Security FAQ

draconius

The [H] Security Faq v 1.0

Rev. 1.0 :: draconius - [3/9/05] - Added Spyware and Anti-Virus Sections
Rev. 1.1 :: draconius - [2/21/06] -

This FAQ is a work in progress, any and all suggestions, help, ideas are greatly welcomed and appreciated...please PM me, email me [email protected] or post in this thread, and I will make updates as needed!

This is a combined effort of many people here on the [H] to provide a place to look for information relating to the following topics:
(click the links to be taken to a thread all about each topic, and please, RTFM before asking silly questions!)

Notes:

I have a list of all sources kept on my computer, and I will provide it to anybody on request -- to anybody who has a stick up their ass about copyrights -- this page is for informational purposes, and to help people out on these forums, and to be a good aggregate area for information and articles that have been written by many hard working people, *NOT* to simply steal content.

I will be attempting to mirror many of these articles on my website, www.pyrospheric.net as I get the chance -- so if these links go down, come to my site -- this FAQ, along with articles will be there under the computing section
 
Something that normally goes along with the *nix firewall setup is how to set up a captive portal.

ZoneCD
http://www.publicip.net/zonecd/what.php

NoCatAuth (written in Perl)
http://nocat.net/

"NoCatSplash is the successor to NoCatAuth, which was written in Perl. NoCatSplash is written in multi-threaded ANSI C in order to be smaller and work better on embedded style devices."
http://nocat.net/moin/NoCatSplash

Edit: Thank you BobSutan for the sticky and thanks to draconius for the idea!
 
Thanks guys above....I updated the list with your links and added descriptions...hopefully more people can post solutions they use....

I am trying to keep the list entirely stuff that is free or has a free version available too...
 
Let's keep this thread going and I'll prune it later into a standalone Security FAQ.
 
Edit text down where needed:

"The Bastille Hardening System attempts to "harden" or "tighten" Unix operating systems. It currently supports the Red Hat, Debian, Gentoo, Mandrake, SuSE and TurboLinux Linux distributions along with HP-UX and Apple OS X."
http://www.bastille-linux.org/


General security links:
The Twenty Most Critical Internet Security Vulnerabilities
http://www.sans.org/top20/

Microsoft TechNet: Security How-tos
http://www.microsoft.com/technet/itsolutions/howto/sechow.mspx

EDIT [addition]
SAFE: A Security Blueprint for Enterprise Networks from Cisco
http://www.cisco.com/en/US/netsol/n...g_solutions_white_paper09186a008009c8b6.shtml
"Its principle goal is to provide best practices information on designing and implementing secure networks. SAFE takes a defense-in-depth approach to network security design, serving as a guide to network designers considering the security requirements of their networks."
 
I don't have a lot of free time today or tomorrow, but Friday / Saturday / Sunday this FAQ may be consolidated with several other FAQs here on the [H] into one giant security FAQ...wanna help out? PM ME!
 
per request, can be hacked up, rearranged and updated as you like ;)
(provided the interview credits are maintained) I'll try to update soon, I really haven't worked on it in the past year or so
---------------------------------------------------------------------------------------------------------------------------

RAMPANT PARANOIA 101

1st eliminate spyware/hijackware as the possible cause
unless you have reason to believe it's more serious

Review Schadenfroh's excellent Spyware Removal Guide
and Junkware 101 @ overclockinghq

My old outline follows
First run Adaware (freeware edition), Spybot (freeware)
and CWShredder (freeware), the CWTrojan removal tool, which is a common hijack mechanism
then run HijackThis (freeware)
then post your log at Spywareinfo forums, read the FAQ 1st ;)
HijackThis reports classes of apps, processes and registry keys where hijackware gets entered
legitimate apps and malware are both reported, so you need to know the difference
after they help you get cleaned up
make a note of which apps have valid entries (make a copy of the legitimate log file)
and run HijackThis after you install legitimate software so you can note new entries
(replace the copy of the legitimate logfile)
it's then real easy to spot new invalid entries

a more serious infection requires more serious tools,

Do an online scan at TrendMicro or Symantec (or both)
the first thing most malware will do once it's past whatever defense you have is circumvent the firewall and antivirus scanners\monitors,
it can do this because it's hard coded to look for a program in its default location, or it can attack the process directly (see following post)
since you're scanning remotely you're thus circumventing the circumventing
however I'd still follow the following procedure

Installation Note
install all the security apps to nondefault directories
as in, if it wants to install to C:/TDS-3,
say no and install it to a folder you make like
C:/pH33rNo3ViL/Trojan3

Then install the trial of Process Guard
it will detect any process the 1st time it runs and you have to approve it
you might be able to catch the malware right there trying to circumvent a security app install; it's recently changed how it installs by default, so now you need to switch off learning mode and remove everything it's "learned", then it will give you each process as it tries to run

Download and trial
NOD32 (or another AV Scanner), 2nd Choice Kaspersky
TDS-3 (or another Trojan Scanner), 2nd Choice TrojanHunter
Port Explorer (or another firewall monitor, not the one you currently have)
A Firewall, a different one than you currently have as it's likely compromised

Scanning and Configuration

NOD32
Installation Guide (PDF)
to configure AMON click the white floppy disk icon with the red cross on it that is in your taskbar, then > setup > accept the defaults
for NOD32 > Start > Programs > Eset > NOD32 > Setup Tab > Accept the Defaults
Download the latest Definitions and do a full scan

TDS-3
Install trial and manually update the definitions (instructions on how to do that), to config TDS-3 > Configuration Button > Startup tab > Check all > Save
Scan Control Button > Check all except the NTFS ADS Streams > Load Scans in the top window > Start Scanning; it will peg your resources, a nice time to take a break
(ADS Streams are Alternate Data Streams in NTFS, and scanning them would take forever)

also grab a registry monitor and a filechecker that monitors your security exe for changes
------------------------------------------------------------------------------------------------------------------------------

a personal security software list

Scanners
NOD32
TDS-3 (with exe protection)

Execution Protection\Patches
WormGuard (with exe protection)
WSH Anti-Polymorphism Patch (freeware)
AnalogX Script Defender (freeware)
Symantec's noscript.exe (toggle on and off WSH) thanx OldMX :D
Spyware Blaster

Monitors\firewalls
PortExplorer
Process Guard
Kerio Personal Firewall2 (was freeware) supplements hardware NAT
Taskinfo 2003
RegistryProt (freeware)
Filechecker (freeware) a monitor for critical system files

Filters
Pest Patrol
Proxomitron (freeware)
CookieWall (freeware)
SpywareGuard (freeware)
BHODemon (freeware)

Spyware Removal
AdAware (freeware)
SpyBot Search and Destroy (freeware)
HijackThis (freeware)
CWShredder (freeware) CWTrojan removal tool
MRU Blaster not spyware per se this however cleans Most Recently Used Lists, info Spyware can tap into

Checksums
Haxial Hash (freeware)
fsum (freeware)

______________________________________________________

then get serious about your config and security audits
investigate setting up a dedicated Intrusion Detection box

rampant paranoia 101


a personal checklist
---------------------------------------------------------------
install Service Pack and hotfixes
close the vulnerable NetBIOS ports and clean up bindings
Configure IPSec
Restrict access to LSA info

disable unnecessary services

disable Guest account
setup my user account
rename Administrator account
create fake Administrator account (disabled)
enable network lockout of the true Administrator account

Limit the number of logon accounts

remove the "Everyone" group and replace with "Authenticated Users" shares
disable default hidden shares, administrative shares, IPC$


disable HTML in e-mail
disable ActiveX
disable or limit WSH\VB\Java\JavaScript (install HTAstop, Script Defender, noscript.exe)
rename shscrap.dll to shscrapold
Unhide file extensions, protected files, all files and folders


Enable Encrypted File System
Encrypt the Temp Directory
setup to clear the paging file at shutdown
lockdown the registry

disable dumpfile creation
remove insecure subsystems (OS/2 and POSIX)

protect or remove: arp.exe \ at.exe \ cacls.exe \ cmd.exe \ Command.com \ cscript.exe \ debug.exe \ edit.com \ edlin.exe \ finger.exe \ ftp.exe \ ipconfig.exe \ iissync.exe \ nbtstat.exe \ net.exe \ Net1.exe \ netstat.exe \ netsh.exe \ nslookup.exe \ ping.exe \ posix.exe \ qbasic.exe \ rcp.exe \ regedit.exe \ regedt32.exe \ regini.exe \ rexec.exe \ rsh.exe \ route.exe \ Runas.exe \ runonce.exe \ telnet.exe \ tftp.exe \ tracert.exe \ Tlntsvr.exe \ wscript.exe \ xcopy.exe
remove the .reg file association from the registry editor
these all make it much harder for someone that has already compromised your computer
if there is a brain behind the attack (a hack or trojan) then they would need to re-enable these if they can, which might tip their hand; the same goes for an automated attack like a worm, if it could manage it at all, and many more minor pieces of malware\spyware rely on some of these for infection, or more accurately reinfection, like runonce.exe, regedit, etc., or as the vector for infection in more serious malware, like ftp or telnet

Install and schedule trojan scanner, anti-virus and intrusion detection
Install and configure Worm Guard

Install Firefox and Lockout access to Internet Explorer with NTFS Permissions to all accounts other than the Administrative Account

configure security policy control
enable auditing (logon, object, privilege, account management, policy, system)
set permissions on the security event log
set account lockout policy
assign user rights
set security options
configure firewall

Test
Run Baseline Security Analyzer (freeware)
> connect to the internet
Run NessusWX (freeware)

Do a remote Port Scan

It's extremely rare any one box would get all of those
but I consider all of them

--------------------------------------------------------------------------------------------------------------------------------

My Security Linkfarm at Radified
In bad need of an update
______________________________________________________

A conversation with Lance Spitzner, Sun Microsystems senior security architect
and a founder of the Honeynet Project
a Honeynet (or pot) is a system that is bait for intrusion so it can be detected, monitored, mined for data and techniques
and eventually deflected, causing no harm from it, not an easy thing to do, considering the intruder has "root"

Excerpted Transcript
Used with permission from both Lance Spitzner and Dana Greenlee Producer and co-host of the WebTalkGuys
but she is a Lady, and very nice one for letting me do this ;)
and of course Lance for taking time out to give me permission and answer a few questions.

We join the discussion of Honeynets in the middle here

WebTalkGuys: Well Lance lets talk about bait, I mean why would...
does a hacker come to one of these sites just because...
or one of these computers, just because he can or
is there something on there that he'd want,
Do you care about that?


Lance: That's actually one of the most amazing things,
if you just put a computer out there that has no perceived value
it will probably get scanned 10 to 20 times a day
this is any system, I'm not talking about corporations, small businesses
If any of your listeners have a connection at home
a home connection, DSL, cable, ISDN
and they have a dedicated connection
they are most likely getting scanned ten to twenty times a day, also
just as our systems are
the bad guys are being very active,
because it's very simple to hack
you just download a tool and run the tool

WebTalkGuys: Why are they doing this though? Don't these people have jobs?
Don't they have lives themselves, or do they just sit around?


Lance: Well it's very interesting and it's one of the things we've learned
because of these honeynets we see what these guys do afterwards, so we can monitor the motives
there is a misconception that people think that a lot of these attackers are
misguided youths out exploring the internet
the reality is that the vast majority of these individuals
are criminal intent, in other words to make money
we see a lot of the time people hacking systems and
scanning for stolen credit cards
or they're launching attacks against other organizations
and potentially getting paid for it
or they are dealing in stolen music,
videos, licensed software, such things called warez
people scanning or scouring the internet for email addresses
to build databases of stolen email addresses to sell to spammers
stolen PayPal accounts
stolen eBay accounts
there is just a tremendous amount of criminal activity going on

WebTalk Guys: Ok so it's really a malicious type of environment

Lance: Extremely hostile

----------discontinuity-----------------

a large percentage of the bad guys really don't care what systems they break into
they simply download an automated tool that
will literally scan 16 million computers in a night
and if any one of those 16 million computers is vulnerable
the program will break into them

----------discontinuity-----------------

WebTalk: What are some of the most hacked operating systems out there?
Everybody has heard about Windows, but is Windows really the most hacked operating system on the internet?


Lance: No, everybody is a potential victim. Windows tends to be very popular just because if the bad guys are going to develop an exploit he gets the biggest bang for the buck for Windows.

we also tend to see a lot of focus on Linux just because Linux is a free operating system
so in more economically depressed countries it's easier for the bad guys to get access to this OS, understand this OS and attack the OS
For example countries like Romania, Eastern Europe, very economically depressed,
so we tend to see
a lot of hacking activity coming out of those countries

WebTalk Guys: OK, 'cause certainly as far as the numbers of computers that are connected to the Internet, most of them are Unix and Linux, aren't they, as far as the overall number?

Lance: No, I would actually disagree, I would say the growing majority is more on the
Windows side as more and more home users are connecting via broadband

WebTalk Guys: Well that's true and that's a fairly recent phenomenon

Lance: Exactly
and the very scary thing is that's why it's becoming easier for hackers, because people have this misconception that bad guys only target businesses or companies, but they don't realize
anybody, any system with an IP stack is a target
so you have these millions of home users coming online
that have no conception of security, who don't believe they're a target,
this becomes a very target rich environment for the bad guys.


----------discontinuity-----------------

More >
 
Known Direct Process Attacks @ DiamondCS

This section documents the main types of attacks that processes can launch against other processes on a local system (such as a trojan attacking a security program, a rootkit injecting into a system process, or a firewall "leak test" attempting to hitch on a web-browser).

These process vs. process attack techniques can typically be categorised into three distinct, but related groups:

Termination - the attacking process attempts to kill the target process. This is the most common attack.

Suspension - the attacking process attempts to suspend the target process (usually by suspending all threads belonging to the target process), leaving it resident but in an inactive, frozen state.

Modification - the attacking process attempts to modify or inject code in the target process, usually with the intent of changing the behaviour of the target process, or hiding its own code in the context of the target process. The target process remains resident and active, but in a modified state.

However, there are other types of attacks, including:

Hooks - the attacking process attempts to load a DLL into all processes on the system that use user32.dll, allowing it to then perform functions on behalf of other processes. This can make termination attacks easy, as well as firewall leak-tests, as well as password-stealers, as well as keystroke-loggers, and more.

Thread Activation - the attacking process attempts to start a thread in another process, usually with the start address being a function like ExitProcess, or in the case of the Windows File Protection attack, a function that unloads Windows File Protection.

Leaktests - the attacking process attempts to transmit data to the Internet, usually using advanced techniques such as hooking and thread activation in order to bypass firewalls. Although not originally designed as an anti-leaktest program, Process Guard has been demonstrated to have remarkable results against such programs.

Drivers - kernel-mode drivers (.sys files) have the power to perform some very low-level functions, and in the case of rootkits they can actually modify the behaviour of critical operating system functions.

All of these attacks represent a very serious and very real threat to local system security, particularly because the majority of people execute programs on their system without actually knowing what the code in the program does.

Attacks in Detail

Code Modification

Process Termination

Miscellaneous Attacks

Rootkits

Global Hooks

Leaktests

Password Stealers

Keystroke Loggers

Disabling Windows File Protection
 
Project Honeynet Security Papers
The Know Your Enemy Series
Highly recommended

Know Your Enemy 1
How Probes, Identification and Exploits are employed
to compromise a system


Know your Enemy 2
How to detect attempted intrusions, identify the tools being employed
and vulnerabilities that are the target


Know your Enemy 3
What happens during a compromise "They Gain Root"
How tracks are covered, and how systems may be altered


Know Your Enemy: A Forensic Analysis
How to assess a successful attack and the lessons to be learned from it.

Know Your Enemy: Motives
The Motives and Psychology of the Black-hat Community

Know Your Enemy: Worms of War
Worms as automated probes that ID and exploit exponentially

Know Your Enemy: Passive Fingerprinting
How to learn more about the enemy, without them knowing it.


Operating System Security Guides
NSA Security Guides


Fauna
Virus Overview
Trojans
Worms
Why ActiveX is insecure
Hostile Java Applets
VBS, WSH and wscripts \More
Macro Viruses
Boot Sector Viruses
Multipartite Viruses
just a few forms of malware, more can be found in the Lists below


Malware Lists
Virus Bulletin
Viruslist.com Encyclopedia
VirusLibrary
Symantec Virus Database and threat list
McAfee Virus Information Library
Kaspersky Virus Encyclopedia
Sophos Virus Database with a content by type as well as alphabetical
Wildlist.org

Hoaxes and Scams
Hoaxbusters
Crimes of Persuasion
McAfee Hoaxes
Hoax News
Symantec Hoaxes
Urban Legends Search Page
Vmyths


Forensics
Forensics for Beginners
Firewall Forensics must read ;)
Common Firewall False Positives


Port Reference
iana.org
Network ICE Port Knowledgebase
Common Trojan Port List


Scanners (Online Tests)
Anti-Trojan Online Port Scan
Blackcode Online Port Scan
HackerWatch.org Port Scan
PCFlank Port Scan and Privacy Check
mycgiserver Port Scan
DSL Reports Port Scan
Securitymetrics Port Scan
GRC Port Scan take anything Gibson says with a grain of salt :rolleyes:
Sygate Port Scan
HackerWhacker Security Scan plus news etc.
Symantec Security Check
Guardwall Popup Test
Qualys Browser Stealth Test (you pass this with a local host proxy like Naviscope)
TrendMicro Online Virus Scan

Security Scanners
Nessus
Microsoft Baseline Security Analyzer V1.1
Microsoft Personal Security Advisor


Tutorials\Info
my NetWatchman
ComputerCops
advICE database
SANS Knowledge Base
SpywareInfo.com
Insecure.org
Nastylop
SearchSecurity
SecurityFocus
Cheapbox Linux Firewall
Tutorial Linkfarm
Disabling VBS scripts from automatically running


Forums
Wilders Security Forum one of the best
SANS security forums This is the big leagues (SysAdmins, enterprise level)
Computer Cops Forums
DSL Reports Security Forum

Beyond that there is Network topology, Multiple Operating Systems and Guardians, Packet Sniffers, inspectors and Intrusion detection
Snort
Hogwash
OpenBSD\Security
Bastille Linux Linux Hardening scripts
 
I believe www.grc.com has some assembly stuff that is useful to most Windows users.

like:

UnPlug n' Pray

DCOMbobulator

Shoot The Messenger

Socketlock

all in pure assembly so it runs real fast ^^

hope this helps to build a better secured web community

:D
 
a rootkit will hide a virus or spyware from any scan
Chuck said:
[H]ardNews 2nd Edition Saturday April 16th

Rooting around Windows:
Rootkits in a Windows environment stealth more vicious code, like worms, viruses or spyware and are becoming pretty common in the later. If your scanner can't see it, it can't remove it. In all the excitement of patch day, many may have missed that Microsoft's Malicious Software Removal Tool has a new update for rootkits.

"It is the first time Redmond has added rootkit detection capabilities to the free Malicious Software Removal Tool, a move that underscores the increased prevalence of stealth rootkits on Windows machines.
In all, Toulouse said four child variants of the stealth rootkit will be detected. Hacker Defender (Win32/Hackdef) is a family of backdoor Trojans capable of creating, changing and hiding Windows system resources on a computer that it has infected."



Rooting the Finnish Way
F-Secure has a new beta rootkit detection tool that is free to use until May 1st, F-Secure BlackLight Beta.
As well as specific malware freeware removal tools, including the popular F-Secure Anti-Virus for DOS.

"The rootkit itself doesn't typically cause deliberate damage. Its purpose is to hide software. But rootkits are used to hide malicious code. A virus, worm, backdoor or spyware program could remain active and undetected in a system for a long time if it uses a rootkit. The malware may remain undetected even if the computer is protected with state-of-the-art antivirus. And the antivirus can't remove something that it can't see. The threat from modern malware combined with rootkits is very similar to full stealth viruses that caused a lot of headache during the MS-DOS era. All this makes rootkits a significant threat."


Pro Rooting
Sysinternals RootkitRevealer is another freeware rootkit tool that has a bit more advanced interface; it compares the highest level of the Windows API and the lowest level of the raw contents of a file system volume or Registry hive and looks for discrepancies.

"Since persistent rootkits work by changing API results so that a system view using APIs differs from the actual view in storage, RootkitRevealer compares the results of a system scan at the highest level with that at the lowest level. The highest level is the Windows API and the lowest level is the raw contents of a file system volume or Registry hive (a hive file is the Registry's on-disk storage format). Thus, rootkits, whether user mode or kernel mode, that manipulate the Windows API or native API to remove their presence from a directory listing will be seen."

if something is constantly reappearing, a good bet is you have a rootkit somewhere
warez & cracks are a favored means to get a rootkit on a box
questionable freeware or compromised freeware too; you're placing trust every time you hit an .exe
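Two of the checks described in words in this thread, the HijackThis "keep a clean log and spot new entries" routine from the Rampant Paranoia post and the cross-view comparison RootkitRevealer does, both reduce to diffing two views of the same system. The Python below is an added example, not code from the thread or from any of the tools named; the log lines, file names and sizes it works on are constructed sample data.

```python
"""
Added example (not from the thread): two "compare two views" checks.

 1. HijackThis baseline diffing: keep the log from a known-clean machine and
    report only the lines that have appeared since (the "note new entries"
    advice above).
 2. Cross-view rootkit detection in the RootkitRevealer style: an entry that
    the high-level (API) listing omits but the raw on-disk listing shows is a
    candidate for a rootkit-hidden file, and an entry whose size differs
    between the two views has been tampered with in one of them.

All log lines, file names and sizes below are constructed sample data.
"""
import re
from collections import defaultdict

# A HijackThis line starts with a section code such as O4 (autostart entries),
# O2 (browser helper objects) or R1 (IE start/search pages), then " - ".
HJT_LINE = re.compile(r"^(?P<section>[A-Z]\d{1,2}) - (?P<entry>.+)$")


def parse_hijackthis(log_text):
    """Return {section: set(entry)} for the recognised lines of an HJT log."""
    entries = defaultdict(set)
    for raw in log_text.splitlines():
        m = HJT_LINE.match(raw.strip())
        if m:
            entries[m.group("section")].add(m.group("entry"))
    return entries


def new_hijackthis_entries(baseline_log, current_log):
    """Entries in the current log that the saved clean baseline lacks."""
    base, cur = parse_hijackthis(baseline_log), parse_hijackthis(current_log)
    added = {}
    for section, cur_entries in cur.items():
        diff = cur_entries - base.get(section, set())
        if diff:
            added[section] = sorted(diff)
    return added


def cross_view_discrepancies(api_view, raw_view):
    """
    Compare a high-level listing (what the Windows API reports) with the
    low-level one (raw volume or hive contents). Both are {name: size}.
    A hook that filters API results cannot change what was read straight
    from the volume, so hidden names and size mismatches show up here.
    """
    hidden = sorted(set(raw_view) - set(api_view))
    mismatched = sorted(name for name in api_view
                        if name in raw_view and api_view[name] != raw_view[name])
    return {"hidden": hidden, "mismatched": mismatched}


# --- constructed sample data --------------------------------------------------
CLEAN_BASELINE = r"""
Logfile of HijackThis v1.99.1
O2 - BHO: Acrobat helper - {00000000-0000-0000-0000-000000000001} - C:\Program Files\Adobe\AcroIEHelper.dll
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [NOD32] C:\pH33rNo3ViL\AV\nod32.exe
"""
AFTER_INSTALL = CLEAN_BASELINE + r"""
O4 - HKLM\..\Run: [svchost32] C:\WINDOWS\system32\svchost32.exe
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://example.invalid/search
"""
API_LISTING = {"ntoskrnl.exe": 2056192, "helper.dll": 81408}
RAW_LISTING = {"ntoskrnl.exe": 2056192, "helper.dll": 83456, "hidden_driver.sys": 3584}

if __name__ == "__main__":
    print(new_hijackthis_entries(CLEAN_BASELINE, AFTER_INSTALL))
    print(cross_view_discrepancies(API_LISTING, RAW_LISTING))
```

The first call reports only the two lines that were not in the clean baseline, the second reports the file the API view omits and the one whose sizes disagree.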
 
Why is it that every site i click on this thread, it redirects me back to microsoft?
 
jotns said:
Why is it that every site i click on this thread, it redirects me back to microsoft?

The reason is it looks like a number of the links are formatted incorrectly. They are reading http://\"http://www.xxxxx.xxxxx"
 