<?xml version="1.0" encoding="UTF-8"?>
<rss version="2.0"
	xmlns:content="http://purl.org/rss/1.0/modules/content/"
	xmlns:wfw="http://wellformedweb.org/CommentAPI/"
	xmlns:dc="http://purl.org/dc/elements/1.1/"
	xmlns:atom="http://www.w3.org/2005/Atom"
	xmlns:sy="http://purl.org/rss/1.0/modules/syndication/"
	xmlns:slash="http://purl.org/rss/1.0/modules/slash/"
	>

<channel>
	<title>Digital Boundary Group</title>
	<atom:link href="http://www.digitalboundary.net/wp/?feed=rss2" rel="self" type="application/rss+xml" />
	<link>http://www.digitalboundary.net/wp</link>
	<description>Tom B. is a Sr. Security Specialist and Certified Security Instructor at Digital Boundary Group. He is an avid user of Open-Source applications and is our resident expert on Open-Source Security Methodologies.</description>
	<lastBuildDate>Wed, 06 Jun 2012 13:36:08 +0000</lastBuildDate>
	<language>en</language>
	<sy:updatePeriod>hourly</sy:updatePeriod>
	<sy:updateFrequency>1</sy:updateFrequency>
	<generator>http://wordpress.org/?v=3.0.4</generator>
		<item>
		<title>Amazon AWS &#8211; Your Private Cloud</title>
		<link>http://www.digitalboundary.net/wp/?p=990</link>
		<comments>http://www.digitalboundary.net/wp/?p=990#comments</comments>
		<pubDate>Mon, 28 May 2012 13:16:16 +0000</pubDate>
		<dc:creator>Tom B.</dc:creator>
				<category><![CDATA[Crushing Packets]]></category>

		<guid isPermaLink="false">http://www.digitalboundary.net/wp/?p=990</guid>
<description><![CDATA[If you&#8217;ve never experienced Amazon Web Services, you&#8217;re missing out. Amazon AWS is a penetration tester&#8217;s nirvana. Imagine a plethora of cloud services at your fingertips, including storage, a virtual machine repository and much more. And best of all, FREE for the first year. AWS offers free-tier services at no risk. You can try [...]]]></description>
			<content:encoded><![CDATA[<p><a href="http://www.digitalboundary.net/wp/?attachment_id=991" rel="attachment wp-att-991"><img src="http://www.digitalboundary.net/wp/wp-content/uploads/awslogo.jpg" alt="" title="awslogo" width="185" height="83" class="aligncenter size-full wp-image-991" /></a></p>
<p>If you&#8217;ve never experienced Amazon Web Services, you&#8217;re missing out. Amazon AWS is a penetration tester&#8217;s nirvana. Imagine a plethora of cloud services at your fingertips, including storage, a virtual machine repository and much more. And best of all, it is FREE for the first year: AWS offers free-tier services at no risk, a try-before-you-buy arrangement. </p>
<p>AWS leverages Open Source heavily, but for those with weak stomachs Windows is available too. The range of services is extensive, from compute power for hungry applications to database, backup and storage services and web applications. There are 19 different services available in the AWS Management Console, but I&#8217;ll be honest, I have not used them all. Some are geared to enterprise markets while others translate well to smaller shops. Personally I&#8217;ve used EC2 virtual machines and S3 storage. </p>
<p><a href="http://www.digitalboundary.net/wp/?attachment_id=992" rel="attachment wp-att-992"><img src="http://www.digitalboundary.net/wp/wp-content/uploads/aws.jpg" alt="" title="aws" width="454" height="497" class="aligncenter size-full wp-image-992" /></a>    </p>
<p>I began my Amazon AWS adventure with EC2. At the time I needed a Linux host for email hosting, and I needed it yesterday. However, I wanted full console access rather than the typical control-panel business most web hosting services offer. Secondly, this was a temporary requirement of about a month, so it didn&#8217;t make sense to sign up for a lengthy contract. After doing some research, the Amazon AWS free tier was the perfect fit. I signed up and was immediately able to create a virtual machine instance from an AMI image; these are stock VM images ready for cloning. AWS offers choice and flexibility with respect to Linux flavour; however, at the time the free tier was limited to Red Hat Enterprise. If you want a custom Ubuntu AMI, you can have it, but not in the free tier. For me it didn&#8217;t matter much; I was comfortable with Red Hat. Within literally 10 minutes I had a Linux VM running in the cloud, with full SSH shell access. </p>
<p>I installed the required packages, configured everything, assigned a static IP (AWS calls it an Elastic IP), updated my DNS MX record and mail started to flow. The overall experience was refreshing and fairly easy. In the end I kept that VM instance online for a few months before moving it to its permanent home. It cost me $0 and I had fun doing it.</p>
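<p>One check worth running before an Internet-facing instance like this goes live: on EC2 the security group, not the host firewall, is the first thing between that SSH port and the rest of the Internet, and a fresh group is easy to leave open to 0.0.0.0/0. The script below is an added example, not code from the original post or from AWS; it parses the JSON shape returned by aws ec2 describe-security-groups (a constructed sample with made-up group IDs and addresses is embedded inline so it runs offline) and reports every inbound rule reachable from the whole Internet, except single ports you have deliberately exposed, such as SMTP on a mail host.</p>

```python
import json
from typing import Dict, List

# Constructed sample in the shape of `aws ec2 describe-security-groups` output.
# The group ID and the address ranges are made up for illustration.
SAMPLE_DESCRIBE_OUTPUT = json.dumps({
    "SecurityGroups": [
        {
            "GroupId": "sg-0123456789abcdef0",
            "GroupName": "mail-host",
            "IpPermissions": [
                {   # SSH open to the whole Internet: the finding we want to catch
                    "IpProtocol": "tcp", "FromPort": 22, "ToPort": 22,
                    "IpRanges": [{"CidrIp": "0.0.0.0/0"}],
                    "Ipv6Ranges": [],
                },
                {   # SMTP open to the whole Internet: expected for a mail host
                    "IpProtocol": "tcp", "FromPort": 25, "ToPort": 25,
                    "IpRanges": [{"CidrIp": "0.0.0.0/0"}],
                    "Ipv6Ranges": [{"CidrIpv6": "::/0"}],
                },
                {   # SSH restricted to one admin address: fine
                    "IpProtocol": "tcp", "FromPort": 22, "ToPort": 22,
                    "IpRanges": [{"CidrIp": "203.0.113.10/32"}],
                    "Ipv6Ranges": [],
                },
                {   # Every protocol and port from anywhere: always a finding
                    "IpProtocol": "-1",
                    "IpRanges": [{"CidrIp": "0.0.0.0/0"}],
                    "Ipv6Ranges": [],
                },
            ],
        }
    ]
})

# Source ranges that mean "anyone on the Internet".
WORLD = {"0.0.0.0/0", "::/0"}


def _rule_ports(rule: Dict) -> str:
    """Describe a rule's port span; protocol -1 means every protocol and port."""
    if rule.get("IpProtocol") == "-1":
        return "all"
    lo, hi = rule.get("FromPort"), rule.get("ToPort")
    return f"{lo}" if lo == hi else f"{lo}-{hi}"


def world_open_rules(describe_json: str, allowed_ports: List[int]) -> List[Dict]:
    """Return inbound rules reachable from any Internet address, skipping
    single-port TCP/UDP rules for ports the operator deliberately exposes."""
    findings = []
    data = json.loads(describe_json)
    for group in data["SecurityGroups"]:
        for rule in group.get("IpPermissions", []):
            cidrs = [r["CidrIp"] for r in rule.get("IpRanges", [])]
            cidrs += [r["CidrIpv6"] for r in rule.get("Ipv6Ranges", [])]
            open_cidrs = sorted(c for c in cidrs if c in WORLD)
            if not open_cidrs:
                continue
            proto = rule.get("IpProtocol")
            lo, hi = rule.get("FromPort"), rule.get("ToPort")
            # A deliberately public service is not a finding, but only when
            # the rule is exactly that one port (no ranges, no "all").
            if proto in ("tcp", "udp") and lo == hi and lo in allowed_ports:
                continue
            findings.append({
                "group": group["GroupId"],
                "protocol": proto,
                "ports": _rule_ports(rule),
                "sources": open_cidrs,
            })
    return findings


def audit_mail_host() -> List[Dict]:
    """Audit the constructed sample, treating SMTP (25) as intentionally public."""
    return world_open_rules(SAMPLE_DESCRIBE_OUTPUT, allowed_ports=[25])


if __name__ == "__main__":
    for f in audit_mail_host():
        print(f"{f['group']}: {f['protocol']}/{f['ports']} open to {', '.join(f['sources'])}")
```

<p>Against real output, feed the text of aws ec2 describe-security-groups to world_open_rules in place of the sample. SSH should be limited to the addresses you administer from, and a protocol -1 rule open to the world is a finding no matter what the host is for.</p>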
<p>Stay tuned, more Amazon goodies next time.</p>
]]></content:encoded>
			<wfw:commentRss>http://www.digitalboundary.net/wp/?feed=rss2&#038;p=990</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>Using Social Media as an Attack Vector &#8211; Part 3 of 3</title>
		<link>http://www.digitalboundary.net/wp/?p=982</link>
		<comments>http://www.digitalboundary.net/wp/?p=982#comments</comments>
		<pubDate>Wed, 16 May 2012 18:21:11 +0000</pubDate>
		<dc:creator>Tom B.</dc:creator>
				<category><![CDATA[Crushing Packets]]></category>

		<guid isPermaLink="false">http://www.digitalboundary.net/wp/?p=982</guid>
		<description><![CDATA[If you recall, in the discovery phase we identified our target, John Smith; however we also learned of a co-worker, Jane Doe. Lucky for us Jane Doe has a LinkedIn account. Therefore in the attack phase we&#8217;ll construct a spoofed LinkedIn phishing email impersonating Jane Doe. In this email we&#8217;ll request a LinkedIn connection from [...]]]></description>
			<content:encoded><![CDATA[<p>If you recall, in the discovery phase we identified our target, John Smith; however we also learned of a co-worker, Jane Doe. Lucky for us Jane Doe has a LinkedIn account. Therefore in the attack phase we&#8217;ll construct a spoofed LinkedIn phishing email impersonating Jane Doe. In this email we&#8217;ll request a LinkedIn connection from John Smith. From his office computer, John Smith accepts our fake request because he knows Jane Doe and assumes this is a legitimate connection request. By accepting, he is redirected to an exploit site targeting a web browser vulnerability. Ultimately his computer becomes infected with a custom Trojan his Anti-Virus has never seen before hence is defenseless. Our custom Trojan is instructed to connect with our computer across the Internet and viola we&#8217;ve infiltrated XYZ Corp&#8217;s network and established a beachhead. </p>
<p>This type of attack is not as farfetched as you may think. Leveraging the information provided to social media sites by legitimate users make these attacks one of the easiest and unfortunately most successful. The information is made freely available and often the level of personal information posted online would raise red flags in other social settings; but it seems because, its online users loose site of that fact and anything goes. While the majority actually utilize these social services as they were intended to be used, a fringe minority are taking advantage of people&#8217;s good will and twisting them for nefarious purposes. However, despite the risk it&#8217;s not all doom and gloom. Like it or not, Social Media is here to stay and we must learn proper etiquette to stay safe. There are ways we can protect ourselves and continue to enjoy the benefits of social media.<br />
 <strong><br />
•	Review Social Site Privacy Policy and your account privacy settings.<br />
•	Adhere to the least privilege principle.<br />
•	Think twice or even three times before posting personal details online.<br />
•	Scrutinize invitations, tweets and email messages asking for action on 3rd party web sites ~before clicking :-)<br />
•	Use common sense.</strong></p>
<p>Many don&#8217;t realize the Internet has an unlimited memory, information posted to 3rd party social web sites may be used and retained by these 3rd parties forever. In some cases once you post, you lose control over the information. It may become impossible to remove or delete. Personally, before I post personal information online, I perform the &#8220;telephone test&#8221;. It goes something like this; If I received a phone call, asking for the information I&#8217;m about to post online, would I be comfortable, providing it to the anonymous caller on the other end of the telephone? If the answer is &#8216;no&#8217; then I don&#8217;t post.</p>
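<p>The advice above to scrutinize invitations before clicking can be made mechanical. The script below is an added example, not code from the original post: it walks the HTML body of a message with Python&#8217;s standard html.parser (a constructed spoofed connection-request email is embedded inline, using reserved example domains rather than real hosts) and reports every link whose destination is not the registered domain of the brand the message claims to come from. Comparing registered domains instead of searching for the brand name as a substring is the point: a host such as www.linkedin.com.example.org contains the brand and still belongs to someone else.</p>

```python
from html.parser import HTMLParser
from typing import List, Tuple
from urllib.parse import urlparse

# Constructed sample: a connection-request email styled after LinkedIn in
# which the visible text and the real destinations disagree. The domains
# are reserved example/test names, not real hosts.
SAMPLE_EMAIL_HTML = """
<html><body>
<p>Jane Doe would like to connect with you on LinkedIn.</p>
<p><a href="http://invite-linkedin.example.net/accept?u=jsmith">Accept Jane's invitation</a></p>
<p>View Jane's profile: <a href="http://www.linkedin.com.example.org/in/janedoe">www.linkedin.com/in/janedoe</a></p>
<p><a href="https://www.linkedin.com/help">Help Center</a></p>
</body></html>
"""

# The brand the message claims to be from and its legitimate registered domain.
CLAIMED_DOMAIN = "linkedin.com"


class LinkCollector(HTMLParser):
    """Collect (href, visible text) pairs for every anchor in the body."""

    def __init__(self) -> None:
        super().__init__()
        self.links: List[Tuple[str, str]] = []
        self._href = None
        self._text: List[str] = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href") or ""
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def registered_domain(host: str) -> str:
    """Last-two-labels approximation of the registered domain. Adequate for
    .com-style names; full public-suffix handling is outside this example."""
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else host.lower()


def suspicious_links(html: str, claimed_domain: str) -> List[dict]:
    """Return links whose destination is not the claimed brand's domain."""
    parser = LinkCollector()
    parser.feed(html)
    findings = []
    for href, text in parser.links:
        host = urlparse(href).hostname or ""
        actual = registered_domain(host)
        if actual != claimed_domain:
            findings.append({"text": text, "href": href, "actual_domain": actual})
    return findings


def check_sample() -> List[dict]:
    """Run the check over the constructed email."""
    return suspicious_links(SAMPLE_EMAIL_HTML, CLAIMED_DOMAIN)


if __name__ == "__main__":
    for f in check_sample():
        print(f"'{f['text']}' -> {f['href']}  (really {f['actual_domain']})")
```

<p>Two of the three links in the sample are flagged; the genuine Help Center link passes. The same logic belongs in a mail gateway or a browser extension, and the caveat is the one in the comment: production code should consult the public suffix list rather than trusting the last two labels.</p>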
]]></content:encoded>
			<wfw:commentRss>http://www.digitalboundary.net/wp/?feed=rss2&#038;p=982</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>Using Social Media as an Attack Vector &#8211; Part 2 of 3</title>
		<link>http://www.digitalboundary.net/wp/?p=974</link>
		<comments>http://www.digitalboundary.net/wp/?p=974#comments</comments>
		<pubDate>Fri, 04 May 2012 13:54:17 +0000</pubDate>
		<dc:creator>Tom B.</dc:creator>
				<category><![CDATA[Crushing Packets]]></category>

		<guid isPermaLink="false">http://www.digitalboundary.net/wp/?p=974</guid>
<description><![CDATA[While email addresses and home addresses may not seem like much, from an attacker&#8217;s perspective it&#8217;s a great start. But before I explain the anatomy of a typical attack let&#8217;s look at what motivates would-be attackers to expend energy and resources. While motives are as diverse as there are stars in the night sky, [...]]]></description>
			<content:encoded><![CDATA[<p>While email addresses and home addresses may not seem like much, from an attackers perspective it&#8217;s a great start. But before I explain the anatomy of a typical attack let&#8217;s look at what motivates would be attackers to expend energy and resources. While motives are as diverse as there are stars in the night sky, the most common include;<br />
<strong><br />
•	identity theft<br />
•	financial gain<br />
•	corporate espionage or network penetration<br />
•	politically or state motivated agenda<br />
•	social or economic movements<br />
•	social group bragging rights</strong></p>
<p>In the short history of the Internet you can find many examples of attacks within each of these categories simply by Googling. But let me construct a typical &#8220;corporate espionage or network penetration&#8221; attack scenario. </p>
<p>There is a common misconception in corporate circles that a well protected front door shields corporate networks from targeted penetration. In my opinion nothing could be further from the truth. In this case the front door is the typical network firewall. Please don&#8217;t misunderstand me; I&#8217;m not saying firewalls are obsolete or not required. All I&#8217;m alluding to is the fact that an attacker will not waste their time at the front door precisely because it is well protected. Instead most will look at alternate corporate network entry points, which typically are not well protected and honestly are much easier targets, requiring less energy and effort to exploit. </p>
<p>Let&#8217;s assume I&#8217;m an attacker, and today&#8217;s target is Corporation XYZ. If I&#8217;m not attempting the direct approach, then what are my alternatives? Well, I could exploit badly configured web servers, but again that requires effort and may draw too much attention. Instead I&#8217;ll direct my efforts at the weakest link: corporate users. With the advent of social media and social networks, the &#8220;user&#8221; is becoming the preferred target. So, let&#8217;s look at the anatomy of a typical social engineering attack using social media.</p>
<p><a href="http://www.digitalboundary.net/wp/?attachment_id=975" rel="attachment wp-att-975"><img src="http://www.digitalboundary.net/wp/wp-content/uploads/Social-Media2.jpg" alt="" title="Social Media2" width="543" height="223" class="aligncenter size-full wp-image-975" /></a></p>
<p>A typical attack may begin by using public information published by Corporation XYZ to build a profile of the company and attempt to learn more about its employees. This involves the XYZ corporate web site and common search engines like Google, Yahoo, Bing and others. Gathered information can later be used to build credibility during the attack phase; at this point we&#8217;re simply gathering information. Let&#8217;s assume I&#8217;m interested in XYZ research and development, and my discovery phase identified the VP of R&#038;D at XYZ Corp., named John Smith. With my target in hand I can utilize legitimate tools like &#8216;Maltego&#8217; to gather more specific information about John Smith and correlate the results with Corporation XYZ. Maltego&#8217;s correlation engine will cross-harvest social networks like LinkedIn, constructing an ever more accurate profile of the target. While harvesting information and correlating a range of social media sites can be accomplished manually, tools like Maltego do it extremely quickly with virtually zero effort from the attacker. </p>
<p><a href="http://www.digitalboundary.net/wp/?attachment_id=978" rel="attachment wp-att-978"><img src="http://www.digitalboundary.net/wp/wp-content/uploads/Social-Media-3.jpg" alt="" title="Social Media 3" width="628" height="398" class="aligncenter size-full wp-image-978" /></a></p>
<p>Unfortunately, many don&#8217;t realize a disturbing characteristic of social media: the information contained within one site can be useful in attacking others. A good example is the social site &#8216;Classmates.com&#8217;. The information available at sites like Classmates.com can be used to hijack accounts at other social and non-social sites. To the detriment of many web users, web sites use password recovery or reset questions like &#8220;What high school did you attend?&#8221; or &#8220;Who was your 9th grade English teacher?&#8221; This information can often be harvested from sites like Classmates.com and used to gain access to accounts by resetting passwords. From an attacker&#8217;s perspective, imagine the value of hijacking the credibility of a high-profile Twitter account. Most followers of the hijacked account wouldn&#8217;t think twice about clicking a malware-infested link tweeted from it. Credibility significantly improves the success rate of attacks, and attackers know this well.</p>
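<p>The recovery-question weakness above has an engineering fix on the web site&#8217;s side: a reset flow that depends on nothing an attacker can harvest from a profile. The code below is an added example, not from the original post, and assumes a hypothetical site with an in-memory user store and constructed profile data; it places the knowledge-based reset beside a reset that issues a random, single-use, short-lived token, stores only the token&#8217;s hash, and delivers the token out of band to the address already on file. The optional now argument is an injectable clock for testing and is not part of a real interface.</p>

```python
import secrets
import time
from hashlib import sha256
from typing import Dict, Optional, Tuple

# Hypothetical in-memory user store with constructed profile data; the
# recovery answer stands in for what a Classmates.com-style profile reveals.
USERS: Dict[str, dict] = {
    "jsmith": {
        "password": "hunter2",
        "recovery_question": "What high school did you attend?",
        "recovery_answer": "Lincoln High",   # also public on the user's alumni profile
    }
}


# --- Weak: knowledge-based reset. Anyone who harvested the answer wins. -----
def reset_with_question(username: str, answer: str, new_password: str) -> bool:
    user = USERS.get(username)
    if user is None:
        return False
    if answer.strip().lower() != user["recovery_answer"].strip().lower():
        return False
    user["password"] = new_password
    return True


# --- Stronger: random single-use token, short lifetime, delivered out of band.
TOKEN_TTL_SECONDS = 15 * 60
# sha256(token) -> (username, expiry). Only the hash is stored, so a leaked
# table cannot be replayed, and a dict lookup keyed on the hash leaks nothing
# useful about the random token through timing.
PENDING_RESETS: Dict[str, Tuple[str, float]] = {}


def _hash_token(token: str) -> str:
    return sha256(token.encode()).hexdigest()


def request_reset(username: str, now: Optional[float] = None) -> Optional[str]:
    """Create a reset token for a known user. The returned token is what the
    site would email to the address already on file; it is never shown on the
    page, and the requester learns nothing about whether the account exists.
    `now` is an injectable clock for tests."""
    if username not in USERS:
        return None  # a real app responds identically either way
    token = secrets.token_urlsafe(32)  # 256 bits from the OS CSPRNG
    expiry = (time.time() if now is None else now) + TOKEN_TTL_SECONDS
    PENDING_RESETS[_hash_token(token)] = (username, expiry)
    return token


def reset_with_token(token: str, new_password: str, now: Optional[float] = None) -> bool:
    """Consume the token: it must exist and be unexpired, and it is removed
    on first use whether or not the reset goes through."""
    now = time.time() if now is None else now
    entry = PENDING_RESETS.pop(_hash_token(token), None)
    if entry is None:
        return False
    username, expiry = entry
    if now > expiry:
        return False
    USERS[username]["password"] = new_password
    return True


if __name__ == "__main__":
    print("question-based reset with a harvested answer:",
          reset_with_question("jsmith", "lincoln high", "attacker-chosen"))
    tok = request_reset("jsmith")
    print("token-based reset with a guessed token:", reset_with_token("guess", "x"))
    print("token-based reset with the emailed token:", reset_with_token(tok, "legit"))
```

<p>The weak path fails open to anyone holding the public answer; the token path fails closed: a guessed token, a reused token or a token older than fifteen minutes all return False. Rate limiting on the request endpoint and a uniform response whether or not the username exists round out the flow.</p>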
]]></content:encoded>
			<wfw:commentRss>http://www.digitalboundary.net/wp/?feed=rss2&#038;p=974</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>Using Social Media as an Attack Vector &#8211; Part 1 of 3</title>
		<link>http://www.digitalboundary.net/wp/?p=969</link>
		<comments>http://www.digitalboundary.net/wp/?p=969#comments</comments>
		<pubDate>Wed, 25 Apr 2012 14:10:08 +0000</pubDate>
		<dc:creator>Tom B.</dc:creator>
				<category><![CDATA[Crushing Packets]]></category>

		<guid isPermaLink="false">http://www.digitalboundary.net/wp/?p=969</guid>
<description><![CDATA[Over the last three years we have witnessed exponential growth in the use of social media like LinkedIn, Twitter and Facebook, for both personal and business use. It comes as no surprise then that during that very same time, attacks leveraging these social networking sites have increased dramatically. You may be wondering why, and how [...]]]></description>
			<content:encoded><![CDATA[<p><a href="http://www.digitalboundary.net/wp/?attachment_id=970" rel="attachment wp-att-970"><img src="http://www.digitalboundary.net/wp/wp-content/uploads/Social-Media.jpg" alt="" title="Social Media" width="416" height="283" class="aligncenter size-full wp-image-970" /></a></p>
<p>Over the last three years we have witnessed exponential growth in the use of social media like LinkedIn, Twitter and Facebook, for both personal and business use. It comes as no surprise then that during that very same time, attacks leveraging these social networking sites have increased dramatically. You may be wondering why, and how, Facebook or LinkedIn affect cyber attacks against individuals and corporations alike.</p>
<p>According to Paul Wood, a senior analyst at Symantec&#8217;s MessageLabs Intelligence, the answer is simple: &#8220;The amount of information people post to social networks like Facebook and Twitter has made it much easier to social engineer people into thinking a link or message is legitimate.&#8221; The fundamental problem with online social networks is that they have no built-in authentication system to verify that someone is indeed who they say they are. An attacker can create a free profile on a site like LinkedIn, Twitter or Facebook and design that profile to match the personal or business interests of its target. If the target accepts the attacker as a connection or friend, the attacker gains access to the target&#8217;s social network, including contacts, contact information and personal information related to each connection.</p>
<p>If you&#8217;re skeptical of Mr. Wood&#8217;s claim, unfortunately one does not have to search far and wide for a practical real-world example. In a recent study published by the University of British Columbia&#8217;s Vancouver campus concerning the potential hazards of social networks, researchers were able to collect over 250GB worth of personal information. The team created 102 social bots (Wikipedia defines bots as software applications that run automated repetitive tasks over the Internet; typically, bots perform these tasks at an incredible rate, much faster than is possible for a human alone, and are perfectly adapted to massive information gathering). The bots took on the names and pictures of fictitious Facebook users, impersonated real users with regular status updates, and were released into the Facebook network. Each bot proceeded to build a sizable friend network by first sending connection requests to a randomly selected list of 5,000 profiles, and continuing with new connection requests to the friends of those who accepted the initial invitation. In total, over the course of the eight-week project the researchers were able to obtain over 46,500 email addresses and 14,500 home addresses.</p>
]]></content:encoded>
			<wfw:commentRss>http://www.digitalboundary.net/wp/?feed=rss2&#038;p=969</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>Dark Side of Frameworks and Libraries</title>
		<link>http://www.digitalboundary.net/wp/?p=943</link>
		<comments>http://www.digitalboundary.net/wp/?p=943#comments</comments>
		<pubDate>Thu, 12 Apr 2012 18:24:45 +0000</pubDate>
		<dc:creator>Tom B.</dc:creator>
				<category><![CDATA[Crushing Packets]]></category>

		<guid isPermaLink="false">http://www.digitalboundary.net/wp/?p=943</guid>
		<description><![CDATA[A recent study published by Aspect Security and Sonatype suggests 80% of the code in today&#8217;s in-house software comes from frameworks and libraries. I&#8217;m not a developer myself, but judging from what I&#8217;ve seen in IT circles and water cooler chats with resident developers over the years, I wouldn&#8217;t be surprised. Study researchers analyzed over [...]]]></description>
			<content:encoded><![CDATA[<p><a href="http://www.digitalboundary.net/wp/?attachment_id=944" rel="attachment wp-att-944"><img src="http://www.digitalboundary.net/wp/wp-content/uploads/soft_dev.jpg" alt="" title="soft_dev" width="336" height="307" class="aligncenter size-full wp-image-944" /></a></p>
<p>A recent study published by Aspect Security and Sonatype suggests 80% of the code in today&#8217;s in-house software comes from frameworks and libraries. I&#8217;m not a developer myself, but judging from what I&#8217;ve seen in IT circles and water cooler chats with resident developers over the years, I wouldn&#8217;t be surprised. </p>
<p>Study researchers analyzed over 113 million downloads by more than 60,000 commercial, government and non-profit organizations and reported some interesting results. The study claims over 50% of Fortune 500 corporations have vulnerabilities in software developed in-house, because that software typically pulls in open source libraries and frameworks to decrease development time. The results also suggest that 37 percent of all versions of 31 top components contained a CVE or OSVDB vulnerability, and that popular components are only 10 percent less likely to have vulnerabilities than less popular ones. While the survey was limited to 2,550 developers (a small sample), it claims that only 32 percent of organizations &#8220;maintain an inventory of the dependencies in their production applications, complicating issue resolution when a new vulnerability is discovered.&#8221; The study&#8217;s publishers concluded: &#8220;The risk of vulnerabilities in these components is widely ignored and under appreciated.&#8221;</p>
<p>Sometimes the perception is that Open Source software is of higher quality simply because of the &#8220;many eyeballs&#8221; effect (more eyes looking at the source code). Studies like this burst that bubble and serve as a wake-up call. Open Source software should not be treated any differently from commercial software, mainly because, Open Source or not, it is all written by humans. Automated updates may not be as easy as with commercial software, so administrators who decide to use Open Source should implement a maintenance strategy, and the corporate software policy should reflect that too. A maintenance strategy starts with the inventory the study found most organizations lack: you cannot patch a vulnerable library you do not know you ship.</p>
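<p>The figure that only 32 percent of organizations keep a dependency inventory is the actionable part of the study: without one, nobody can say whether a newly published advisory applies. The script below is an added example, not from the study or the original post; it builds an inventory from a constructed requirements.txt-style manifest and matches it against a constructed advisory list whose component names, versions and notes are made up for illustration and are not real CVE or OSVDB entries. The same shape of check, fed by a real advisory feed, belongs in the maintenance strategy described above and should run on every build.</p>

```python
import re
from typing import Dict, List, Tuple

# Constructed manifest in requirements.txt style; names and versions are illustrative.
MANIFEST = """
# web stack
webframework==2.3.1
templating==1.8.0
httpclient==0.9.4   # pinned ages ago
xmlparser==3.1.0
"""

# Constructed advisory list: (component, first affected, first fixed, note).
# These are NOT real advisories; they stand in for a CVE/OSVDB feed.
ADVISORIES: List[Tuple[str, str, str, str]] = [
    ("httpclient", "0.0.0", "0.9.5", "illustrative: header injection"),
    ("xmlparser", "3.0.0", "3.1.2", "illustrative: entity expansion DoS"),
    ("templating", "1.9.0", "1.9.3", "illustrative: sandbox escape"),
]

Version = Tuple[int, ...]


def parse_version(text: str) -> Version:
    """Turn '1.8.0' into (1, 8, 0) so tuples compare numerically, not as strings."""
    return tuple(int(n) for n in re.findall(r"\d+", text))


def parse_manifest(text: str) -> Dict[str, Version]:
    """Inventory of exact pins. Lines without an exact '==' pin are skipped:
    an inventory that cannot name the version cannot be matched to an advisory."""
    inventory: Dict[str, Version] = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()   # drop trailing comments
        if not line:
            continue
        m = re.match(r"^([A-Za-z0-9_.\-]+)==([0-9][0-9A-Za-z.\-]*)$", line)
        if m:
            inventory[m.group(1).lower()] = parse_version(m.group(2))
    return inventory


def unpinned_lines(text: str) -> List[str]:
    """Component lines that lack an exact pin and therefore escape the inventory."""
    out = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if line and "==" not in line:
            out.append(line)
    return out


def vulnerable_components(inventory: Dict[str, Version]) -> List[dict]:
    """Match pinned versions against half-open [first_affected, first_fixed) ranges."""
    hits = []
    for name, first_affected, first_fixed, note in ADVISORIES:
        v = inventory.get(name)
        if v is None:
            continue
        if parse_version(first_affected) <= v < parse_version(first_fixed):
            hits.append({"component": name, "version": ".".join(map(str, v)),
                         "fixed_in": first_fixed, "note": note})
    return hits


def audit_manifest(text: str = MANIFEST) -> List[dict]:
    """Inventory the manifest and report components inside an advisory range."""
    return vulnerable_components(parse_manifest(text))


if __name__ == "__main__":
    for h in audit_manifest():
        print(f"{h['component']} {h['version']}: {h['note']} (upgrade to {h['fixed_in']})")
    for line in unpinned_lines(MANIFEST):
        print(f"not inventoried (no exact pin): {line}")
```

<p>On the sample, httpclient and xmlparser fall inside an advisory range while templating sits below its affected range and passes. Numeric tuple comparison matters: comparing version strings would rank "0.9.10" below "0.9.5".</p>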
<p>If you&#8217;re interested in a copy, you may request the study <a href="https://www.aspectsecurity.com/blog/the-unfortunate-reality-of-insecure-libraries/">here</a>.</p>
]]></content:encoded>
			<wfw:commentRss>http://www.digitalboundary.net/wp/?feed=rss2&#038;p=943</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>Raspberry Pi &#8211; Hackers Rejoice!</title>
		<link>http://www.digitalboundary.net/wp/?p=930</link>
		<comments>http://www.digitalboundary.net/wp/?p=930#comments</comments>
		<pubDate>Tue, 03 Apr 2012 18:07:29 +0000</pubDate>
		<dc:creator>Tom B.</dc:creator>
				<category><![CDATA[Open Source Tools]]></category>

		<guid isPermaLink="false">http://www.digitalboundary.net/wp/?p=930</guid>
		<description><![CDATA[The Raspberry Pi phenomenon has taken everyone by surprise especially its creators at the Raspberry Pi Project. Raspberry Pi hasn&#8217;t shipped yet and already demand has outstripped supply. Raspberry Pi is a $35 computer primarily designed to encourage young people and children into Computer Science and programming career paths. While I agree with their mission, [...]]]></description>
			<content:encoded><![CDATA[<p><a href="http://www.digitalboundary.net/wp/?attachment_id=931" rel="attachment wp-att-931"><img src="http://www.digitalboundary.net/wp/wp-content/uploads/Raspberry-pi.jpg" alt="" title="Raspberry-pi" width="300" height="187" class="aligncenter size-full wp-image-931" /></a></p>
<p>The Raspberry Pi phenomenon has taken everyone by surprise, especially its creators at the Raspberry Pi Project. Raspberry Pi hasn&#8217;t shipped yet and already demand has outstripped supply. Raspberry Pi is a $35 computer primarily designed to encourage young people and children into Computer Science and programming career paths. I agree with their mission: the younger generation has to get involved with technology and move past the latest Xbox 360 or PlayStation 3 bloodbath games. Technology, to them, has become second nature and is mostly taken for granted, which to me is sad. What has been lost is the fascination that my generation had with the first computers in the early 80s. If I think back to the days of the Timex Sinclair, Tandy, VIC-20, Atari and Coleco, I remember the emotional connection and absolute amazement these devices lit inside me and countless others. The Raspberry Pi project is attempting to bring back that lost nostalgia and emotional attachment, that feeling of wonder and the idea that anything is possible.</p>
<p>However, I suspect most individuals on the waiting list for one of these devices are 1980s nostalgists (like myself) or clever hackers at heart. The size of the Raspberry Pi makes it a perfect hacking tool. Given its peripheral connections (i.e. Ethernet) and low power consumption, I predict the Raspberry Pi will pop up in all sorts of places. Seneca College developed a custom Fedora Remix Linux distribution for it, which should open up a whole range of possibilities including network traffic capture, port scanners, network sensors and rogue remote access gateways, to name just a few. Think about it: install an SSH server, configure a reverse connection, and voilà, you have instant access to any network at any time. What about host enumeration through ping sweeps and port scans? With nmap you have an awesome network discovery tool. Of course the Raspberry Pi will also be used by the good guys (that&#8217;s my plan) to build Snort sensors for detecting anomalous activity. The success or failure of the Raspberry Pi&#8217;s mission to inspire younger generations is hard to predict; however, its popularity in hacker circles is already clear. </p>
<p>Raspberry Pi hasn&#8217;t shipped yet; it&#8217;s had numerous delays. We&#8217;re told it will ship in April or May of this year. While I&#8217;d love to be one of the first to try it, I&#8217;m holding out for the 2nd production run, which we&#8217;re told will include a case. Whatever you may think of Raspberry Pi, it is another awesome example of Open Source and Linux working together to bring good things to life.</p>
]]></content:encoded>
			<wfw:commentRss>http://www.digitalboundary.net/wp/?feed=rss2&#038;p=930</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>Open Source in the Enterprise</title>
		<link>http://www.digitalboundary.net/wp/?p=917</link>
		<comments>http://www.digitalboundary.net/wp/?p=917#comments</comments>
		<pubDate>Fri, 23 Mar 2012 17:40:49 +0000</pubDate>
		<dc:creator>Tom B.</dc:creator>
				<category><![CDATA[Benefits of Open Source]]></category>

		<guid isPermaLink="false">http://www.digitalboundary.net/wp/?p=917</guid>
		<description><![CDATA[In the last few years Open Source usage as reported by various surveys has really skyrocketed. We all know Linux in the data center has high usage, I&#8217;ve even seen statistics that claim 32% of netbooks use FOSS vs. Windows. And I&#8217;ve even read claims that Linux desktop domination is only a few years away. [...]]]></description>
			<content:encoded><![CDATA[<p>In the last few years Open Source usage as reported by various surveys has really skyrocketed. We all know Linux in the data center has high usage, I&#8217;ve even seen statistics that claim 32% of netbooks use FOSS vs. Windows. And I&#8217;ve even read claims that Linux desktop domination is only a few years away. Of course I take these claims with a very large grain of salt. However you accept or dismiss these claims, one thing is certain; Open Source offers significant benefits to companies of all sizes. The problem that I see is most companies do not have an Open Source strategy.</p>
<p>Recently <a href="http://www.eweek.com/c/a/Linux-and-Open-Source/Six-OpenSource-Recommendations-Every-Enterprise-Should-Know-in-2012-498866/?kc=EWKNLCLD03222012STR1">eWeek</a> published an article where they outlined 6 recommendations for Open Source adoption in business.</p>
<p><strong>1. Develop an Open Source Software Policy</strong></p>
<p>It has been my experience that most companies have buried their heads in the sand and fail to acknowledge the existence of Open Source. Before anything can be incorporated into the corporate culture a policy must be in place that outlines the usage and limitations. Just like your Email, Internet Usage or Social Media policy outlines acceptable behaviour an official Open Source Policy has to be in place describing acceptable use of Open Source in your company.</p>
<p><strong>2. Place Open Source on Equal footing with Proprietary Software</strong></p>
<p>Open Source has gotten a bad rap over the years. It was, and continues to be, treated as the poor cousin of commercial software. This is driven by misconceptions, negative stereotypes and ignorance. In many ways Open Source code quality is as good as, and in some cases better and more secure than, proprietary closed software. Until Open Source is treated equally with proprietary software it will never be accepted in the Enterprise; there will always be a seed of doubt, a nagging feeling wondering whether Open Source is good, trustworthy or reliable.</p>
<p><strong>3. Develop an Open Source Software Support Approach</strong></p>
<p>Paid maintenance and support for proprietary software is assumed and seldom questioned; it&#8217;s part of the cost of doing business. Why then is it so hard to pay for Open Source support? Most Open Source projects offer commercial support for their offerings, yet few of us actually buy in. It may have to do with the history of Open Source and the idea of &#8220;<strong>Free</strong>&#8221;. If software maintenance and support is part of doing business, then Open Source support should not be treated differently. Paid Open Source support can significantly reduce the anxiety of using and relying on Open Source for critical business processes.</p>
<p><strong>4. Create an ROI Framework for Open Source Adoption</strong></p>
<p>Convincing senior management of the merits of Open Source can&#8217;t be driven by cost alone. Anyone who believes Open Source comes with zero cost has no clue and should be ignored. While there may be no initial purchase cost associated with Open Source, there are always hidden costs, as with any other new technology. These may include user training, IT support training and hardware upgrade costs, to name just a few. Many companies make the mistake of simply looking at the bottom line when choosing Open Source. The best approach to the adoption decision is to calculate the Return On Investment: when deciding between Open Source and proprietary, calculate the total benefit to the company over a period of time and compare. Higher benefit equals higher ROI.</p>
<p><strong>5. Audit Current Open Source Software Usage</strong></p>
<p>The first step is acknowledging that Open Source is alive and well in your business processes. It&#8217;s amazing how some levels of management have no clue their critical business processes are using Open Source. A company-wide initiative to uncover and document all uses of Open Source will, first, help in acknowledging that Open Source is alive and well, and secondly help build a company strategy on the use and adoption of Open Source.</p>
<p><strong>6. Incorporate Open Source Software into your Cloud Strategy</strong></p>
<p>Everyone is talking Cloud these days. Most cloud frameworks are built upon Open Source. Amazon is a perfect example. The inherent nature of Open Source makes it a perfect candidate for Cloud integration.  The major Open Source players have well established Cloud solutions, don&#8217;t ignore them, instead embrace their cumulative knowledge when building your cloud strategy.</p>
]]></content:encoded>
			<wfw:commentRss>http://www.digitalboundary.net/wp/?feed=rss2&#038;p=917</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>Google Chrome has Fallen!</title>
		<link>http://www.digitalboundary.net/wp/?p=903</link>
		<comments>http://www.digitalboundary.net/wp/?p=903#comments</comments>
		<pubDate>Fri, 09 Mar 2012 21:30:18 +0000</pubDate>
		<dc:creator>Tom B.</dc:creator>
				<category><![CDATA[Crushing Packets]]></category>

		<guid isPermaLink="false">http://www.digitalboundary.net/wp/?p=903</guid>
<description><![CDATA[As you may have heard, the Chrome browser has been compromised at Pwn2Own this year. When it happened I swear I felt the earth shake just a bit :-) But seriously, why is this such big news that everyone (including myself) is writing about it? Who knows. But I suspect, often we seem to work [...]]]></description>
			<content:encoded><![CDATA[<p><a href="http://www.digitalboundary.net/wp/?attachment_id=904" rel="attachment wp-att-904"><img src="http://www.digitalboundary.net/wp/wp-content/uploads/chrome_image.jpg" alt="" title="chrome_image" width="228" height="218" class="aligncenter size-full wp-image-904" /></a></p>
<p>As you may have heard, the Chrome browser has been compromised at Pwn2Own this year. When it happened I swear I felt the earth shake just a bit :-)</p>
<p>But seriously, why is this such big news that everyone (including myself) is writing about it? Who knows. But I suspect we often seem to work ourselves into a frenzy because we&#8217;ve placed an object (in this case Google Chrome) on a high pedestal. Why? Simply because we can, and this is the first time Chrome was compromised in the 5 years Pwn2Own has existed. With such a good track record most believed Chrome was invincible. But why? Chrome is software written by humans, who are fallible; we make mistakes. </p>
<p>We should know better; nothing is invincible. Vendors can play marketing games and toot their horns, but the honest truth, which no vendor will ever say to your face, is that all software is fallible. I would think that after so many years we would finally have figured it out on our own (marketing hype aside) and set realistic expectations and processes in place to mitigate security risks. </p>
<p>Fortunately Chrome has already patched some of the exploits recently announced. And that is great, but what worries me are the other unknown zero day exploits currently compromising our machines that we don&#8217;t even know about. So how do we protect ourselves? I think the best answer is common sense. No, really, common sense. If you visit sites with questionable content you&#8217;re asking for trouble. If you don&#8217;t utilize sensible best practices to keep your identity secure, or don&#8217;t care about proper password etiquette, then no security tools can help you. Doesn&#8217;t matter how you cut it, everything comes back to the user. Unfortunately, the user is always the weakest link in the chain. </p>
]]></content:encoded>
			<wfw:commentRss>http://www.digitalboundary.net/wp/?feed=rss2&#038;p=903</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>Vyatta 6.3 ~ What&#8217;s Up?</title>
		<link>http://www.digitalboundary.net/wp/?p=894</link>
		<comments>http://www.digitalboundary.net/wp/?p=894#comments</comments>
		<pubDate>Wed, 29 Feb 2012 15:59:09 +0000</pubDate>
		<dc:creator>Tom B.</dc:creator>
				<category><![CDATA[Crushing Packets]]></category>

		<guid isPermaLink="false">http://www.digitalboundary.net/wp/?p=894</guid>
		<description><![CDATA[With the 6.3 update to my favourite Open Source firewall, the folks behind Vyatta announced a significant change affecting the Community &#8216;Core&#8216; Edition. Unfortunately the decision has been made to remove the GUI interface, leaving Vyatta Core enthusiasts with one choice &#8216;CLI&#8216; command line interface. Vyatta brass has defended their decision as strictly technical, while [...]]]></description>
			<content:encoded><![CDATA[<p><a href="http://www.digitalboundary.net/wp/?attachment_id=471" rel="attachment wp-att-471"><img src="http://www.digitalboundary.net/wp/wp-content/uploads/VyattaCore6.3.jpg" alt="" title="VyattaCore6.3" width="261" height="191" class="aligncenter size-full wp-image-471" /></a></p>
<p>With the 6.3 update to my favourite Open Source firewall, the folks behind Vyatta announced a significant change affecting the Community &#8216;<strong>Core</strong>&#8217; Edition. Unfortunately the decision has been made to remove the GUI interface, leaving Vyatta Core enthusiasts with one choice: the &#8216;<strong>CLI</strong>&#8217; command line interface. Vyatta brass has defended their decision as strictly technical, while others are crying foul and pointing the finger at corporate greed. While I&#8217;ve read many forum posts on the matter, I have to be honest, I&#8217;m still on the fence. While I understand Vyatta is still very much a Start-up looking to increase revenue, I can&#8217;t help but wonder if they&#8217;ve alienated the community by stripping a popular feature.</p>
<p>Of course I&#8217;m disappointed with this change, but let&#8217;s look at it from Vyatta&#8217;s point of view. Competing with Free, as in no cost, is challenging at the best of times. Growing revenue requires differentiation, otherwise why bother. If you were in the market for a firewall and had to choose between <strong>Buy</strong> or get <strong>Free</strong>, which road would you choose? I believe Vyatta executives have struggled with this dilemma since day one. How do we convince potential customers to spend money rather than download for free? Sure, Open Source pundits would point to &#8216;Support&#8217;, but honestly I think that&#8217;s a tough sell. In the end it all comes down to funding. To be successful Vyatta has to evolve, and as hard as this may be for Open Source, a business model is the foundation for any company. If you don&#8217;t have one, then your days are numbered. Remember the &#8216;<strong>dot com</strong>&#8217; bubble in 2000/2001? </p>
<p>What about impact? Hard to predict how things will play out, but for me the immediate impact is I&#8217;m holding off on upgrading to 6.3. The Open Source training course I developed uses Vyatta Core and currently my VMs are running Vyatta 6.2. I was planning an upgrade to 6.3 but have since decided to continue using 6.2 a while longer. Many students comment on the unique and easy Vyatta GUI interface and I don&#8217;t want to disappoint. I suspect many will or already have made a similar decision to stick with Vyatta 6.2 in the interim. </p>
<p>Predictions for Vyatta: I think the platform will continue to gain traction in the &#8216;<strong>Cloud</strong>&#8217; business. I see the Vyatta appliance business disappearing as everything moves to software or VM delivery. Who knows, we may even see Vyatta swallowed whole by a competitor if it threatens their market share?</p>
<p>In the end, putting aside all the Open Source Community politics, I prefer a world with Vyatta than without because I believe it&#8217;s a fantastic product. If that means losing some functionality, so be it.</p>
]]></content:encoded>
			<wfw:commentRss>http://www.digitalboundary.net/wp/?feed=rss2&#038;p=894</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>UFW &#8211; Uncomplicated Firewall Primer Part Deux</title>
		<link>http://www.digitalboundary.net/wp/?p=876</link>
		<comments>http://www.digitalboundary.net/wp/?p=876#comments</comments>
		<pubDate>Tue, 14 Feb 2012 21:19:40 +0000</pubDate>
		<dc:creator>Tom B.</dc:creator>
				<category><![CDATA[Open Source Firewalls]]></category>

		<guid isPermaLink="false">http://www.digitalboundary.net/wp/?p=876</guid>
		<description><![CDATA[A Netbook is a handy piece of tech when travelling. Of course these days with iPad and friends, Netbooks are collecting dust. However, I still have an Ubuntu Netbook I take on road trips now and again. Enjoying public Wi-Fi, or my kids favourite activity; watching movies is the perfect use for these tiny portable [...]]]></description>
<content:encoded><![CDATA[<p>A Netbook is a handy piece of tech when travelling. Of course these days, with iPad and friends, Netbooks are collecting dust. However, I still have an Ubuntu Netbook I take on road trips now and again. Enjoying public Wi-Fi, or my kids&#8217; favourite activity, watching movies, is the perfect use for these tiny portable computers, and you can&#8217;t beat the battery life. With Ubuntu on board, connecting to public Wi-Fi couldn&#8217;t be safer (relatively speaking), and with <strong>ufw</strong> built-in I can easily turn &#8216;<strong>ON</strong>&#8217; the firewall and disappear on the network. When active, the &#8216;<strong>ufw</strong>&#8217; default behaviour will block all inbound traffic on the external interface minus ICMP, but more on that later. Let&#8217;s look at a few simple scenarios:</p>
<p>Protecting yourself while using Public Wi-Fi: <strong>$ sudo ufw enable</strong></p>
<p>Sharing Windows files or printers among friends or other hosts on the same Public network. According to Microsoft the following ports should be open for proper SMB and NetBIOS communication:<br />
<strong>$ sudo ufw allow 135/tcp<br />
$ sudo ufw allow 136/tcp<br />
$ sudo ufw allow 137/tcp<br />
$ sudo ufw allow 138/tcp<br />
$ sudo ufw allow 139/tcp<br />
$ sudo ufw allow 135/udp<br />
$ sudo ufw allow 136/udp<br />
$ sudo ufw allow 137/udp<br />
$ sudo ufw allow 138/udp<br />
$ sudo ufw allow 139/udp<br />
$ sudo ufw allow 445/tcp</strong></p>
<p>However, I would not recommend opening these ports when connected to Public networks, especially TCP 445 (<strong>Admin$ Share</strong>). Instead, if you and your buddy are connected to the same Public network, create a more specific rule granting your friend full access by specifying their IP address.</p>
<p>Create ufw exception by IP address: <strong>$ sudo ufw allow from 192.168.1.1</strong></p>
<p>However, at times you may not fully trust your friend and only want them accessing one specific port: <strong>$ sudo ufw allow from 192.168.1.1 to any port 139</strong></p>
<p>The uncomplicated firewall is easy to manipulate. However, you must remember to apply restrictive/specific rules before more generic ones. Don&#8217;t forget that all rules are applied in a top-down fashion, so the first rule that matches a packet decides its fate. Let me give you an example:</p>
<p>You&#8217;ve got a great hack and wish to test it at the local Public Wi-Fi hotspot, but you don&#8217;t want your friend falling victim. Given what I said above, this can be accomplished with two rules: first a restrictive rule, followed by a more generic one. First (deny) your friend&#8217;s IP address, blocking them from your hack, and second a more general allow rule granting access from any other host IP. </p>
<p><strong>$ sudo ufw deny from 192.168.1.100 to any port 666<br />
$ sudo ufw allow from 192.168.1.0/24 to any port 666</strong></p>
]]></content:encoded>
			<wfw:commentRss>http://www.digitalboundary.net/wp/?feed=rss2&#038;p=876</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
	</channel>
</rss>
