host: www.wikipedia.org
<body id="www-wikipedia-org">
<form class="search-form" action="//www.wikipedia.org/search-redirect.php">

  • It can be more useful to direct the output to a file :
  $ sudo tcpdump -l -i eth0 -A -nn -vvv -s 0 port 80 | grep -e 'www.wikipedia.org' > $HOME/tmp/wikipedia.tmp

  •  If the file stays empty until you stop the capture, tcpdump's output is being block-buffered because stdout is a pipe; -l fixes this. Alternatively write all the ASCII traffic to a file and grep it afterwards :

 $ sudo tcpdump -l -i eth0 -A -nn -vvv -s 0 port 80 > $HOME/tmp/wikipedia.tmp

  •  To find the most common matching lines, sort, count the unique values and sort again by count :
$ grep "wikipedia.org" wikipedia.tmp | grep href | sort | uniq -c | sort -nr | head -n 2

1 <span lang="no">Norsk (<a href="//no.wikipedia.org/" lang="nb">bokm..l</a>&nbsp;... <a href="//nn.wikipedia.org/" lang="nn">nynorsk</a>)</span>&nbsp;...
1 ..&..O.. href="//chy.wikipedia.org/" lang="chy">Ts..hesen..stsestotse</a>&nbsp;...
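The pipelines above pick out one site. As an added example, not from the original post, the functions below summarise every clear-text HTTP host and request line in a tcpdump -A dump, which is usually the first question when checking what a device talks to. The dump is constructed to look like tcpdump -A output (non-printable bytes shown as dots, documentation addresses throughout).

```shell
#!/bin/sh
# Added example, not from the original post: instead of grepping for one site,
# summarise every clear-text HTTP host and request line in a tcpdump -A dump.
# The dump below is constructed; -A output shows non-printable bytes as '.'.

SAMPLE_DUMP='12:00:01.000001 IP 192.168.1.20.51234 > 203.0.113.10.80: Flags [P.], seq 1:80, ack 1, win 229, length 79
E..w..@.@.......
GET / HTTP/1.1
Host: www.wikipedia.org
User-Agent: Wget/1.15 (linux-gnu)
Accept: */*

12:00:02.000001 IP 192.168.1.20.51236 > 203.0.113.5.80: Flags [P.], seq 1:90, ack 1, win 229, length 89
E..w..@.@.......
POST /login HTTP/1.1
Host: app.example.com
Content-Type: application/x-www-form-urlencoded

user=bob&pass=hunter2
12:00:03.000001 IP 192.168.1.20.51237 > 203.0.113.10.80: Flags [P.], seq 1:80, ack 1, win 229, length 79
E..w..@.@.......
GET /wiki/Main_Page HTTP/1.1
Host: www.wikipedia.org'

# Count requests per Host header, most frequent first.
hosts_seen() {
    awk '/^Host: / { print $2 }' | sort | uniq -c | sort -nr
}

# List request lines as "METHOD http://host/path", pairing each request line with
# the Host header that follows it in the same packet.
requests_seen() {
    awk '
        /^(GET|POST|PUT|DELETE|HEAD) / { method = $1; path = $2 }
        /^Host: / && method != "" { print method, "http://" $2 path; method = "" }'
}
```

Run them as `tcpdump -l -i eth0 -A -nn -s 0 port 80 | hosts_seen` or against a saved file with `tcpdump -A -r capture.pcap | requests_seen`. Anything that appears here was sent in the clear; a POST to a login path is the line to look at first.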

Generate random MAC Address with bash on Linux

It can be useful to be able to quickly generate a random MAC address for virtual environments like KVM. The following method always sets the first octet to 00, which can be changed as required. Be aware that 00:xx:xx:xx:xx:xx addresses fall in the range assigned to real vendors, so for virtual machines a locally administered first octet such as 02 is the safer choice.

$ MACAddress=$(dd if=/dev/urandom bs=1024 count=1 2>/dev/null|md5sum|sed 's/^\(..\)\(..\)\(..\)\(..\)\(..\)\(..\).*$/00:\2:\3:\4:\5:\6/')

$ echo $MACAddress
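As an added example, not from the original post, the following variant sets the locally administered bit and clears the multicast bit of the first octet instead of fixing it to 00. The second hex digit of the first octet then ends up as 2, 6, a or e, a range reserved for local use, so a generated address cannot clash with a real vendor OUI and will not be refused as a multicast address.

```shell
#!/bin/sh
# Added example, not from the original post: a random MAC whose first octet marks it
# as locally administered (bit 1 set) and unicast (bit 0 clear), so it cannot
# collide with a vendor-assigned OUI and is not a multicast address.

# Print six random hex octets as aa:bb:cc:dd:ee:ff with the first octet fixed up.
random_mac() {
    # 6 random bytes from the kernel as 12 lowercase hex digits on one line
    raw=$(od -An -N6 -tx1 /dev/urandom | tr -d ' \n')
    first=$(printf '%s' "$raw" | cut -c1-2)
    rest=$(printf '%s' "$raw" | cut -c3-12 | sed 's/../&:/g; s/:$//')
    # set bit 1 (locally administered), clear bit 0 (unicast) of the first octet
    first=$(printf '%02x' $(( (0x$first | 0x02) & 0xfe )))
    printf '%s:%s\n' "$first" "$rest"
}

# Return 0 if $1 is a well-formed, lowercase, locally administered unicast MAC.
is_local_unicast_mac() {
    case $1 in
        [0-9a-f][26ae]:[0-9a-f][0-9a-f]:[0-9a-f][0-9a-f]:[0-9a-f][0-9a-f]:[0-9a-f][0-9a-f]:[0-9a-f][0-9a-f])
            return 0 ;;
        *)
            return 1 ;;
    esac
}
```

`random_mac` prints one address per call; is_local_unicast_mac is the check to run on any address you are about to hand to a hypervisor or to `ip link set ... address`.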

How to install execstack on Ubuntu and Arch Linux

Execstack is a great tool for learning and training on Linux. It is a program which sets, clears, or queries the executable stack flag of ELF binaries and shared libraries. When I was looking to install it, it took me a bit to find which package it is in: it is shipped as part of prelink. You can install it with :


Ubuntu

$ sudo apt-get install prelink

Arch Linux

$ sudo pacman -S prelink
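As an added example, not from the original post, here is the check you will most often want once it is installed: does a binary ask for an executable stack? `execstack -q file` prints X or - before the file name, `execstack -s` sets the flag and `execstack -c` clears it; where execstack is not available the same answer can be read from the PT_GNU_STACK program header with readelf. The readelf output below is constructed to match its usual program-header layout.

```shell
#!/bin/sh
# Added example, not from the original post: check whether a binary asks for an
# executable stack, via readelf so it works wherever binutils is installed.
# The readelf -lW output below is constructed from the usual program-header layout.

SAMPLE_READELF_NX='Program Headers:
  Type           Offset   VirtAddr           PhysAddr           FileSiz  MemSiz   Flg Align
  LOAD           0x000000 0x0000000000400000 0x0000000000400000 0x000724 0x000724 R E 0x200000
  GNU_STACK      0x000000 0x0000000000000000 0x0000000000000000 0x000000 0x000000 RW  0x10'

SAMPLE_READELF_X='Program Headers:
  Type           Offset   VirtAddr           PhysAddr           FileSiz  MemSiz   Flg Align
  LOAD           0x000000 0x0000000000400000 0x0000000000400000 0x000724 0x000724 R E 0x200000
  GNU_STACK      0x000000 0x0000000000000000 0x0000000000000000 0x000000 0x000000 RWE 0x10'

# Classify readelf -lW output on stdin: prints "executable", "non-executable" or
# "missing". A missing PT_GNU_STACK header makes the x86 Linux kernel fall back
# to an executable stack, so "missing" is as bad as RWE.
stack_flag() {
    awk '
        $1 == "GNU_STACK" {
            seen = 1
            if ($7 ~ /E/) print "executable"; else print "non-executable"
        }
        END { if (!seen) print "missing" }'
}

# Convenience wrapper over a real file (needs binutils); not run at load time.
check_binary() {
    readelf -lW "$1" | stack_flag
}
```

`check_binary /bin/ls` should print non-executable on any modern distribution; a training binary built with `-z execstack` (or flagged with `execstack -s`) prints executable. Shared libraries count too: one library that requests an executable stack makes the whole process stack executable when it is loaded.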

Thursday, 6 February 2014

Stegdetect automated tool for detecting steganographic content in images

Stegdetect is an automated tool for detecting steganographic content in images. It can be obtained from the Arch Linux AUR (Arch User Repository) and requires GTK. The tool :
  • Analyses image files for steganographic content
  • Runs statistical tests to determine if steganographic content is present
  • Attempts to identify the system that was used to embed the hidden information
An example is running it against the famous 3301 image :

$ stegdetect 3301.jpg
3301.jpg : appended(61)<[nonrandom][ASCII text][TIBERIVS CLAVDIV]>

This shows 61 bytes of ASCII text appended after the end of the JPEG data, together with the first letters of that text. A tail of the file shows :

$ tail --bytes=61 3301.jpg
TIBERIVS CLAVDIVS CAESAR says "lxxt>33m2mqkyv2gsq3q=w]O2ntk"

Note : the '-c' option of tail could have been used in place of '--bytes=61'

This is a shift or Caesar cipher, with 'lxxt>33' being 'http://' (each character has been moved four places up the ASCII table, including the punctuation, which is why '>' stands for ':' and '3' for '/'). This then allows the substitution of 4 characters to be deduced leading to
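An added example, not from the original post, that applies the shift to the whole string instead of substituting characters by hand: shift_ascii moves every character of its input by the given number of positions in the ASCII table (ASCII input only; multi-byte characters are not handled). Shifting the appended text by -4 shows whether one uniform shift explains all of it, and shifting the result back by +4 checks the round trip.

```shell
#!/bin/sh
# Added example, not from the original post: undo an ASCII shift cipher.
# shift_ascii STRING N prints STRING with every character moved N positions
# (N may be negative) in the ASCII table. ASCII input only.

shift_ascii() {
    s=$1
    n=$2
    out=""
    while [ -n "$s" ]; do
        c=${s%"${s#?}"}                 # first character
        s=${s#?}                        # remainder
        code=$(printf '%d' "'$c")       # character to its ASCII code
        code=$((code + n))
        out="$out$(printf "\\$(printf '%03o' "$code")")"   # code back to a character
    done
    printf '%s\n' "$out"
}

# The 61 appended bytes end with this quoted string; shifting it by -4 turns
# the 'lxxt>33' prefix into 'http://' and the rest into the remainder of a URL.
APPENDED='lxxt>33m2mqkyv2gsq3q=w]O2ntk'
```

Usage: `shift_ascii "$APPENDED" -4`. Because the shift is applied to the whole byte, not just to letters, a plain rot-N over the alphabet would leave the digits and punctuation wrong; that is the detail that makes this an ASCII shift rather than a letters-only Caesar cipher.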