Security
Low Bandwidth Zoneminder Stills On iPhone
The following will allow you to view your Zoneminder stills from the previous blog post on most web browsers, including an iPhone. You need the stylesheet and expand settings if you plan on viewing stills on an iPhone without having to double-tap the image on every refresh. The PHP variable following ?time= is necessary to prevent Safari from displaying cached images.
Create a file called webcam1.php:
Create a file called style.css or append the following to your current stylesheet:
Low Bandwidth Zoneminder Webcam Stills Using Inotifywait
This bash script gets the latest Zoneminder webcam image using inotifywait and copies it to a local or remote folder every 5 seconds. Use this script when streaming is unnecessary and you don't want to expose your Zoneminder systems to the internet (low bandwidth monitoring and low disk space archival).
Notes: You must have inotify-tools installed (yum install inotify-tools). I use sshfs to automatically mount remote system folders.
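The watcher described above, written out as an added example rather than the post's own script. It assumes Zoneminder writes JPEG captures somewhere under WATCH_DIR (the /var/lib/zm/events default below is an assumption; adjust it to your install), that DEST_DIR is a local directory or an sshfs mount, and that a separate web server publishes webcam1.jpg from DEST_DIR. The copy is throttled to one image per 5 seconds and lands under a temporary name before being renamed into place, so a browser never fetches a half-written file.

```shell
#!/bin/bash
# Added example, not the original post's script.
# Copies the newest Zoneminder capture to a low-bandwidth archive folder,
# at most once every INTERVAL seconds.

WATCH_DIR="${WATCH_DIR:-/var/lib/zm/events}"   # assumed capture location
DEST_DIR="${DEST_DIR:-/mnt/remote/webcam}"      # assumed local or sshfs path
INTERVAL=5                                      # seconds between copies
LAST_COPY=0                                     # epoch time of the last copy

# should_copy NOW LAST INTERVAL: succeed only when at least INTERVAL seconds
# have passed since LAST, so a burst of captures does not flood the link.
should_copy() {
    local now=$1 last=$2 interval=$3
    [ $((now - last)) -ge "$interval" ]
}

# is_jpeg PATH: accept only .jpg/.jpeg files; Zoneminder's index and
# temporary files in the same directories are ignored.
is_jpeg() {
    case "$1" in
        *.jpg|*.jpeg) return 0 ;;
        *) return 1 ;;
    esac
}

# publish SRC DEST_DIR: copy to a temporary name inside DEST_DIR, then rename
# atomically to webcam1.jpg so readers never see a partially written image.
publish() {
    local src=$1 dest_dir=$2 tmp
    tmp="$dest_dir/.webcam1.jpg.tmp.$$"
    cp -- "$src" "$tmp" && mv -f -- "$tmp" "$dest_dir/webcam1.jpg"
}

# watch_loop: block on inotifywait (inotify-tools) and publish each finished
# capture, subject to the throttle above.
watch_loop() {
    inotifywait -m -r -e close_write --format '%w%f' "$WATCH_DIR" |
    while read -r path; do
        is_jpeg "$path" || continue
        now=$(date +%s)
        if should_copy "$now" "$LAST_COPY" "$INTERVAL"; then
            publish "$path" "$DEST_DIR" && LAST_COPY=$now
        fi
    done
}

# Start the watcher only when invoked as "script.sh run", so the helper
# functions can also be sourced and reused on their own.
if [ "${1:-}" = "run" ]; then
    watch_loop
fi
```

Run it as `WATCH_DIR=/path/to/captures DEST_DIR=/mnt/remote/webcam ./zm-stills.sh run`; because only close_write events are watched, an image is copied once Zoneminder has finished writing it, not while it is still open.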
KeePassX 0.4.0 On CentOS 5
OS: CentOS 5.3 i386
Kernel: 2.6.18-128.1.10.el5PAE
KeePassX is a useful tool for anyone with numerous accounts, and critical for systems administration, where 20+ character passwords are changed often. These instructions will allow you to run KeePassX 0.4.0 in a CentOS 5.3 X Window environment.
1) Remove qt-devel to prevent conflicts:
2) Install required packages:
3) Add the bleeding edge ATrpms repo, then install qt44 related packages:
OR
3) Download the RPMs from ftp.pbone.net. WARNING: If you don't trust the package, don't install it, or review its contents before installing with rpm2cpio packagename | cpio -idmv.
4) Download the latest version of KeePassX from http://keepassx.sourceforge.net.
5) Verify the package's sha1sum:
6) Extract the package contents:
7) Change your directory to the keepassx-0.4.0 folder:
8) Configure and install:
After a successful installation, you will find KeePassX listed in your Gnome menu - Applications | Accessories | KeePassX.
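Steps 3 (the warning about untrusted RPMs) and 5 (verifying the sha1sum) are the supply-chain checks in this procedure, so here they are as an added example script that is not part of the original post. It assumes the tarball is named keepassx-0.4.0.tar.gz as in step 7; the expected hash is whatever the download page publishes and is passed in as an argument, never hard-coded from guesswork.

```shell
#!/bin/sh
# Added example, not from the original post.
# Verify a downloaded source tarball against its published SHA-1 before
# extracting it, and unpack an RPM payload for review without installing it.

# verify_sha1 FILE EXPECTED: succeed only when FILE's SHA-1 equals EXPECTED.
# Returns 1 on mismatch and 2 when FILE is missing. The comparison is done on
# lowercase hex so a hash copy-pasted in uppercase still matches.
verify_sha1() {
    file=$1
    expected=$(printf '%s' "$2" | tr 'A-F' 'a-f')
    [ -f "$file" ] || { echo "verify_sha1: $file: no such file" >&2; return 2; }
    actual=$(sha1sum -- "$file" | cut -d' ' -f1)
    if [ "$actual" = "$expected" ]; then
        echo "OK   $file $actual"
        return 0
    fi
    echo "FAIL $file: expected $expected, got $actual" >&2
    return 1
}

# inspect_rpm PACKAGE.rpm DIR: unpack the RPM's payload into DIR so its files
# and scripts can be read before anything is installed (the review step the
# post recommends for packages from a third-party mirror).
inspect_rpm() {
    pkg=$(cd -- "$(dirname -- "$1")" && pwd)/$(basename -- "$1")
    mkdir -p -- "$2" && ( cd -- "$2" && rpm2cpio "$pkg" | cpio -idmv )
}

# Usage: sh verify.sh keepassx-0.4.0.tar.gz <sha1 from the download page>
# The tarball is only extracted once the hash has matched.
if [ $# -eq 2 ]; then
    verify_sha1 "$1" "$2" || exit 1
    tar -xzf "$1"
fi
```

`sha1sum` comes from coreutils and `rpm2cpio`/`cpio` are the tools the post names; after `inspect_rpm some-qt44.rpm review/` you can read the unpacked files and `rpm -qp --scripts` output before deciding whether to install.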
Surveys Say: Be Concerned About Internal Threats
No surprise here: internal breaches from disgruntled employees and human stupidity are worrisome for security professionals around the world. There are so many attack vectors to consider when an individual has physical and virtual access to systems sitting on your company's LAN.
Become an Infosec Nazi, if you aren't already (for your peace of mind):
- Time to lock Administrative permissions down to core staffers (no installation privileges for end-users).
- Block Facebook, Myspace, and other social networking sites on the router.
- No USB drives/CDR/DVDR allowed on premises.
- Configure all systems to not use bluetooth and USB.
- Encrypt your vital data using Truecrypt or PGP.
- Ensure copies of encrypted vital data are in offline systems.
- Probe with Nessus/BackTrack for systems running unwanted services and unusual open ports on a regular basis.
Obama Administration To Begin 60-Day Cyber Policy Review
Most of these cyber attacks come from rival nations, which raises serious red flags. The level of sophistication and amount of brazen attacks requires considerable knowledge/funds. Cyber warfare isn't just a good science fiction plot, it's reality.
Finding and prosecuting cyber attackers is a joke. Anyone with open source tools can steal someone else's wireless connection, then hop from SSH server to SSH server around the world and perform attacks. Then they can cover their tracks (if they even care to do so) without fear of being identified.
There are so many attack vectors to consider, how can you realistically mitigate compromises internally and externally for a government workforce of millions?
SSLstrip: Padlocks and https:// Can Be Forged
Security researcher Moxie Marlinspike presented "SSLstrip" at Black Hat DC 2009. SSLstrip allows attackers to perform man-in-the-middle attacks that can be carried out from Wi-Fi networks, local area networks with a single internet access point, and onion routing networks like Tor. SSLstrip includes a proxy mode, where connections between the user and SSLstrip are displayed as being secure with a bogus padlock.
Websites that use SSL encryption would have to "encrypt everything" according to Marlinspike -- to protect against this man-in-the-middle attack. Most websites will be reluctant to do such a thing, as encrypting all content over SSL requires more powerful hardware.
I'd have to say SSLstrip will be downright scary in the hands of the wrong people. Most of today's badware is geared towards financial theft, and SSLstrip will be an effective weapon.
Shmoocon 2009: Stop Using Mangled Dictionary Words In Your Passwords
Matt Weir, a PhD student at Florida State, presented "Enough with the Insanity: Dictionary Based Rainbow Tables" at Shmoocon 2009. The dictionary based rainbow table password cracker is called drcrack, and it's based on rcrack.
The description and download for drcrack can be found at http://reusablesec.googlepages.com/drcrack.
Anyone using dictionary words or mangled variants of dictionary words should consider moving to a better password-generation method. I personally use the first letters of multiple phrases (that are significant to me) mixed with numbers and special characters.
I'm guessing the next step is to have a table of common/hot phrases, first letters of phrases and texting lingo to mangle for brute force cracking.
Sadly, I didn't attend Shmoocon 2009 - there's always next year.
Study: Data Theft And Other Cybercrime Could Cost Businesses Over $1 Trillion
Important points from the linked article:
1. Malware increased by 400 percent during 2008.
2. 80 percent of 800 companies believed the malware was for financial purposes.
3. 42 percent of companies believe laid-off employees posed the greatest risk to their data.
"This was a very insidious type of malware that was designed either to steal your data, steal your identity, steal your money, and in many cases the scale as well as the sophistication was very alarming," said McAfee CEO David DeWalt at the World Economic Forum.
The worsening economy coupled with laid-off employees (possibly disgruntled) is the scariest bit of news for CIOs. Not only do you have shrinking budgets, but now you have to worry if Joe Blow planted malware, stole source code, or made off with copies of sensitive data.
USB flash drives currently hold up to 64GB with 128GB coming by 2010. There could be a lot of pilfered data (in someone's pocket or purse) walking out the door of your business. How would you know?
Reading For The Paranoid
Most people spend their time on social networking sites during "lunch breaks." Then there are the paranoid who can't get enough computer security news and knowledge. There are so many sites out there to choose from, but these are what I read on a regular basis.
1. NetworkWorld - Constantly updated with excellent features and news articles including security. Alexa Ranking: 16,198
2. SecurityFocus - Not as much content as NetworkWorld, but a worthy #2. Alexa Ranking: 35,464
3. Dark Reading - Information for security pros with news and analysis. Alexa Ranking: 91,639
4. LiquidMatrix Security Digest - Dave Lewis and The Intern consistently post links and articles that security pros should be aware of. Alexa Ranking: 597,139
5. McAfee Avert Labs Blog - Numerous researchers blog about security.
6. SearchSecurity - Security specific information and insightful videos.
7. CGISecurity.com - Security news related to web applications.
8. Security Fix - The Washington Post's Computer Security blog with Brian Krebs.
9. Linux Security - News, advisories, and How-Tos for the Linux security community.
10. IT Security - Features, guides and whitepapers geared towards security. Alexa Ranking: 108,428
11. darknet.org.uk - In-depth ethical hacking and computer security blog.
12. Rational Survivability - Excellent blog and pretty diagrams.
13. DataLoss db - Documents known and reported data loss incidents from around the world.
