What’s phishing? Wikipedia has a really detailed explanation of this very word, so I’ll save myself from explaining it too much. To me, phishing is a method that hackers use to trick people into entering their sensitive credentials onto a fake website made to look like a real one; after the victims have been tricked, the hackers usually get what they were after, such as a bank password.
Why am I talking about phishing? Well, in this post I’m not trying to talk about phishing in general, because there are countless phishing attacks that hackers know and use. Nonetheless, most phishing attacks depend on a user’s carelessness from the start; one example would be an email claiming to be from a bank, with a malicious link that leads to a fake website made to look like the real bank website.
Even worse, there is a new phishing attack that uses JavaScript in your browser somehow, and then changes a legitimate website into a fake one when you’re not looking. When a user has more than one browser tab open, malicious JavaScript automatically changes one of the tabs into a fake website made to look like a real one, such as Gmail, and combined with other attacks layered on top of this very dirty phishing attack, a user can be tricked into giving out his or her sensitive credentials.
All phishing attacks that hackers use are the stuff of nightmares, and this one is no different. This is why I love to use Firefox with the NoScript plugin. This plugin has worked wonders for me, as it stops all JavaScript from running unless you allow a certain portion of a website to do so. To end this post with a doubt: I could be very wrong about how this phishing attack works its dirty magic, because I only got to know this scary phishing attack from reading about it here. Feel free to correct me on my lack of understanding of this phishing attack, and don’t go try this, or else you’ll be in a world of hurt, as in being locked up by the FBI or whatever enforcers go after hackers.
A New Type of Phishing Attack from Aza Raskin on Vimeo.
Don’t take my word for this, but you need to watch this video to see how dangerous it is for you to surf the web, take care of important things such as online banking, and do all of those urgent things over a wireless connection (safer at home, but not hacker proof) or through public Wi-Fi (Internet connection from coffee shops, etc.). Although the technical jargon could throw you into la-la land where everything seems impossible to understand and so far away, don’t worry, I’m here to make things a little easier to understand for you (believe me, I had to look some of those technical terms and concepts up many times before).
Here is the deal! Someone at a public spot with evil intentions could own you by redirecting you to whatever website he or she wants. This means that if you try to visit a bank from a public location using a public Internet connection, someone evil could create a fake look-alike bank website beforehand, and whenever you request that specific bank’s IP address (website address, URL), the evildoer could redirect you to the fake bank website. Whatever you type into the fake bank website, the evildoer could then capture for later perusal.
There are many methods by which an evildoer could set up a trap like this. Here we talk about DHCP exhaustion followed by a man-in-the-middle attack to own the Internet traffic. What’s DHCP exhaustion? Basically, it’s a way for an evildoer to request from a gateway (router) not one but many IP addresses, to the point that there are no more IP addresses to give out to the next computer user. Most if not all routers can provide a DHCP server, where the router gives out local IP addresses (192.168.x.x) to the computers; by receiving a local IP address from the router (access point, gateway, etc.), a computer is able to access the network and browse the Internet. So why would an evildoer want to max out the local IP addresses that a router (gateway, access point) can give? In doing so, the router cannot reserve any open spot for a computer user who now wants to get onto the Internet but cannot, since no local IP address is available to give out. At the same time, the evildoer fires up his own DHCP software/hardware (rogue router, rogue access point, rogue gateway) to intercept your computer’s local network request, and eventually the evildoer lets you use his or her DHCP server to surf the web, which means the evildoer can redirect you anywhere on the web he or she wants.
Obviously, to carry out such an attack one requires the necessary tools, but there is no doubt that crackers (hackers, a more popular but lazy term) always equip themselves with evil tools that rock your world. Why are a home network and an office network safer? It’s because strangers need an access key to get onto your network; otherwise it’s a no go for strangers who want to hack you. Having said that, it’s not the complete truth. Why? You know those crackers love to mess with your wireless connection, and trust me, they have the tools to break into your network; it’s not easy, but it’s not impossible. To be even more secure, you could use an Ethernet connection at home, turn off the DHCP server capability in your router, and use only static local IP addresses. Still, even then, if you’re not careful and not updating your router’s firmware to the latest version, a cracker could still exploit a security hole in the old firmware to eventually break into your network. Also, don’t ever forget to change the router’s admin user name to something that cannot be guessed easily, and the password for the router’s admin account has to be strong too. Other router security options that make a cracker’s life a little harder: disabling UPnP, only allowing known computers’ physical addresses (MAC addresses) to access the router and the Internet, turning on HTTPS-only web access for the admin interface, and blocking known bad websites that could infect your network with trojans, viruses and worms.
Check out the technology video, which talks about DHCP exhaustion and DNS man-in-the-middle attacks, after the break!
Another bad day for Microsoft. Fingers are pointing at China for the recent attacks on Google’s network and other major networks, but the attacks were possible because all versions of IE were vulnerable. Microsoft is hard at work patching the browsers. Since the patch is not yet available for IE, the German government warns the country’s citizens not to use IE, for fear that other hackers may try the same trick. Aren’t we glad we have alternative browsers? Here are a few of them that you could try if you wish!
- Firefox
- Opera
- Safari
- Gnome
I know there are more browsers than the ones listed above, but I’m not so sure about those browsers’ security measures. At the very least, Firefox, Opera, Safari and Gnome are browsers known for better security than Microsoft’s IE. To be fair, it’s a given that Microsoft’s IE is less secure because a large portion of people in the world use IE; this leads hackers to target IE more than any other browser. Source.
Another bad day for Twitter? News spread across the Internet that earlier, people woke up to Twitter and couldn’t use the website. Instead, people saw the Twitter website defaced by hackers who called themselves the “Iranian Cyber Army.” Here is a screenshot that can be found on BusinessInsider as proof. We all know how hard Twitter works at fighting this type of attack, but it’s unfortunate that Twitter is still helpless against hackers. More.
As I had warned my readers in a couple of past posts about the danger of cloud computing, it has great potential for hacking. I wasn’t wrong! A malicious botnet was discovered within Amazon’s EC2 (cloud computing), and if it had not been exposed, it could have helped hackers steal countless logins, passwords, account numbers, credit cards and other highly sensitive information such as banking details. You could say it’s a dangerous business for all of us to pool our personal and highly confidential information together in one area, because hackers love that. Look at the Internet: it’s basically a focal point for everyone to gather for all sorts of things, and it’s also a focal point for hackers to target. The rule is simple: hackers like to target massive concentrations of anything that may lead to some type of monetary reward. Microsoft’s Windows was and still is the favorite target over Linux for hackers.
It doesn’t take a genius or a rocket scientist to figure out that the next big thing for hackers is cloud computing. Cloud computing isn’t new, because Gmail has been around for quite a long time (the same with Yahoo’s email), and it’s one form of cloud computing, but Gmail is somewhat more secure than the cloud computing form of Amazon’s EC2, because hackers cannot pretend to be a good guy by uploading malicious system images into the cloud to be used as instances for launching new servers. Further details of the hack are not clear, unless you’re the hacker who hacked EC2 yourself. Luckily, Amazon says they have removed the malicious botnet, known as Zeus, but how many more are there that aren’t yet discovered? Source.
Within 12 hours, 8 men were able to rob about $9 million from ATMs. The men were caught because of their carelessness in not covering their tracks on the card-processing network. Nonetheless, these men were able to bypass the encryption that the ATMs used, and so they were able to cash out millions of dollars. The 8 men could face heavy fines and a heck of a lot of time in prison. Source.
Ubuntu’s default settings should be secure, but if you are paranoid about your system’s security, you can fine-tune your Ubuntu even more. In this post, I will show you how to improve your Ubuntu’s security by adding extra software and modifying some of Ubuntu’s default settings. Let’s get started!
It’s important to stop and permanently deactivate the services that you do not need. On Ubuntu 9.10, you need to install Boot Up Manager before you can deactivate running services. In a terminal (shell), type the command [sudo aptitude install bum]; if you typed [sudo -i] beforehand, leave out [sudo] from that command, because sudo -i makes you root. Next, go to System > Administration > BootUp-Manager, pick the services that you do not need and deactivate them by removing the check marks next to the running services. For me, I prefer to deactivate:
- Tool to report program crashes (apport)
- Scanner services (saned)
- Fast remote file copy program (rsync)
- Discover services and hosts on a local network (avahi-daemon)
- Runs system housekeeping chores on specified dates/times (cron)
- Manages print jobs (cups)
- Common interface to speech synthesizers (speech-dispatcher)
- Enables scheduling of jobs (atd)
There are some services that you cannot deactivate, because they are essential to your system’s stability. This is why you must know what each service does before you decide to deactivate or activate it. It’s simple, really: the fewer services you are running on your system, the better it is in terms of security. Why? Some services may open extra network ports, and the more open ports your computer has, the more ways there are for hackers to sneak into your system.
Sometimes you want to run a service locally, but you know that the service will open a port. You fear that an open port will lead to insecurity, and so you want to do something about it. This is easy! You need a firewall, really! On Ubuntu, go to Applications > Accessories > Terminal, type sudo -i, and type aptitude install guarddog. If you type this command into a terminal as root or as a sudo user, Aptitude will install the Guarddog firewall onto your Ubuntu system. Now you need to open Guarddog and configure it. To do this, in the terminal, as root or a sudo user, type guarddog. Guarddog’s interface will launch, and you’ll see tabs such as Zone, Protocol, Logging, Advanced and Port Reference. You can ignore the Zone tab, but you need to click on the Protocol tab. On the Protocol screen you see Defined Network Zones (Internet, Local); highlight the Internet zone. On the right side of the Protocol tab you see Network Protocol, and this is where you need to check certain services so that Internet access and other services work correctly. By default, Guarddog does not allow any incoming or outgoing traffic, and this is why you need to allow some services under Network Protocol in the Protocol tab (Internet zone). To allow Internet access, you need to allow DNS (Network), HTTPS (File Transfer) and HTTP (File Transfer). To allow SSH, you need to allow SSH (Interactive Session). You can mess around with the other settings within Guarddog once you get the hang of it. Click Apply and then OK to activate your Guarddog firewall.
As root (sudo -i) or a sudo user, you can edit /etc/fstab to set a stricter setting for shared memory. How? Type vim.tiny /etc/fstab into the terminal, press i to enter insert mode, go to the very bottom of the file, paste tmpfs /dev/shm tmpfs defaults,ro 0 0 on a new line, press Esc to leave insert mode, type a colon “:” (without the quotes) followed by wq, and hit Enter to save and exit the file.
Edit /etc/sysctl.conf to stop some spoofing attacks and enable other security measures. By removing the hash sign # in front of certain lines in this file, you activate the security settings those lines provide. So let’s remove the hash sign in front of:
- net.ipv4.conf.default.rp_filter=1
- net.ipv4.conf.all.rp_filter=1
- net.ipv4.tcp_syncookies=1
- net.ipv4.icmp_echo_ignore_broadcasts = 1
- net.ipv4.icmp_ignore_bogus_error_responses = 1
- net.ipv4.conf.all.accept_redirects = 0
- net.ipv6.conf.all.accept_redirects = 0
- net.ipv4.conf.all.send_redirects = 0
- net.ipv4.conf.all.accept_source_route = 0
- net.ipv6.conf.all.accept_source_route = 0
Save /etc/sysctl.conf, and then, as root, type sysctl -p in the terminal to activate the kernel settings that you have modified.
As root or a sudo user, type aptitude install clamav to install anti-virus software. To scan a directory for viruses, just run clamscan -r -i [insert-directory-name-here-without-the-bracket-signs]. To scan a single file, run clamscan -i [insert-file-name-here-without-the-bracket-signs]. To update the virus signature database, as root or a sudo user, run freshclam in a terminal.
By default, Ubuntu has AppArmor installed. Still, you can enhance this even more. In a terminal, as root or a sudo user, type aptitude install apparmor-profiles. This adds more ready-made profiles for AppArmor to protect against zero-day attacks from hackers.
In a terminal, as root or a sudo user, type aptitude install chkrootkit rkhunter. Chkrootkit and Rkhunter are both rootkit detection scripts. These scripts will alert you about known rootkits on your system, if there are any. Rootkits are the stuff you want to get rid of, because they are the doors through which hackers sneak in. You have to run Chkrootkit and Rkhunter manually or as cron jobs to get the rootkit alerts. Let’s do it manually! For Rkhunter, as root or a sudo user, update its database by typing rkhunter --update in the terminal, and run the check by typing rkhunter -c. For Chkrootkit, as root or a sudo user, you only need to type chkrootkit in the terminal.
Let’s remove telnet completely from your system. Telnet is a very insecure program that lets users communicate remotely with your system in clear text. To do this, in a terminal and as root or a sudo user, type aptitude remove telnet.
Additional security software you may want: tiger, lsat, harden, harden-environment, bastille, harden-nids, harden-tools, harden-clients, harden-servers, rats, wipe, and nmap. You can use Aptitude or Synaptic to install these packages.
Let’s make sure you have only the ports you need open and nothing else! To check for open ports, you can use nmap. In a terminal and as root or a sudo user, type ifconfig to see your eth0 or wlan0 inet addr: 192.168.X.X, and use nmap to scan that inet addr IP. Let’s assume your inet addr is 192.168.0.1; you can type this in the terminal as root or a sudo user: nmap -sTU 192.168.0.1. If you see an open port that you do not know about or think is not necessary, then you can try to deactivate the service that is opening that port, or configure your firewall to block it.
I bet there are other security measures that I may have missed, but you can always let me know by commenting under this post.
Update (on November 26th 2009): There is another security measure that I forgot to tell you about. It’s about the integrity of your system. When someone has modified a file on your Ubuntu system, for either a good or an evil purpose, you want to be able to figure out which file got changed; in case a modified file looks suspicious, you may have to put some extra effort into figuring out whether your system was modified for a malicious purpose or not. You can use fcheck to do this. To install it, go to a terminal as root or a sudo user (i.e., sudo -i or sudo [command here]) and type aptitude install fcheck. After installing fcheck, run fcheck -cadsx so that fcheck records all the files on your system. In case you don’t know what -cadsx means, type man fcheck to see the meaning of each of fcheck’s flags. After running fcheck -cadsx, you can run fcheck -adsx to confirm that fcheck is actually working and reporting on the integrity of your system’s files. Just remember that whenever you boot up your system next time, run fcheck -adsx first to see whether any file has an integrity problem. Register all files with fcheck again by running fcheck -cadsx whenever you update your Ubuntu system or install new software (a package).
Update (on Dec 7th 2009): I also found out that sometimes it’s best to be super paranoid. So here is another way to tighten up your Ubuntu 9.10 even more (this works with other Linux distributions and previous Ubuntu versions): disabling shells for unused accounts and active/inactive services. To do just that, go to a shell (terminal), type [sudo -i] to become root, and then use either nano or vim.tiny to edit /etc/passwd. In /etc/passwd, you can disable all shells except those of the user accounts that you use to log into your Ubuntu 9.10 system. To disable the shell for an account, remove the last part, which looks like bash or sh, and replace it with false. For example, whatever:x:x:x:x:/x:/bin/false is correct (the insecure setting would be whatever:x:x:x:x:/x:/bin/bash). You can also lock accounts in /etc/shadow with [passwd -l] (for example, passwd -l username), but there is an exception: do not lock an account that you want to log into your system with.
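Added example, not from the original post: a small POSIX shell audit that checks the /etc/sysctl.conf step above (the ten settings to uncomment) and this update’s /etc/passwd step (accounts that still have a login shell). It assumes both files are in their standard formats; the two sample files it reads are constructed for the demo, and on a real Ubuntu box you would point the functions at /etc/sysctl.conf and /etc/passwd instead.

```shell
# Added audit helper, not from the original post: checks a sysctl.conf-style
# file against the settings the post tells you to uncomment, and lists accounts
# in a passwd-style file that still have a login shell. Sample files are constructed.

# key=value pairs exactly as the post lists them (spaces around '=' removed).
WANTED="net.ipv4.conf.default.rp_filter=1
net.ipv4.conf.all.rp_filter=1
net.ipv4.tcp_syncookies=1
net.ipv4.icmp_echo_ignore_broadcasts=1
net.ipv4.icmp_ignore_bogus_error_responses=1
net.ipv4.conf.all.accept_redirects=0
net.ipv6.conf.all.accept_redirects=0
net.ipv4.conf.all.send_redirects=0
net.ipv4.conf.all.accept_source_route=0
net.ipv6.conf.all.accept_source_route=0"

# Print one line per wanted key that is missing, still commented out, or set to
# another value; the last active assignment wins, which is how sysctl -p reads it.
audit_sysctl() {
    for pair in $WANTED; do
        key=${pair%%=*}
        want=${pair#*=}
        have=$(awk -F= -v k="$key" '
            { sub(/#.*/, ""); gsub(/[ \t]/, "") }   # drop comments and spaces
            $1 == k { v = $2 }                      # last match wins
            END { print v }' "$1")
        [ "$have" = "$want" ] || echo "$key: want $want, have ${have:-unset}"
    done
}

count_sysctl_findings() { audit_sysctl "$1" | wc -l | tr -d ' '; }  # 0 = hardened

# Print account:shell for every account that still has a real shell, i.e. the
# ones the post says to switch to /bin/false unless you log in with them.
login_shells() {
    awk -F: '$7 != "/bin/false" && $7 != "/usr/sbin/nologin" { print $1 ":" $7 }' "$1"
}

# Constructed sample input: two settings still commented out, one wrong value.
TMP=$(mktemp -d); trap 'rm -rf "$TMP"' EXIT
SAMPLE_SYSCTL="$TMP/sysctl.conf"; SAMPLE_PASSWD="$TMP/passwd"
cat >"$SAMPLE_SYSCTL" <<'EOF'
net.ipv4.conf.default.rp_filter=1
net.ipv4.conf.all.rp_filter=1
#net.ipv4.tcp_syncookies=1
net.ipv4.icmp_echo_ignore_broadcasts = 1
#net.ipv4.icmp_ignore_bogus_error_responses = 1
net.ipv4.conf.all.accept_redirects = 0
net.ipv6.conf.all.accept_redirects = 0
net.ipv4.conf.all.send_redirects = 0
net.ipv4.conf.all.accept_source_route = 1
net.ipv6.conf.all.accept_source_route = 0
EOF
cat >"$SAMPLE_PASSWD" <<'EOF'
root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/bin/sh
www-data:x:33:33:www-data:/var/www:/bin/false
alice:x:1000:1000:Alice,,,:/home/alice:/bin/bash
EOF
echo "sysctl findings:"; audit_sysctl "$SAMPLE_SYSCTL"
echo "accounts with a login shell:"; login_shells "$SAMPLE_PASSWD"
```

On the sample input it reports the two commented-out keys as unset and the wrong accept_source_route value, and lists root, daemon and alice as the accounts still holding a shell.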