Tag Archives: Ubuntu

Bodhi drop

(Photo caption: Jesse Ventura, The Body, not The Bodhi)

I started using Bodhi Linux a couple of months ago when the Linux Format magazine shipped it on their DVD. I liked the extremely minimalistic approach: the default install only includes the core OS, a browser, and the Enlightenment window manager that inspires its name. Happily, my Dell Precision M4600 ran it just fine: no problems with networking, sound, or anything.

Even with all that said, though, I’ve decided to move back to Xubuntu. Two primary reasons drive this decision.

First, the repositories feel insecure. Much like the rest of Ubuntu, they don’t use HTTPS (which probably makes sense given the state of SSL certificate checking by most non-browser applications), but they also intentionally do not sign the packages. This strikes me as a bad idea because now you have absolutely no assurance whatsoever that the package you get is what you expected to get. Using encryption properly doesn’t solve all security problems but we can’t handwave it away, either. Other than this, the distribution itself has worked pretty well thus far.
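As an added check (not from the post), here is a small Python audit of the two apt settings on Ubuntu-derived systems that waive the package-signature verification the post is worried about: the per-source [trusted=yes] option and the global APT::Get::AllowUnauthenticated setting. The sources.list and apt.conf fragments are constructed sample input.

```python
import re

# Constructed sample input, not from a real system: an apt sources list and an apt.conf fragment.
SOURCES_LIST = """\
deb http://archive.ubuntu.com/ubuntu precise main restricted
deb-src http://archive.ubuntu.com/ubuntu precise main
# hypothetical third-party repository that opted out of signature checks
deb [arch=amd64 trusted=yes] http://repo.example.invalid/ precise main
"""
APT_CONF = """\
// hypothetical global override
APT::Get::AllowUnauthenticated "true";
Acquire::http::Proxy "http://proxy.example.invalid:3128/";
"""

# deb/deb-src, optional [options], then the repository URI.
SOURCE_RE = re.compile(r'^\s*(deb|deb-src)\s+(\[(?P<opts>[^\]]*)\])?\s*(?P<uri>\S+)')
UNAUTH_RE = re.compile(r'^APT::Get::AllowUnauthenticated\s+"?(true|yes|1)"?\s*;', re.I)


def unsigned_sources(sources_text):
    """Return the URIs of sources that disable signature checking via [trusted=yes]."""
    hits = []
    for line in sources_text.splitlines():
        m = SOURCE_RE.match(line)  # comment lines never match
        if not m:
            continue
        opts = m.group("opts") or ""
        if re.search(r'\btrusted\s*=\s*yes\b', opts):
            hits.append(m.group("uri"))
    return hits


def global_unauthenticated(apt_conf_text):
    """True if an apt.conf fragment turns off signature checks for every source."""
    for line in apt_conf_text.splitlines():
        line = line.strip()
        if line.startswith("//"):  # apt.conf comment
            continue
        if UNAUTH_RE.match(line):
            return True
    return False


def audit(sources_text, apt_conf_text):
    """List every way this configuration would accept a package nobody signed."""
    findings = ["repository trusted without signatures: " + uri
                for uri in unsigned_sources(sources_text)]
    if global_unauthenticated(apt_conf_text):
        findings.append("APT::Get::AllowUnauthenticated is enabled globally")
    return findings
```

On a real host, feed it the contents of /etc/apt/sources.list, /etc/apt/sources.list.d/* and /etc/apt/apt.conf.d/* instead of the constructed strings.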

Second, and perhaps more pragmatically, the rest of my family already uses Xubuntu (because I don’t want to deal with Unity or Amazon lenses). It looks nice for them, does everything they want without much extra work on my part beyond installing Google Chrome, and I just find it easier to stick with one. Yeah yeah, monoculture and homogeneous networks. But it makes my life easier, and I’ve reached the point where running Linux has less to do with cool factor or trying new things and more about getting stuff done quickly and effectively with a minimum of inefficiency. I don’t see moving them to Bodhi as the solution, either.

Introduction to the Collective Intelligence Framework

(Photo caption: Just back off, dude)

CIRTs and related organizations often handle incident detection as well as response. Both of these roles produce and consume threat intelligence in different ways. For example, we often want to correlate our network traffic with OSINT indicators (known bad IP addresses and URLs, MD5 hashes of suspicious files, etc.). I’ve started looking at the Collective Intelligence Framework as a way to fulfill these needs. CIF development is sponsored by the REN-ISAC and National Science Foundation, with most of the coding (and everything else!) handled by Wes Young. Everything is open source for those of us who like – or need – to hack directly on the code.

In this article, I’ll explain CIF, give some usage examples, and discuss test deployment scenarios.

Understanding CIF

From the perspective of a user, CIF allows you to run queries against many data sources at once. If you have other private data sources available, particularly via XML (RSS), JSON, or in a file (e.g. CSV), you can incorporate those, as well as additional OSINT sources. CIF comes preconfigured for:

Use cases include manually querying the database for specific indicators (e.g. “do we have any records for this IP address?”) as well as pulling feeds of various sorts for use by security systems (e.g. “what URLs should we block at the proxy?”). CIF includes concepts of severity and confidence as well as privilege. This allows you to provide feeds of high-confidence public data to some systems while still allowing investigators to query private, unconfirmed data.

Essentially, CIF ingests data – typically on an hourly or daily basis, depending on the source – indexes it on the fly for performance reasons, performs correlation analytics (e.g. so that a URL also turns into domain and IP address information), and then makes it available in feeds via various output plugins. These plugins include tables and HTML for viewing by a user, but also iptables rules, Snort rules, JSON, and CSV for processing by other security systems.

Usage examples

Everything below comes from the Perl client. I haven’t yet dealt with the Python client, much less hacked on it, but that’s coming Soon™.

cif -q infrastructure/malware -c 50 -s medium

gives a fairly large list of IP addresses associated with malware. (I used medium severity and 50% confidence in these examples.)

Even if you don’t use a proxy server, you might find CIF useful for checking suspicious URLs:

cif -q url -c 50 -s medium -p snort

You now have a list of Snort rules to pull into your IDS.

Or if you have your own list of IP addresses to check, such as when an ongoing case has new indicators, you can put them in a file and query each of them:

for f in $(cat hostlist.txt); do cif -q "$f" >> specific-ip.txt; done

This yields another list. You might see a few lines in that example with a “private” restriction and impact as “search”. This happens because, by default, CIF will log every query for a specific indicator. A number of searches, such as from other investigators, may have significance apart from any data. However, if you don’t want CIF to log a query, just use the “-n” parameter.
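As an added illustration of the severity, confidence and privilege model from the Understanding CIF section and of the -c 50 -s medium -p snort style queries above, the following Python (not CIF’s own code, and written in Python rather than the Perl client) filters a handful of records and renders them as Snort and iptables output. The record field names and the rule formats are assumptions loosely modeled on CIF’s concepts, and every indicator is constructed from documentation ranges.

```python
from urllib.parse import urlparse

# Ordering behind a "-s medium" style threshold (assumed, modeled on CIF's low/medium/high).
SEVERITY_RANK = {"low": 1, "medium": 2, "high": 3}

# Constructed records shaped like CIF output; the addresses are documentation-range
# values, not real indicators. The "search" record mimics CIF's logging of a query.
RECORDS = [
    {"address": "192.0.2.10", "impact": "malware infrastructure", "severity": "high",
     "confidence": 95, "restriction": "public"},
    {"address": "http://198.51.100.7/bad.exe", "impact": "malware url", "severity": "medium",
     "confidence": 65, "restriction": "public"},
    {"address": "203.0.113.4", "impact": "search", "severity": "low",
     "confidence": 25, "restriction": "private"},
    {"address": "http://bad.example.test/login", "impact": "phishing url", "severity": "medium",
     "confidence": 85, "restriction": "private"},
]


def select_feed(records, min_confidence=50, min_severity="medium", allow_private=False):
    """Keep records at or above both thresholds; drop private ones unless the caller may see them."""
    wanted = SEVERITY_RANK[min_severity]
    return [r for r in records
            if r["confidence"] >= min_confidence
            and SEVERITY_RANK.get(r["severity"], 0) >= wanted
            and (allow_private or r["restriction"] != "private")]


def correlate(record):
    """Expand a URL indicator into its host, as CIF's analytics do; bare IPs pass through."""
    addr = record["address"]
    if "://" in addr:
        return {"url": addr, "host": urlparse(addr).hostname or ""}
    return {"url": None, "host": addr}


def to_rules(records, base_sid=9000000):
    """Render IP indicators as iptables drops and URL indicators as Snort HTTP content rules."""
    out = []
    for i, r in enumerate(records):
        c = correlate(r)
        if c["url"] is None:
            out.append("iptables -A OUTPUT -d %s -j DROP" % c["host"])
        else:
            out.append('alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS '
                       '(msg:"CIF %s"; content:"%s"; http_header; sid:%d; rev:1;)'
                       % (r["impact"], c["host"], base_sid + i))
    return out
```

Running select_feed with the defaults drops the low-confidence “search” record and the private phishing record, which is exactly the split between a public blocking feed and an investigator’s private query that the post describes.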

If you’d like to play with it some more, contact me for an API key and the address of my semi-public CIF server. Twitter or email both work fine.

Appendix: CIF on the Amazon cloud

Amazon Web Services provide a decent platform for testing CIF or running a public instance like mine. The following assumes some familiarity with Linux administration and at least a basic understanding of the Elastic Compute Cloud (EC2).

You can start with a small instance for the installation, but you’ll quickly want to move to a medium instance at least. I run a large instance using the Ubuntu Cloud Guest server image. In general, follow the server install instructions for CIF. You’ll also want to note the specifics for Ubuntu as they contain a few workarounds you will need. Allocate an Elastic IP and register it in DNS someplace, such as with Amazon Route 53. For the Security Group, only add HTTPS and SSH. You won’t need anything else, and I recommend leaving it at this minimal state for security purposes. You’ll also need an Elastic Block Store. While you can start with 10GB, expect that to grow a few GB per week, so you’ll need to resize from time to time or create a larger volume at the beginning. While not required for CIF installation, I can’t recommend enough that you use git to manage config files. Srsly.

When installing Postgres, note that “peer” may appear in the original file where the CIF docs show “ident sameuser”. Also, I did not use the values in the CIF docs, as Postgres didn’t like them. I left everything at the defaults except:

work_mem = 512MB
checkpoint_segments = 32

When setting up BIND9, first check /etc/resolv.conf for the IP addresses you should use as forwarders.

Reminder to self: encryption

'Enigma German' by Anthony Catalano

Encryption isn’t just a good idea. It should be mandatory practice for anyone who cares at all about security and privacy.

So as a reminder to myself: use Truecrypt more frequently. Even on Ubuntu, it’s insanely easy and will help you sleep better at night. Old documents that need to remain confidential (or perhaps even securely deleted), financial stuff, et cetera… why do you just keep them sitting in the clear on your hard drive?

My next minor project involves GnuPG and then leveling up in Tor, which I already use. I’d like to do so more effectively, in fact, and I have some ideas for a project similar to Tails with some enhancements.

Aside

What Would Linus Do About GNOME 3? Why, Use Xfce

I decided almost exactly the same thing in short order after Ubuntu 11.04 launched. Unity wasn’t for me, so I used the official GNOME 3 PPA, and that was worse.

OWASP Dallas: WTE Live Blog


Matt Tesauro presenting WTE at OWASP Dallas

I’m attending the OWASP Dallas meeting today with a bunch of application security ninjas. Matt Tesauro will present the freshest bits possible on the future of the OWASP Live CD and Web Testing Environment. Also watch @OWASPDallas as they might have stuff, I suppose.

Watch here for live blogging updates…

Summary: I absolutely loved the venue: SMU on a gorgeous spring-like day in early March. The room felt a bit tight, but I suspect that a lot of us who attended for the first time boosted the numbers. Matt has a dynamic and engaging way of speaking and clearly chugs the caffeine before he gets on stage. The content sounded really useful and I hope to see more “builder” tools added soon. As far as distributing the WTE, I suggest just an Ubuntu VM with instructions (or a script) to add the appropriate repository and some meta packages. Guess I will get in touch with him separately. And I absolutely loved seeing some old colleagues from a former employer and some new ones from Twitter. Not sure I’ll attend the April event (appsec’s place in risk management) but I will definitely start getting hooked into more local infosec community events.

1249: That’s all, folks! I’ll clean this up when I get home.

1246: April 6th (1st Wednesday) for next meeting. Lots of upcoming events. Next 2 OWASP Dallas meetings at SMU.

1235: OWASP. Meritocracy, not really a hierarchy per se (inverted organization). Other things needed besides vuln testing: change control, source code mgmt, threat assessment, remediation, etc.

1232: Get involved: mailing list (announcements, low traffic). Post on AppSecLive.org forums. Download ISO or VM, submit bugs and RFEs on Google Code site. Create a .deb package of a tool (docs coming, this gets repeated a lot). Suggest missing tools. Check OWASP Wiki (somebody needs to teach them how to configure it to drop the index.php part of the URL).

1227: Building is where the ROI lives, but breaking is fun. Need to add packages to help build things right. Can create custom profiles: whitebox, blackbox, static analysis, target specific (e.g. Java, .NET). (Side note: seems like a great possibility for meta-packages, bro.) Wants to include any good, freely-distributable tools even if they’re not OWASP. Also pushing for more ease-of-use to lower barriers to entry. Will document how to create packages, etc, plus align with OWASP Testing Guide. More dev focused tools, too (+1!).

1224: OWASP Education Project crossover, since they have natural ties. Can be customized for individual classes due to modularization. Can include a testing version and one with broken apps to run in separate VMs, avoid networking issues in class.

1222: /opt/owasp itself now has 732M, so it doesn’t really fit on CD very well anyway. Custom remixes coming, targeted installs, Wubi (lolwut? for the non-geeks?), kiosk version.

1219: OWASP docs also included: Testing Guide v2 and v3, plus moar program development stuffz. Top 10 for 2010 and J2EE. PDFs scraped from the project. OSSTMM and WASC Threat Classification. Repository up (appseclive.org), stable and testing. Can work with Ubuntu Software Store, Synaptic, whatever. Google Code site too, meaning the source is all there (AS IT SHOULD BE). This means the Live CD has died and is +ded+.

1212: Lots of other proxies, scanners, SQL-i tools, browser, other typical stuff. Tied to repos in some cases. Firefox caused some dependency issues, so installs a separate WTE copy that can also work with the local proxies for testing. Lots of additional plugins, generally by user request.

1208: Tools will all have entries under OWASP sub-menus and install into /opt/owasp/$pkgname. Wrapper shell script goes in /usr/bin (?) so that it’s always in the PATH. Makes it easier for us lazy types! 26 “significant” tools: Web Scarab (testing proxy), WSFuzzer (Python for web services fuzzing), Web Goat (testing environment), Wapiti (automated dynamic scanner), CAL9000 (abandoned collection of encode/decode tools), EnDe (CAL9000 on crack), DirBuster (brute force names), WebSlayer (brute forcing and fuzzing), ZAP Proxy (maintained fork of Paros).

1203: Customizations to simplify usage, which helps make security visible. Started to create his own package dependency system, but then realized no need. Doesn’t compete with BackTrack: focuses on appsec, not network pen testing.

1201: Apparently the WTE / LiveCD has lots of history, but started as a Summer of Code project in 2008. Now it’s not just a SLAX LiveCD, since that doesn’t have too much persistence and makes tool updates painful. Went to Debian packages for every tool, which creates a lot of flexibility. Now uses Ubuntu 10.10 plus a few additional tweaks, then creates a VDI / CD (and soon USB). Still works with Ubuntu repositories. Goal: make tools and docs available and easy to use.

1153: Preso has started. Hi Matt!

1148: Just joined the LinkedIn group.

1142: Introductory remarks. Happy to see a few familiar faces.

1132: Food was delicious (thanks Veracode), barring lack of coffee. ;) Looks like we will get started in a few moments here.

1118: Checked in, meeting folks, grabbing some food. Very nice venue.