Questions about this topic? Sign up to ask in the talk tab.

Difference between revisions of "Classes/Logs/2012/September/17/00-01"

From NetSec
Jump to: navigation, search
(Created page with "<pre> 23:58 <@rorschach> here's the class schedule and signup roster for this week 23:58 <@rorschach> www.blackhatlibrary.net/Current:Classes 23:58 <@rorschach> if you have a top...")
 
 
(4 intermediate revisions by one other user not shown)
Line 1: Line 1:
<pre>
+
23:58 <@rorschach> here's the class schedule and signup roster for this week
23:58 <@rorschach> here's the class schedule and signup roster for this week
+
23:58 <@rorschach> [[Current:Classes|www.blackhatlibrary.net/Current:Classes]]
23:58 <@rorschach> www.blackhatlibrary.net/Current:Classes
+
23:58 <@rorschach> if you have a topic idea signup
23:58 <@rorschach> if you have a topic idea signup
+
23:59 <@rorschach> if you would like to do something but don't know what to talk about, pm me and I might be able to help
23:59 <@rorschach> if you would like to do something but don't know what to talk about, pm me and I might be able to help
+
00:00 <@rorschach> if you have something you WANT someone to talk about come talk to us and we might be able to work  
Day changed to 17 Sep 2012
+
00:00 <@rorschach> if you have something you WANT someone to talk about come talk to us and we might be able to work  
+
 
                   something out
 
                   something out
00:00 < lighthouse> if we were already signed up for the previous emails/classes do we have to sign up again at that URL  
+
00:00 < lighthouse> if we were already signed up for the previous emails/classes do we have to sign up again at that URL  
 
                     for the next classes?
 
                     for the next classes?
00:00 <@rorschach> and of course, tell all of your friends to come so we can share the knowledge
+
00:00 <@rorschach> and of course, tell all of your friends to come so we can share the knowledge
00:00 <@rorschach> :)
+
00:00 <@rorschach> :)
00:01 <@rorschach> no, these are open classes
+
00:01 <@rorschach> no, these are open classes
00:01 <@rorschach> the signups are for scheduling a class
+
00:01 <@rorschach> the signups are for scheduling a class
00:01 < lighthouse> blackhatlibrary.net ....still the same group as blackhat academy, right?
+
00:02 <@rorschach> speaker signups
00:01 < lighthouse> ok
+
-
00:02 <@rorschach> speaker signups
+
  00:16 <~hatter> ok guys here we go  
00:02 <@rorschach> yes, sir
+
00:17 <~hatter> We're gonna do a little timeslot about [[SIM|security infrastructure]] and related components
00:02 < lighthouse> cool
+
00:19 <~hatter> Essentially security infrastructure at an [[Web_exploitation|internet security]] level is defined as intrusion detection  
00:07 <~hatter> So we're gonna start in a minute. I'm smoking a cigarette n then we'll begin.
+
                 systems and [[Countermeasures|intrusion prevention]] systems on the [[host]] and [[network]] layers (and also sometimes the [[Operating_System|OS]] and  
00:07 < Dwaan> ops or ddos
+
00:07 < Dwaan> imo
+
00:07 <~hatter> no
+
00:07 <~hatter> lol
+
00:07 <@rorschach> lmao
+
00:08 <@rorschach> gonna go take a shower, if you guys have any questions about what I wrote above, pm me and I'll get
+
                  back to you in a sec
+
00:09 < Dwaan> lol
+
00:14 < rooster> h Dwaan
+
00:14 < Dwaan> rooster:
+
00:14 < Dwaan> ayo
+
00:15 < rooster> ayo lol.
+
00:15 < rooster> sup
+
00:15 < Dwaan> @ work
+
00:16 < rooster> irc on the job haha
+
00:16 <~hatter> ok guys here we go  
+
00:17 <~hatter> We're gonna do a little timeslot about security infrastructure and related components
+
00:19 <@mepholic> hatter: any recommendation for a class for me to teach?
+
00:19 <~hatter> Essentially security infrastructure at an internet security level is defined as intrusion detection  
+
                 systems and intrusion prevention systems on the host and network layers (and also sometimes the OS and  
+
 
                 application layers) which plug into a security infrastructure management system
 
                 application layers) which plug into a security infrastructure management system
00:19 <~hatter> This security infrastructure management system is typically accessed by the security personell at any  
+
00:19 <~hatter> This security infrastructure management system is typically accessed by the security personel at any  
 
                 given NOC (network operations center)  
 
                 given NOC (network operations center)  
00:20 <~hatter> mepholic: whatever you like just reserve the timeslot
+
00:21 <~hatter> Open-Source Network intrusion detection & prevention systems include [[snort]] and sancp
00:21 <~hatter> Open-Source Network intrusion detection & prevention systems include snort and sancp
+
00:21 <~hatter> there are also a variety of other tools
00:21 <~hatter> there are also a variety of other tools
+
00:22 <~hatter> Like portsentry, shadow, [[HIDS|tripwire, [[|Cisco_IDS|cisco ids]]/ips (stay away from those)
00:22 <~hatter> Like portsentry, shadow, tripwire, cisco ips/ids (stay away from those)
+
00:22 <~hatter> (ciscos, I mean)
00:22 <~hatter> (ciscos, I mean)
+
00:23 <~hatter> Sometimes a security infrastructure management system is also integrated with filesystem integrity check  
00:23 -!- Frank[AFK] [~Frank@2C38FF96:275FD040:2B88C982:IP] has quit [client exited: Frank.]
+
                 daemons and other [[Protocols|standard services]] ([[SMTP|smtp]]/pop3/[[FTP|ftp]]/web/authentication/other common services)
00:23 <~hatter> Sometimes a security infrastructure management system is also integrated with filesystem integrity check  
+
00:25 <~hatter> Host-based [[IDS|intrusion detection and prevention systems]] include samhain and ossec - amongst some other more  
                 daemons and other standard services (smtp/pop/ftp/web/authentication/other common services)
+
00:25 <~hatter> Host-based intrusion detection and prevention systems include samhain and ossec - amongst some other more  
+
 
                 specific service and application-level engines
 
                 specific service and application-level engines
00:25 <~hatter> like naxsi, suhoshin, and apache's mod_security
+
00:25 <~hatter> like naxsi, suhoshin, and apache's mod_security
00:25 <~hatter> Firewalls are usually utilized by prevention systems and/or infrastructure management systems
+
00:25 <~hatter> Firewalls are usually utilized by prevention systems and/or infrastructure management systems
00:26 <~hatter> these may consist of iptables, nufw, pf, ipchains, etc all the way to sonicguard, bigip, or a variety of  
+
00:26 <~hatter> these may consist of iptables, nufw, pf, ipchains, etc all the way to sonicguard, bigip, or a [[Networking_Concepts_%26_Commands/Applications|variety of  
                 other appliances
+
                 other appliances]]
00:27 <~hatter> Without proper firewalls, a security administrator may be unable to thoroughly mitigate an attack without  
+
00:27 <~hatter> Without proper [[firewall|firewalls]], a security administrator may be unable to thoroughly mitigate an attack without  
 
                 experiencing downtime.
 
                 experiencing downtime.
00:27 <~hatter> Systemic failures can happen if appropriate infrastructures for logging all of these infrastructure  
+
00:27 <~hatter> Systemic failures can happen if appropriate infrastructures for logging all of these infrastructure  
 
                 components are not in place during an incident
 
                 components are not in place during an incident
00:27 <~hatter> (or before one)
+
00:27 <~hatter> (or before one)
00:28 <~hatter> Any questions thus far?
+
00:29 <~hatter> At the operating system level, other measures and enforcement protocols can be used to ensure integrity  
00:29 <~hatter> At the operating system level, other measures and enforcement protocols can be used to ensure integrity  
+
 
                 (pam, auditd, grsec, pax, selinux)
 
                 (pam, auditd, grsec, pax, selinux)
00:30 <~hatter> Some good/open source sim's I'd recommend are opensims, ossim, and prelude siem.   
+
00:30 <~hatter> Some good/open source [[SIM|sim's]] I'd recommend are opensims, ossim, and prelude siem.   
00:30 <~hatter> Prelude's frontend (Prewikka) is written in python, its kinda a pain to get running, but awesome once it  
+
00:30 <~hatter> Prelude's frontend (Prewikka) is written in [[python]], its kinda a pain to get running, but awesome once it  
 
                 works
 
                 works
00:31 <~hatter> I'll pause for around 5 mins for questions
+
00:35 <~hatter> ok so you have a few different options when mitigating network based attacks
00:35 <~hatter> ok so you have a few different options when mitigating network based attacks
+
00:35 <~hatter> you can allow the traffic ( bad idea )  
00:35 <~hatter> you can allow the traffic ( bad idea )  
+
00:35 <~hatter> you can block/drop the traffic
00:35 <~hatter> you can block/drop the draffic
+
00:35 <~hatter> or you can reflect the traffic
00:35 <~hatter> or you can reflect the traffic
+
00:36 <~hatter> Blocking or reflecting are always the best solutions given different circumstances
00:36 <~hatter> Blocking or reflecting are always the best solutions given different circumstances
+
00:37 <~hatter> for example, during a [[Ddos_attack|ddos]], if you are sure a [[Cookies/Flags/Domain|domain]] is the target and you have the ip address of the  
00:37 <~hatter> for example, during a ddos, if you are sure a domain is the target and you have the ip address of the  
+
                 [[Zombies|command and control server]], it would not even be remotely illegal for you to update the dns record to  
                 command and control server, it would not even be remotely illegal for you to update the dns record to  
+
                 point to the C&C server's ip address.  This would also cook the [[botnet]], allowing you after a few moments  
                 point to the C&C server's ip address.  This would also cook the botnet, allowing you after a few moments  
+
 
                 to update the dns record back to its original value, restoring uptime to the site
 
                 to update the dns record back to its original value, restoring uptime to the site
00:39 <~hatter> 1s
+
00:39 <~hatter> 1s
00:39 <~hatter> fixin somethin
+
00:39 <~hatter> fixin somethin
00:40 <~hatter> fixt
+
00:40 <~hatter> fixt
00:41 <~hatter> In other cases when you know less information, simply dropping traffic is the appropriate response to a  
+
00:41 <~hatter> In other cases when you know less information, simply dropping traffic is the appropriate response to a  
 
                 ddos.
 
                 ddos.
00:41 <~hatter> When you block the traffic using icmp unreachable or tcp reset messages, this actually makes your  
+
00:41 <~hatter> When you block the traffic using [[Protocol|icmp]] unreachable or [[Protocol|tcp]] reset messages, this actually makes your  
 
                 appliances send more data, increasing the effectiveness of the denial of service attack.
 
                 appliances send more data, increasing the effectiveness of the denial of service attack.
00:42 <~hatter> likewise, it is advisable to chmod 0 affected directories, chattr +ia, and chown to root when a web  
+
00:42 <~hatter> likewise, it is advisable to chmod 0 affected directories, chattr +ia, and chown to root when a web  
 
                 application has been compromised, unless the flaw is known.
 
                 application has been compromised, unless the flaw is known.
00:42 < Dwaan> i never considered that
+
00:42 <~hatter> traffic can be analyzed in realtime using a variety of sniffers
00:42 < Dwaan> nice
+
00:43 <~hatter> A lot of people just use tcpdump
00:42 <~hatter> traffic can be analyzed in realtime using a variety of sniffers
+
00:43 <~hatter> Its a relatively standard command line tool
00:43 <~hatter> A lot of people just use tcpdump
+
00:43 <~hatter> It does not have any attack functionality though, while things like ettercap aren't quite as good for  
00:43 <~hatter> Its a relatively standard command line tool
+
00:43 <~hatter> It does not have any attack functionality though, while things like ettercap aren't quite as good for  
+
 
                 inspection but are great for attacks.
 
                 inspection but are great for attacks.
00:45 <~hatter> Sancp will make packet & pcap recordings
+
00:45 <~hatter> Sancp will make packet & pcap recordings
00:45 <~hatter> that you can inspect later using tcpdump or other pcap utilities
+
00:45 <~hatter> that you can inspect later using tcpdump or other pcap utilities
00:45 <~hatter> you can also just use hexdump
+
00:45 <~hatter> you can also just use hexdump
00:45 <~hatter> if you're into that sort of thing :)
+
00:45 <~hatter> if you're into that sort of thing :)
00:48 <~hatter> there are multiple types of analysis employed by security infrastructure,
+
00:48 <~hatter> there are multiple types of analysis employed by security infrastructure,
00:48 <~hatter> lets focus on integrity checking, signature based analysis, and behavior based analysis for the moment
+
00:48 <~hatter> lets focus on integrity checking, signature based analysis, and behavior based analysis for the moment
00:49 <~hatter> Whenever you have the ability to do so, integrity checks should be done using multiple hashing  
+
00:49 <~hatter> Whenever you have the ability to do so, integrity checks should be done using multiple hashing  
 
                 algorithms.  Additionally, third party systems may monitor the databases of the integrity checksums to  
 
                 algorithms.  Additionally, third party systems may monitor the databases of the integrity checksums to  
 
                 determine their integrity as well
 
                 determine their integrity as well
00:50 <~hatter> The reasoning behind using multiple hashing algorithms for checksums applies due to hash collision attacks
+
00:50 <~hatter> The reasoning behind using multiple hashing algorithms for checksums applies due to hash collision attacks
00:50 <~hatter> It is possible to perform a collision attack using appended data against nearly any single checksum  
+
00:50 <~hatter> It is possible to perform a collision attack using appended data against nearly any single checksum  
 
                 algorithm
 
                 algorithm
00:50 <~hatter> however because of the math involved, using multiple hashing alorithms that differ in origin may prove  
+
00:50 <~hatter> however because of the math involved, using multiple hashing alorithms that differ in origin may prove  
 
                 impossible to collide at the same time
 
                 impossible to collide at the same time
00:51 <~hatter> signature based analysis typically uses regular expressions or similar definitions for static file and/or  
+
00:51 <~hatter> signature based analysis typically uses regular expressions or similar definitions for static file and/or  
 
                 memory analysis at runtime
 
                 memory analysis at runtime
00:51 <~hatter> This is typically a poor solution as blacklisting will nearly always fail
+
00:51 <~hatter> This is typically a poor solution as blacklisting will nearly always fail
00:52 <~hatter> (Perhaps a more bayesian style filtering approach is needed on a more general scale.)
+
00:52 <~hatter> (Perhaps a more bayesian style filtering approach is needed on a more general scale.)
00:52 <~hatter> Behaviour based analysis is a good solution however its still very young, and the technology needs  
+
00:52 <~hatter> Behaviour based analysis is a good solution however its still very young, and the technology needs  
 
                 further growth before it can be adopted on a wider scale
 
                 further growth before it can be adopted on a wider scale
00:54 <~hatter> Additionally, some behavior based intrusion detection systems are prone to false positives from licensing  
+
00:54 <~hatter> Additionally, some behavior based intrusion detection systems are prone to false positives from licensing  
 
                 engines, due to the polymorphic nature of modern software protections and their similarity to malware.
 
                 engines, due to the polymorphic nature of modern software protections and their similarity to malware.
00:54 <~hatter> This can cause certain systemic failures if not properly integrated (part of the youth of the technology)
+
00:54 <~hatter> This can cause certain systemic failures if not properly integrated (part of the youth of the technology)
00:56 <~hatter> disaster recovery systems and monitoring systems may also be parts of security infrastructures
+
00:56 <~hatter> disaster recovery systems and monitoring systems may also be parts of security infrastructures
00:56 <~hatter> this includes backups, systems like nagios which check for service uptime, and database replication  
+
00:56 <~hatter> this includes backups, systems like nagios which check for service uptime, and database replication  
 
                 systems for hotswitch configurations
 
                 systems for hotswitch configurations
00:57 <~hatter> Disk and filesystem cryptography also applies to security infrastructure
+
00:57 <~hatter> Disk and filesystem cryptography also applies to security infrastructure
00:57 <~hatter> in some cases, they are legally required for various levels of legal business compliance in the united  
+
00:57 <~hatter> in some cases, they are legally required for various levels of legal business compliance in the united  
 
                 states and other nations
 
                 states and other nations
00:58 <~hatter> This includes things like HIPAA for medical records and PCI for stored credit card data
+
00:58 <~hatter> This includes things like HIPAA for medical records and PCI for stored credit card data
00:58 <~hatter> This also includes stuff like application level hashing and salting for authentication
+
00:58 <~hatter> This also includes stuff like application level hashing and salting for authentication
00:58 < lighthouse> let me know when questions can be asked again
+
00:59 <~hatter> That kind of thing can also be required for various levels of legal compliance
00:59 <~hatter> That kind of thing can also be required for various levels of legal compliance
+
00:59 < corvus> Isnt it true that adequate Disaster recovery implementations are often the largest point of failure in a  
00:59 <~hatter> go ahead and ask lighthouse
+
00:59 < corvus> Isnt it true that adequate Disaster recovery implementations are often the largest point of failure in a  
+
 
                 security policy?
 
                 security policy?
00:59 <~hatter> corvus: usually either that or an audit/review process for production systems to begin with
+
00:59 <~hatter> corvus: usually either that or an audit/review process for production systems to begin with
00:59 <~hatter> but yes
+
00:59 <~hatter> but yes
01:00 <~hatter> Its usually one of those two things
+
01:00 <~hatter> Its usually one of those two things
01:00 < lighthouse> could you possibly give an example or two of a simple setup for a home network and maybe one for a  
+
01:00 < lighthouse> could you possibly give an example or two of a simple setup for a home network and maybe one for a  
 
                     small - medium sized business as far as what security hardware and software would be on each?
 
                     small - medium sized business as far as what security hardware and software would be on each?
01:00 <~hatter> that is responsible for systemic failure
+
01:00 <~hatter> that is responsible for systemic failure
01:00 < lighthouse> maybe at the end or something?
+
01:00 <~hatter> I'll go ahead and give it a go
01:00 <~hatter> lighthouse: we only have about 5-10 minutes left before zzzzzZZZZzzz[m3n] starts with his python
+
01:00 < lighthouse> also, I have tried to setup snort for windows but to no avail, is there any way to use snort to  
                introduction so
+
01:00 <~hatter> I'll go ahead and give it a go
+
01:00 < lighthouse> also, I have tried to setup snort for windows but to no avail, is there any way to use snort to  
+
 
                     protect a primarily windows network ?
 
                     protect a primarily windows network ?
01:00 < lighthouse> oh ok
+
01:01 <~hatter> Snort is a network layer inspection system
01:01 <~hatter> Snort is a network layer inspection system
+
01:01 <~hatter> that means that you can install it on a single linux host
01:01 <~hatter> that means that you can install it on a single linux host
+
01:01 <~hatter> that also acts as a router
01:01 < lighthouse> well if you were going to go into encryption I would much rather you keep going with that
+
01:01 <~hatter> for the rest of the network
01:01 <~hatter> that also acts as a router
+
01:01 <~hatter> Say you had a switch (not a hub)
01:01 <~hatter> for the rest of the network
+
01:01 <~hatter> You'd set up your linux machine with snort  
01:01 <~hatter> so
+
01:01 <~hatter> as a router, then plug it into the switch
01:01 <~hatter> Say you had a switch (not a hub)
+
01:01 <~hatter> as well as the modem
01:01 <~hatter> You'd set up your linux machine with snort  
+
01:01 <~hatter> the switch would then provide access to the rest of the network
01:01 < lighthouse> ok
+
01:01 <~hatter> via the router/NIDS
01:01 <~hatter> as a router, then plug it into the switch
+
01:01 < lighthouse> so I could use one computer with a linux install with snort that acts as a router before the actual  
01:01 <~hatter> as well as the modem
+
01:01 < lighthouse> I see
+
01:01 <~hatter> the switch would then provide access to the rest of the network
+
01:01 <~hatter> via the router/NIDS
+
01:01 < lighthouse> so I could use one computer with a linux install with snort that acts as a router before the actual  
+
 
                     router?
 
                     router?
01:01 <~hatter> you could use that on either a home network or a business network
+
01:01 <~hatter> you could use that on either a home network or a business network
01:02 <~hatter> yep
+
01:02 <~hatter> yep
01:02 <~hatter> you sure could do that
+
01:02 <~hatter> you sure could do that
01:02 < lighthouse> could that be done with saturn (a server I have with a custom hardened version of linux on it)?
+
01:02 < lighthouse> could that be done with saturn (a server I have with a custom hardened version of linux on it)?
01:02 <~hatter> probably.
+
01:02 <~hatter> probably.
01:03 < lighthouse> but easier to go with a less complicated distro?
+
01:03 < lighthouse> but easier to go with a less complicated distro?
01:03 <~hatter> could really be done with nearly any system
+
01:03 <~hatter> could really be done with nearly any system
01:03 <~hatter> you don't need a super power house for it
+
01:03 <~hatter> you don't need a super power house for it
01:03 <~hatter> however  
+
01:03 <~hatter> however  
01:03 <~hatter> it's good to have that system locked down
+
01:03 <~hatter> it's good to have that system locked down
01:03 <~hatter> remember, it's going to be the gateway
+
01:03 <~hatter> remember, it's going to be the gateway
01:03 <~hatter> so
+
01:03 <~hatter> so
01:03 < lighthouse> true
+
01:03 <~hatter> if it gets hit by something, your whole network is at risk
01:03 <~hatter> if it gets hit by something, your whole network is at risk
+
01:03 <~hatter> so you might want to set up the modem -> router -> snort machine -> switch -> network
01:03 <~hatter> so you might want to set up the modem -> router -> snort machine -> switch -> network
+
01:03 <+foo> Security Onion has a lot of these tools built in: https://code.google.com/p/security-onion/
01:03 <+foo> Security Onion has a lot of these tools built in: https://code.google.com/p/security-onion/
+
01:04 <~hatter> ^
01:04 <~hatter> ^
+
01:04 <+foo> it's good stuff
01:04 < lighthouse> ok cool
+
-
01:04 < lighthouse> never heard of it
+
01:07 < lighthouse> how much security needs to be implemented to eliminate 90-95% of all most threats?
01:04 <+foo> it's good stuff
+
01:07 <~hatter> lol you mean
01:04 < lighthouse> nice,exactly what I need
+
01:07 <~hatter> how much shit do you need to turn off
01:04 < lighthouse> going to make it easier since I am very new to linux
+
01:08 <+foo> ^
01:05 <+foo> lighthouse: what is your background?
+
01:08 <~hatter> not how much stuff do you need to add
01:05 <~hatter> Ok guys, we'll take a 5 - 10 minute break and then zzzzzZZZZzzz[m3n] will kick off on python
+
01:08 <~hatter> xD
01:05 < lighthouse> mainly web design / some slight development / business /marketing
+
01:08 < Dwaan> i think im gonna have a play with snort now
01:05 < lighthouse> a cig break or a break for questions?
+
01:08 < lighthouse> lol
01:06 < Dwaan> lol
+
01:08 <+foo> lighthouse: most issues are caused by enabled but unused functionality
01:06 <+foo> hatter: thanks for the awesome SIM talk
+
01:08 <+foo> lighthouse: for example, take office workstations, most are allowed full access to the internal network
01:06 <+foo> s/talk/class/
+
01:09 <+foo> aside from p2p functionality, there is no reason workstations need to talk to each other
01:06 -!- XiX [[email protected]] has joined #CSIII
+
01:09 < lighthouse> what I am saying is, won't most threats / malware be thwarted by a few levels of security? I mean,  
01:06 < Dwaan> agree
+
01:06 < lighthouse> yeah, wish we were going more into that today
+
01:06 <+foo> lighthouse: go ahead and toss out some questions
+
01:06 <+foo> while zzzzzZZZZzzz[m3n] is getting ready
+
01:07 <@zzzzzZZZZzzz[m3n]> Yeah, This is kinda gonna be a bit off the top of my head.
+
01:07 < lighthouse> how much security needs to be implemented to eliminate 90-95% of all most threats?
+
01:07 <~hatter> lol you mean
+
01:07 <~hatter> how much shit do you need to turn off
+
01:08 <+foo> ^
+
01:08 <~hatter> not how much stuff do you need to add
+
01:08 <~hatter> xD
+
01:08 < Dwaan> i think im gonna have a play with snort now
+
01:08 < lighthouse> lol
+
01:08 <+foo> lighthouse: most issues are caused by enabled but unused functionality
+
01:08 <+foo> lighthouse: for example, take office workstations, most are allowed full access to the internal network
+
01:09 <+foo> aside from p2p functionality, there is no reason workstations need to talk to each other
+
01:09 -!- VanKrause [[email protected]] has joined #CSIII
+
01:09 < lighthouse> what I am saying is, won't most threats / malware be thwarted by a few levels of security? I mean,  
+
 
                     yes its best to be 100% secure (if thats even possible) but mnost dont have to worry about being  
 
                     yes its best to be 100% secure (if thats even possible) but mnost dont have to worry about being  
 
                     hacked by the alphabet boys
 
                     hacked by the alphabet boys
01:09 <+foo> yet, as demonstrated by extensive malware propagation of many environments, workstations are allowed to not  
+
01:09 <+foo> yet, as demonstrated by extensive malware propagation of many environments, workstations are allowed to not  
 
             only talk to each other but also attack each other unchecked
 
             only talk to each other but also attack each other unchecked
01:09 <+foo> lighthouse: 100% "security" is not possible
+
01:09 <+foo> lighthouse: 100% "security" is not possible
01:10 < lighthouse> if the SNA (scrambled for obvious reasons) wants to see what you are doing, more then likely they  
+
01:10 < lighthouse> if the SNA (scrambled for obvious reasons) wants to see what you are doing, more then likely they  
 
                     will be able to, no?
 
                     will be able to, no?
01:10 < Dwaan> foo: YES
+
01:10 < Dwaan> foo: YES
01:10 < Dwaan> i try to tell people this
+
01:10 < Dwaan> i try to tell people this
01:10 < Dwaan> so many people have the attitued like
+
01:10 < Dwaan> so many people have the attitued like
01:10 < lighthouse> unless you have a bunker with electromagnetic shielded walls, they can see what you are doing
+
01:10 < lighthouse> unless you have a bunker with electromagnetic shielded walls, they can see what you are doing
01:10 < Dwaan> 'meh, noone gonna do anything malicious on our network'
+
01:10 < Dwaan> 'meh, noone gonna do anything malicious on our network'
01:10 <+foo> https://www.sans.org/critical-security-controls/ here are the things to do to get "mostly secure"
+
01:10 <+foo> https://www.sans.org/critical-security-controls/ here are the things to do to get "mostly secure"
01:10 < Dwaan> why bother
+
01:10 < Dwaan> why bother
01:10 < Dwaan> etc
+
01:10 < Dwaan> etc
01:10 <+foo> as in, "must be this tall to ride"
+
01:10 <+foo> as in, "must be this tall to ride"
01:11 <+foo> Dwaan: most organizations have no clue what their workstations do, what the traffic flow is, what is on the  
+
01:11 <+foo> Dwaan: most organizations have no clue what their workstations do, what the traffic flow is, what is on the  
 
             network let alone what is installed on system X
 
             network let alone what is installed on system X
01:11 < lighthouse> an IDS dsoes not actually prevent attacks, correct? just the IPS?
+
01:11 < lighthouse> an IDS dsoes not actually prevent attacks, correct? just the IPS?
01:11 <+foo> Intrusion Detection System
+
01:11 <+foo> Intrusion Detection System
01:12 <+foo> detects attacks
+
01:12 <+foo> detects attacks
01:12 < Dwaan> foo: exactly
+
01:12 < Dwaan> foo: exactly
01:12 < Dwaan> lazy
+
01:12 < Dwaan> lazy
01:12 <+foo> IPS, Intrusion Prevention Systems, are typically IDS + Active Response
+
01:12 <+foo> IPS, Intrusion Prevention Systems, are typically IDS + Active Response
01:12 < Dwaan> wow
+
01:12 < Dwaan> wow
01:12 < Dwaan> security onion
+
01:12 < Dwaan> security onion
01:12 < Dwaan> looks nice
+
01:12 < Dwaan> looks nice
01:12 < lighthouse> right, so why would you just want the one (IDS) and not both , I know this is an extremely ignorant
+
01:12 <+foo> Dwaan: lazy, organic growth, lack of administrative processes
                    question but I am not a security guy
+
01:13 <+foo> it's the defense-in-depth philosophy, at your external perimeter (outside of the FW) it makes sense to have  
01:12 <+foo> Dwaan: lazy, organic growth, lack of administrative processes
+
01:12 < lighthouse> but I see stuff out there that is just an IDS
+
01:12 <+foo> lighthouse: that depends on where you are in the network
+
01:13 < lighthouse> oh I see
+
01:13 < lighthouse> if you want to delegate what happens where, makes sense
+
01:13 <+foo> it's the defense-in-depth philosophy, at your external perimeter (outside of the FW) it makes sense to have  
+
 
             an IDS
 
             an IDS
01:13 < lighthouse> obviously that would not be efficient for a home user like myself
+
01:13 <+foo> inside the FW, it makes sense to have an IPS
01:13 <+foo> inside the FW, it makes sense to have an IPS
+
01:14 <+foo> but your IDS outside should do more than just look for attacks, it should gather network statistics and  
01:14 <+foo> but your IDS outside should do more than just look for attacks, it should gather network statistics and  
+
 
             information about traffic flow
 
             information about traffic flow
01:14 <+foo> your internal IPS would take care of the "attacks" that your router and fw were unable to handle
+
01:14 <+foo> your internal IPS would take care of the "attacks" that your router and fw were unable to handle
01:14 <+foo> zzzzzZZZZzzz[m3n]: you about ready to jump in?
+
01:14 <+foo> zzzzzZZZZzzz[m3n]: you about ready to jump in?
01:15 <+foo> lighthouse: think about a castle and the various layers of defense
+
01:15 <+foo> lighthouse: think about a castle and the various layers of defense
01:15 <+foo> you have your castle wall
+
01:15 <+foo> you have your castle wall
01:15 <+foo> with archers and buckets of boiling oil and firebombs
+
01:15 <+foo> with archers and buckets of boiling oil and firebombs
01:15 < lighthouse> yeah..
+
01:15 <+foo> you have a moat and a big gate
01:15 <+foo> you have a moat and a big gate
+
01:15 <+foo> but you also have scouts out looking for attackers
01:15 <+foo> but you also have scouts out looking for attackers
+
01:16 <@zzzzzZZZZzzz[m3n]> Just a moment, yes
01:15 < lighthouse> very good analogy
+
01:16 <+foo> inside the castle walls you have segmentation of areas to limit attackers
01:16 <@zzzzzZZZZzzz[m3n]> Just a moment, yes
+
01:16 < lighthouse> teachers: analogys = awesome
01:16 <+foo> inside the castle walls you have segmentation of areas to limit attackers
+
01:16 <+foo> but open areas that trusted parties can get into
01:16 < lighthouse> btw, to all teaching, these type of analogies are the best way to teach complete noobs like myself
+
01:17 <+foo> each of these areas have guards and access controls
01:16 <+foo> but open areas that trusted parties can get into
+
01:17 <+foo> each of these areas have guards and access controls
+
</pre>
+

Latest revision as of 02:57, 20 September 2012

23:58 <@rorschach> here's the class schedule and signup roster for this week
23:58 <@rorschach> www.blackhatlibrary.net/Current:Classes
23:58 <@rorschach> if you have a topic idea signup
23:59 <@rorschach> if you would like to do something but don't know what to talk about, pm me and I might be able to help
00:00 <@rorschach> if you have something you WANT someone to talk about come talk to us and we might be able to work 
                  something out
00:00 < lighthouse> if we were already signed up for the previous emails/classes do we have to sign up again at that URL 
                   for the next classes?
00:00 <@rorschach> and of course, tell all of your friends to come so we can share the knowledge
00:00 <@rorschach> :)
00:01 <@rorschach> no, these are open classes
00:01 <@rorschach> the signups are for scheduling a class
00:02 <@rorschach> speaker signups
-
00:16 <~hatter> ok guys here we go 
00:17 <~hatter> We're gonna do a little timeslot about security infrastructure and related components
00:19 <~hatter> Essentially security infrastructure at an internet security level is defined as intrusion detection 
               systems and intrusion prevention systems on the host and network layers (and also sometimes the OS and 
               application layers) which plug into a security infrastructure management system
00:19 <~hatter> This security infrastructure management system is typically accessed by the security personel at any 
               given NOC (network operations center) 
00:21 <~hatter> Open-Source Network intrusion detection & prevention systems include snort and sancp
00:21 <~hatter> there are also a variety of other tools
00:22 <~hatter> Like portsentry, shadow, [[HIDS|tripwire, [[|Cisco_IDS|cisco ids]]/ips (stay away from those)
00:22 <~hatter> (ciscos, I mean)
00:23 <~hatter> Sometimes a security infrastructure management system is also integrated with filesystem integrity check 
               daemons and other standard services (smtp/pop3/ftp/web/authentication/other common services)
00:25 <~hatter> Host-based intrusion detection and prevention systems include samhain and ossec - amongst some other more 
               specific service and application-level engines
00:25 <~hatter> like naxsi, suhoshin, and apache's mod_security
00:25 <~hatter> Firewalls are usually utilized by prevention systems and/or infrastructure management systems
00:26 <~hatter> these may consist of iptables, nufw, pf, ipchains, etc all the way to sonicguard, bigip, or a variety of 
                other appliances
00:27 <~hatter> Without proper firewalls, a security administrator may be unable to thoroughly mitigate an attack without 
               experiencing downtime.
00:27 <~hatter> Systemic failures can happen if appropriate infrastructures for logging all of these infrastructure 
               components are not in place during an incident
00:27 <~hatter> (or before one)
00:29 <~hatter> At the operating system level, other measures and enforcement protocols can be used to ensure integrity 
               (pam, auditd, grsec, pax, selinux)
00:30 <~hatter> Some good/open source sim's I'd recommend are opensims, ossim, and prelude siem.  
00:30 <~hatter> Prelude's frontend (Prewikka) is written in python, its kinda a pain to get running, but awesome once it 
               works
00:35 <~hatter> ok so you have a few different options when mitigating network based attacks
00:35 <~hatter> you can allow the traffic ( bad idea ) 
00:35 <~hatter> you can block/drop the traffic
00:35 <~hatter> or you can reflect the traffic
00:36 <~hatter> Blocking or reflecting are always the best solutions given different circumstances
00:37 <~hatter> for example, during a ddos, if you are sure a domain is the target and you have the ip address of the 
               command and control server, it would not even be remotely illegal for you to update the dns record to 
               point to the C&C server's ip address.  This would also cook the botnet, allowing you after a few moments 
               to update the dns record back to its original value, restoring uptime to the site
00:39 <~hatter> 1s
00:39 <~hatter> fixin somethin
00:40 <~hatter> fixt
00:41 <~hatter> In other cases when you know less information, simply dropping traffic is the appropriate response to a 
               ddos.
00:41 <~hatter> When you block the traffic using icmp unreachable or tcp reset messages, this actually makes your 
               appliances send more data, increasing the effectiveness of the denial of service attack.
00:42 <~hatter> likewise, it is advisable to chmod 0 affected directories, chattr +ia, and chown to root when a web 
               application has been compromised, unless the flaw is known.
00:42 <~hatter> traffic can be analyzed in realtime using a variety of sniffers
00:43 <~hatter> A lot of people just use tcpdump
00:43 <~hatter> Its a relatively standard command line tool
00:43 <~hatter> It does not have any attack functionality though, while things like ettercap aren't quite as good for 
               inspection but are great for attacks.
00:45 <~hatter> Sancp will make packet & pcap recordings
00:45 <~hatter> that you can inspect later using tcpdump or other pcap utilities
00:45 <~hatter> you can also just use hexdump
00:45 <~hatter> if you're into that sort of thing :)
00:48 <~hatter> there are multiple types of analysis employed by security infrastructure,
00:48 <~hatter> lets focus on integrity checking, signature based analysis, and behavior based analysis for the moment
00:49 <~hatter> Whenever you have the ability to do so, integrity checks should be done using multiple hashing 
               algorithms.  Additionally, third party systems may monitor the databases of the integrity checksums to 
               determine their integrity as well
00:50 <~hatter> The reasoning behind using multiple hashing algorithms for checksums applies due to hash collision attacks
00:50 <~hatter> It is possible to perform a collision attack using appended data against nearly any single checksum 
               algorithm
00:50 <~hatter> however because of the math involved, using multiple hashing alorithms that differ in origin may prove 
               impossible to collide at the same time
00:51 <~hatter> signature based analysis typically uses regular expressions or similar definitions for static file and/or 
               memory analysis at runtime
00:51 <~hatter> This is typically a poor solution as blacklisting will nearly always fail
00:52 <~hatter> (Perhaps a more bayesian style filtering approach is needed on a more general scale.)
00:52 <~hatter> Behaviour based analysis is a good solution however its still very young, and the technology needs 
               further growth before it can be adopted on a wider scale
00:54 <~hatter> Additionally, some behavior based intrusion detection systems are prone to false positives from licensing 
               engines, due to the polymorphic nature of modern software protections and their similarity to malware.
00:54 <~hatter> This can cause certain systemic failures if not properly integrated (part of the youth of the technology)
00:56 <~hatter> disaster recovery systems and monitoring systems may also be parts of security infrastructures
00:56 <~hatter> this includes backups, systems like nagios which check for service uptime, and database replication 
               systems for hotswitch configurations
00:57 <~hatter> Disk and filesystem cryptography also applies to security infrastructure
00:57 <~hatter> in some cases, they are legally required for various levels of legal business compliance in the united 
               states and other nations
00:58 <~hatter> This includes things like HIPAA for medical records and PCI for stored credit card data
00:58 <~hatter> This also includes stuff like application level hashing and salting for authentication
00:59 <~hatter> That kind of thing can also be required for various levels of legal compliance
00:59 < corvus> Isnt it true that adequate Disaster recovery implementations are often the largest point of failure in a 
               security policy?
00:59 <~hatter> corvus: usually either that or an audit/review process for production systems to begin with
00:59 <~hatter> but yes
01:00 <~hatter> Its usually one of those two things
01:00 < lighthouse> could you possibly give an example or two of a simple setup for a home network and maybe one for a 
                   small - medium sized business as far as what security hardware and software would be on each?
01:00 <~hatter> that is responsible for systemic failure
01:00 <~hatter> I'll go ahead and give it a go
01:00 < lighthouse> also, I have tried to setup snort for windows but to no avail, is there any way to use snort to 
                   protect a primarily windows network ?
01:01 <~hatter> Snort is a network layer inspection system
01:01 <~hatter> that means that you can install it on a single linux host
01:01 <~hatter> that also acts as a router
01:01 <~hatter> for the rest of the network
01:01 <~hatter> Say you had a switch (not a hub)
01:01 <~hatter> You'd set up your linux machine with snort 
01:01 <~hatter> as a router, then plug it into the switch
01:01 <~hatter> as well as the modem
01:01 <~hatter> the switch would then provide access to the rest of the network
01:01 <~hatter> via the router/NIDS
01:01 < lighthouse> so I could use one computer with a linux install with snort that acts as a router before the actual 
                   router?
01:01 <~hatter> you could use that on either a home network or a business network
01:02 <~hatter> yep
01:02 <~hatter> you sure could do that
01:02 < lighthouse> could that be done with saturn (a server I have with a custom hardened version of linux on it)?
01:02 <~hatter> probably.
01:03 < lighthouse> but easier to go with a less complicated distro?
01:03 <~hatter> could really be done with nearly any system
01:03 <~hatter> you don't need a super power house for it
01:03 <~hatter> however 
01:03 <~hatter> it's good to have that system locked down
01:03 <~hatter> remember, it's going to be the gateway
01:03 <~hatter> so
01:03 <~hatter> if it gets hit by something, your whole network is at risk
01:03 <~hatter> so you might want to set up the modem -> router -> snort machine -> switch -> network
01:03 <+foo> Security Onion has a lot of these tools built in: https://code.google.com/p/security-onion/
01:04 <~hatter> ^
01:04 <+foo> it's good stuff
-
01:07 < lighthouse> how much security needs to be implemented to eliminate 90-95% of all most threats?
01:07 <~hatter> lol you mean
01:07 <~hatter> how much shit do you need to turn off
01:08 <+foo> ^
01:08 <~hatter> not how much stuff do you need to add
01:08 <~hatter> xD
01:08 < Dwaan> i think im gonna have a play with snort now
01:08 < lighthouse> lol
01:08 <+foo> lighthouse: most issues are caused by enabled but unused functionality
01:08 <+foo> lighthouse: for example, take office workstations, most are allowed full access to the internal network
01:09 <+foo> aside from p2p functionality, there is no reason workstations need to talk to each other
01:09 < lighthouse> what I am saying is, won't most threats / malware be thwarted by a few levels of security? I mean, 
                   yes its best to be 100% secure (if thats even possible) but mnost dont have to worry about being 
                   hacked by the alphabet boys
01:09 <+foo> yet, as demonstrated by extensive malware propagation of many environments, workstations are allowed to not 
            only talk to each other but also attack each other unchecked
01:09 <+foo> lighthouse: 100% "security" is not possible
01:10 < lighthouse> if the SNA (scrambled for obvious reasons) wants to see what you are doing, more then likely they 
                   will be able to, no?
01:10 < Dwaan> foo: YES
01:10 < Dwaan> i try to tell people this
01:10 < Dwaan> so many people have the attitued like
01:10 < lighthouse> unless you have a bunker with electromagnetic shielded walls, they can see what you are doing
01:10 < Dwaan> 'meh, noone gonna do anything malicious on our network'
01:10 <+foo> https://www.sans.org/critical-security-controls/ here are the things to do to get "mostly secure"
01:10 < Dwaan> why bother
01:10 < Dwaan> etc
01:10 <+foo> as in, "must be this tall to ride"
01:11 <+foo> Dwaan: most organizations have no clue what their workstations do, what the traffic flow is, what is on the 
            network let alone what is installed on system X
01:11 < lighthouse> an IDS dsoes not actually prevent attacks, correct? just the IPS?
01:11 <+foo> Intrusion Detection System
01:12 <+foo> detects attacks
01:12 < Dwaan> foo: exactly
01:12 < Dwaan> lazy
01:12 <+foo> IPS, Intrusion Prevention Systems, are typically IDS + Active Response
01:12 < Dwaan> wow
01:12 < Dwaan> security onion
01:12 < Dwaan> looks nice
01:12 <+foo> Dwaan: lazy, organic growth, lack of administrative processes
01:13 <+foo> it's the defense-in-depth philosophy, at your external perimeter (outside of the FW) it makes sense to have 
            an IDS
01:13 <+foo> inside the FW, it makes sense to have an IPS
01:14 <+foo> but your IDS outside should do more than just look for attacks, it should gather network statistics and 
            information about traffic flow
01:14 <+foo> your internal IPS would take care of the "attacks" that your router and fw were unable to handle
01:14 <+foo> zzzzzZZZZzzz[m3n]: you about ready to jump in?
01:15 <+foo> lighthouse: think about a castle and the various layers of defense
01:15 <+foo> you have your castle wall
01:15 <+foo> with archers and buckets of boiling oil and firebombs
01:15 <+foo> you have a moat and a big gate
01:15 <+foo> but you also have scouts out looking for attackers
01:16 <@zzzzzZZZZzzz[m3n]> Just a moment, yes
01:16 <+foo> inside the castle walls you have segmentation of areas to limit attackers
01:16 < lighthouse> teachers: analogys = awesome
01:16 <+foo> but open areas that trusted parties can get into
01:17 <+foo> each of these areas have guards and access controls
Retrieved from "http://nets.ec/index.php?title=Classes/Logs/2012/September/17/00-01&oldid=9112"