Darknet - The Darkside

Don`t Learn to HACK - Hack to LEARN. That`s our motto and we stick to it, we are all about Ethical Hacking, Penetration Testing & Computer Security. We share and comment on interesting infosec related news, tools and more. Follow us on Twitter, Facebook or RSS for the latest updates.

08 March 2006 | 16,471 views

SSL VPNs and OpenVPN – Part II

Check Your Web Security with Acunetix

2. Why OpenVPN

Here, in this article, I will lay down the emphasis on one important Open-Source SSL VPN software written by James Yonan and contributed by several others, which proposes security without the inherent complexity of IPsec AND using a trusted design of client component and VPN server.

Usually VPNs require end points which are trusted. The server and client are machines with elevated levels of trust as VPN components are installed on known machines which participate in corporate network according to security policy. Additionally, it is made sure that authentication credentials are pre-installed (in a secure way) on both of these devices so that each endpoint could authenticate each other.

SSL Remote Access connections nee. SSL Gateway clients, allow users to connect to VPN servers irrespective of the machine. The client can be any machine in cybercafe or public terminal. This brings us to two severe security issues. One, we break the trust model. The server and client no longer share the authentication credentials using secure channel.

Two, users connect from machines that are not subject to corporate security policies. Even if the user manages to start SSL session with SSL gateways, they are doing all their input and output on an unknown insecure machines that might as well be worm clearinghouses.

The propensity of a public machine loaded with keystroke loggers and remote management tools that allow the attacker to sniff passwords and collect session data is very high. Untrusted Clientless VPNs on an arbitrary machine is the weakest link in a security chain.
OpenVPN adheres to secure computing practices with a software component installed on the endpoints.

From the OpenVPN website:

“OpenVPN is a full-featured SSL VPN which implements OSI layer 2 or 3 secure network extension using the industry standard SSL/TLS protocol, supports flexible client authentication methods based on certificates, smart cards, and/or username/password credentials, and allows user or group-specific access control policies using firewall rules applied to the VPN virtual interface.
OpenVPN is not a web application proxy and does not operate through a web browser.”

Another reason: OpenVPN is FREE. And works on Linux like OS’s AND Windows.

Next: we will learn how to implement a VPN Tunnel using OpenVPN.

Read on in Part III

Previously:
1. SSL VPNs and Using OpenVPN : What is an SSL VPN



07 March 2006 | 27,275 views

SSL VPNs and Using OpenVPN

Requirement: To connect to a VPN server in a different country.

Situation: A country which has proxies at every gateway.

Issues: VPN based on IPSec is fussy when it comes across networks which are NAT’ted/ proxied. The Security Parameters Indexes don’t match and clients do not get connected.

Objective: To connect VPN server in a corporate network using some flexible VPN which I can run on any port/transport protocol so as to bypass the port/protocols/applications restriction.

Using these factors I came to conclusion that I needed SSL VPN solution. The following article explains the SSL VPN nuances and advantages of using them in certain situations.

Contents:

  1. What is an SSL VPN
  2. Why OpenVPN
  3. brief How-to (site-to-site and client to site)
  4. Nutshell

1. What is an SSL VPN

For a very long time, people in information security have thought IPSec is THE VPN and SSL is for secure online banking. While SSL has traditionally been used for Web site security purposes, SSL’s applications reach wider than just web proxying and application security.

Traditional SSL VPN started off with products that were more like SSL gateways instead of true VPNs. These products cannot be really termed as VPN but more like “Secure Remote Application Access”.

They thrive on a management facade called “Clientless VPN”. A VPN that can be established with any web browser without installing a software component sure promise less pain for users and administrators alike, but it comes with certain caveats that we will talk about later.

In the past, IPSec has been used as THE technology to create a VPN Site-to-site or site-to-client tunnel. IPSec has since long enjoyed widespread implementation because of its monopoly on function, although it has received its fair share of criticism for being too complex, and tightly coupled with Operating System.

IPSec came out in November 1988 with a series of RFC’s defining the protocols necessary to create VPNs. This RFC (2401-2412) represented a backbone of IPSec technologies. While IPSec does provide for a framework to establish a secure tunnel, it comes with a lot of complexity. Since complexity and security is inversely proportional, there are so many things with IPsec that may go wrong with wrong implementation. Thoroughly understanding everything and grappling with issues like Nat-T is something not everyone would be comfortable with.

Apart from that, IPSec being coupled tightly with Operating System doesn’t induce a sense of security. Any program integrated with kernel is against secure computing architecture. A wrong implementation or a security breach could take down the whole system.

Understanding the fact that IPSec is complex, industry started moving towards SSL based Remote Access solutions which may not be as secured as we want them to be. It’s because of the fact that a lot of these solutions push web browser as the client which can be used at any machine. The issue of ANY machine connecting to central site may not be very desirable as machines in cybercafes or public terminals do not form a part of control domain. Its desirable to run your upper layer protocols over SSL because it’s widely implemented and allowed in majority of packet filters.

Yeah…..but WHY OpenVPN??

Read on in Part II


06 March 2006 | 4,466 views

Latest RIAA Bullshit – Fair Use Policy – Can’t Use YOUR CDs on YOUR iPod

Amazing, now ripping YOUR OWN CD’s to use on YOUR iPod is not fair use according to the new DMCA rulings currently being created.

As part of the on-going DMCA rule-making proceedings, the RIAA and other copyright industry associations submitted a filing that included this gem as part of their argument that space-shifting and format-shifting do not count as noninfringing uses, even when you are talking about making copies of your own CDs:

“Nor does the fact that permission to make a copy in particular circumstances is often or even routinely granted, necessarily establish that the copying is a fair use when the copyright owner withholds that authorization. In this regard, the statement attributed to counsel for copyright owners in the MGM v. Grokster case is simply a statement about authorization, not about fair use.”

For those who may not remember, here’s what Don Verrilli said to the Supreme Court last year:

“The record companies, my clients, have said, for some time now, and it’s been on their website for some time now, that it’s perfectly lawful to take a CD that you’ve purchased, upload it onto your computer, put it onto your iPod.”

If I understand what the RIAA is saying, “perfectly lawful” means “lawful until we change our mind.” So your ability to continue to make copies of your own CDs on your own iPod is entirely a matter of their sufferance. What about all the indie label CDs? Do you have to ask each of them for permission before ripping your CDs? And what about all the major label artists who control their own copyrights? Do we all need to ask them, as well?

I wish they would just make their collective minds up, or lack of minds or whatever you want to call it.

Digital Restrictions Management indeed.

Source: EFF


06 March 2006 | 7,289 views

Anti-Spyware Software Wars – Can’t they get along?!

Last year, we noted how some security products could cause conflicts that would cause computers to lock up — but there’s another (less troublesome) trend that’s happening as well: security products declaring competing products as malware and removing them.

Just a little over a week ago, the latest version of Microsoft’s anti-spyware offering declared Symantec’s anti-virus offering as malware. However, it looks like Kaspersky Labs has Symantec’s back on this one. Its latest anti-spyware offering flagged some Microsoft anti-virus software as being malware. Of course, this was bound to happen, since many security products often have to do things that look quite like malware.

This is only likely going to get worse — and many of these standalone companies might want to start thinking about proactively trying to deal with the issue. In the meantime, it seems like the security suite providers should be using this as an opportunity to hype up how their combined offering does everything in one package (even if that’s not quite true), so you never need additional, conflicting software.

According to several different support threads over at Microsoft’s user groups forum, the latest definitions file from Microsoft “(version 5805, 5807) detects Symantec Antivirus files as PWS.Bancos.A (Password Stealer).”

When Microsoft Anti-Spyware users remove the flagged Norton file as prompted, Symantec’s product gets corrupted and no longer protects the user’s machine. The Norton user then has to go through the Windows registry and delete multiple entries (registry editing is always a dicey affair that can quickly hose a system if the user doesn’t know what he or she is doing) so that the program can be completely removed and re-installed.

I put in calls to Microsoft and to Symantec on this issue, but am still waiting to hear back from both companies.

Source: Washington Post

I have had similar problems in the past with things detecting HijackThis! or Spybot as Malware..or playing with having two level 7 firewalls installed.


05 March 2006 | 3,426 views

RIAA Dirty Tricks: Gathering Private Info On Kids Of Accused File Sharer

The RIAA’s latest tactic, is to reveal to Santangelo and her new lawyer that they’ve been investigating her children, and have been able to collect a lot of non-public information. The RIAA will probably claim that the info is related to the case, but it certainly borders on using scare tactics, and trying to intimidate Santangelo into backing down.

The Big Four record labels are escalating their attack on Patti Santangelo, the New York mother who’s so far the only person to stand up to them.

And they’ll be using her children as weapons against her.

On Tuesday judge Mark D. Fox presided over a discovery hearing in Elektra v Santangelo and, “Elektra’s attorneys have answered Patti’s objections to their discovery questions,” her lawyer, Jordan Glass, told p2pnet.

“They’ve started to push back aggressively. They’re going after her children – and this time not directly so they can get around certain protections the children have. They had information about the children that wasn’t public, or wasn’t supposed to be public, and it’s of great concern not only that that they were able to obtain it, but also that they wanted it.

“They’re not treating this as a single case or as seeking a verdict for $3,500.00. They’re treating this as a symbol for how the other cases will go and I hope everyone who reads this will recognize the serious impact this case could have on their children.”

The RIAA has spent enough to feed a small country on trying to make the world believe it’s owners, the multi-billion-dollar Big Four labels, are being “devastated” (their word) by people who share music online, that contracted artists are suffering and that support workers are being driven into extreme financial hardship.

They make the completely unsupportable assertion that people using the p2p networks to share files would otherwise have paid $1 or more to buy the song from an online corporate music site or an offline music store.

Source: p2pnet


04 March 2006 | 3,531 views

Your Employees Don’t Care About Your Data

So you better make sure you do.

As we discussed in the article on Social Engineering in Penetration Testing, it’s not that the employees don’t care as such, it’s that they don’t know. They haven’t been educated, they are ignorant, their awareness of best practise is low.

An experiment carried out within London’s square mile has revealed that employees in some of the City’s best known financial services companies don’t care about basic security policy.

CDs were handed out to commuters as they entered the City by employees of IT skills specialist The Training Camp and recipients were told the disks contained a special Valentine’s Day promotion.

However, the CDs contained nothing more than code which informed The Training Camp how many of the recipients had tried to open the CD. Among those who were duped were employees of a major retail bank and two global insurers.

The CD packaging even contained a clear warning about installing third-party software and acting in breach of company acceptable-use policies – but that didn’t deter many individuals who showed little regard for the security of their PC and their company.

Rob Chapman, CEO of the Training Camp, who carried out the stunt to promote a course in security for non-IT professionals, said: “Fortunately these CDs contained nothing harmful. No personal or corporate data was transmitted due to the actions of these individuals but the fact remains that this could have been someone wanting to cause havoc in the City.”

Chapman claimed the “potential outcome could have been disastrous”.

Source: Silicon

It shows what you can do with a little bit of imagination, a Japanese bank fell victim to a Spyware infection last year that led to the thieves almost getting $300 million.

The moral of the story is, educate your staff, it IS important that you tell them. People don’t inherently know what is right and wrong when it comes to computers, what they should and shouldn’t do.


03 March 2006 | 9,206 views

Norton Internet Security ‘Keylogger’ IRC Bug

It seems like script kiddies have been taking full advantage of the bug we talked about in the Symantec software. Do companies never learn?

Script kiddies have been taking advantage of intrusion prevention features of Symantec’s Norton Firewall and Norton Internet Security Suites to knock users offline in IRC channels, according to an amusing post at Washingtonpost.com. From the article: ‘Turns out that if someone types “startkeylogger” or “stopkeylogger” in an IRC channel, anyone on the channel using the affected Norton products will be immediately kicked off without warning.

These are commands typically issued by the Spybot worm, which spreads over IRC and peer-to-peer file-swapping networks, installing a program that records and transmits everything the victim types (known as a keylogger).’ Makes you wonder what other magic keywords produce unexpected results with Symantec’s software.

Reminds me somewhat of the whole ++ATH0 thing.

startkeylogger
phonex has quit (Read error: Connection reset by peer)
TomA has quit (Read error: Connection reset by peer)
something3280 has quit (Read error: Connection reset by peer

It’s kind of ironic, using the software that’s supposed to be protecting someone..to disrupt their Internet experience ;)

Now if only the script kiddies could put their group brain together and come up with something useful.


02 March 2006 | 12,229 views

Norton Antivirus Funny Bug

the following exploits (if we can call it this way) was published on securityfocus bugtraq mailinglist… it is entirely reproduced in the following lines:

Norton Internet monitoring tools issues
Versions Affected : *
Fix : No

What im writing about is how to stop the internet of some user that is
using the norton tools and IRC / any other chat at the same time.

By default norton monitor checks for words like “keylogger” , “start
keylogger” , “key logger” and etc.etc.

Example for irc :
Start a mIRC or any other IRC client that u like and connect to some
server.
Type down /ctcp yournick start keylogger . By default norton monitors
your mIRC Process and your logs of it so it sees “star keylogger” and
automaticly blocks mIRC.exe from starting and automaticly blocks port
6667 or whatever port ure using to connect to IRC. Nice eh ?

Aleksander Hristov

So you should be in a small manner paranoic when using Norton tools…


02 March 2006 | 4,968 views

The RSS Tools That Diggers Use

Interesting to see which RSS aggregators and readers Digg users are using.

As you can see after being ‘digged’ on Monday February 27th, the RSS subscriber base spiked from about 21 up to 182 at the highest point, after a day it receded back to around 150, and now it’s about 130.

Darknet RSS Spike

The biggest Agent in the graph by a large margin is Google Desktop.RSS Reader Distribution

Some of the figures are not so accurage as services like Kinjo don’t give the number of subscribers.

Firefox Livebookmarks is also high, which I was expecting.

3rd place goes to Bloglines, probably the most popular web-based blog/RSS aggregator.

The RSS subscription percentage is quite high aswell, as around 20,000 people came on that day, and around 160 subscribed.

The above pictures were taken from the shiny new updated Feedburner control panel.


02 March 2006 | 15,980 views

How Computers Work – Free E-book

This is a tutorial web book. All 152 pages of the large paperback book with 96 diagrams are on 38 web pages here.

Even if you know nothing about electronics, you have come to the right place.

If you are wondering how microprocessors work, you have come to the right place. A microprocessor is a small processor.

How Computers Work

If you already know something about electronics, don’t be put off by the fact that the book starts out very simple and uses relays instead of transistors. You will get through the first chapter quickly. See web page 24, below, for just how complex it gets.

If you have a very fast connection (DSL or cable modem), then you can click the following link to see an easier to read (PDF) version of the book. It is 783 kilobytes, so it will take a while.

PDF Version

Full information here:

How Computers Work