>Ramblings: Lack Of IT Security Professionals, University Courses and Unqualified Penetration Testers « Adam On Security:

>Today I want to talk to you about my reasoning why the Security Industry is desperate for staff, and explain a little bit about my self as I’m trying to break into the security industry as a network penetration tester, I also have a solid dig at universities, and i’m probably going to offend a lot of people with this, but it needs to be said and this is what freedom of speech is all about.

The State Of The Industry

The UK IT Security Industry is reported to be about 50,000 people short, why is this? In my opinion it’s because there is no where for security professionals to practice legitimate hacking techniques outside of spending thousands on various different systems and building networks. This results in there being a large amount of Security staff that don’t know how to think like an attacker and a business wondering why their network keeps getting broken into. This in turn creates fear and a greater demand for more security staff creating a vacuum

The Blame Game

I personally blame the state of security education for this shortage. In short you can’t teach someone how to hack and how to audit networks without them at some point auditing a real, secure servers in the wild. Even if you could create an environment to train security staff in attack methods, it would no way be as diverse as the array of internet connected business that they will be presented with in the field. The person in training could only ever leave education with a very narrow skill set based on the budget size of the institute where they learnt.

Universities – The Root Of All Evil?

So what happens is Universities pump out thousands of ‘security’ students that don’t know anything about the real security practices or attack methods they will be expected to defend against. I have done my security degree for 2 years now, and I can tell you, I haven’t learn a thing about security that I didn’t know before I went or that i have learnt in my spare time, and that’s not an exaggeration.

Universities in the UK work at the speed of the worst student on the course, so all security students get is repetitious explanations of the basics of computing causing long drawn out tutorials that leave no time for more in depth security concepts.

If your a prospective security student reading this you might think that you’ll be challenged with all this useful information that is relevant to your career. Instead all you get for your £9000 a year is watered down and censored horse sh*t. The closest I have come to real security talk is chatting to lecturers outside of lessons because they’re not under pressure of talking about “taboo” subjects.

To be blunt universities just don’t have the time or balls to teach security students REAL security that they can actually use in the field, they can’t talk about things like buffer overflows in detail, they can’t step by step explain concepts like SQL injection. This is for two reasons, firstly its like giving students a loaded shotgun, they can’t control what you do with that information, and they don’t want to be liable. Secondly they don’t want it to go over anyone’s heads, god forbid a student might actually have to do some extra reading at home to understand something, even worse god forbid a student actually fail! So instead students come out with a piece of paper that says they are qualified to work in IT Security when in fact they have been taught very little about it, instead we have been repetitively spoon fed the basics of computing with a light glance at how one might approach the topic of security, because its less likely to cause a fuss and to go over students heads.

These students then hit the field knowing very little about real security, and it falls to business owners to spend time and money training them from the ground up, or they simply get jobs securing business without a clue about what there doing from an attackers perspective. So what did we just spend 9000 a year on?

Here is what you get for your 9000 a year on a security course each week in the UK

3 Hours of Cisco – Cisco fund a large portion of my University so we don’t have a free choice like other courses and are forced to spend 3 years learning a qualification that expires in 3 years (CCNA), oh and did I mention we have to pay them to actually take the certification test ontop of our fees and the end of the 3 years?

1.5 Hours of business studies – Group work making a marketing plan for a product I will never make that isn’t really anything to do with my course.

3 Hours of Open systems (linux technologies) quite interesting but I have used linux for 3 years and the things explained are basic even5 months into the module, 90% talking about licensing, 10% actually using linux.

3 Hours of watered down and heavily censored security, for example one way hashing, key exchanges, file systems.

2.5 Hours of Visual Basic programming RFID tags because the Uni is backed by Micro$oft so we have no choice about learning anything other than VB.Net .

(This also assumes the lecturers show up and your lecturer knows what he is talking about. Which isn’t always the case)

Now does that sound like someone you want to hire for a network penetration tester position? How about if I told you that these people are being hired to secure databases with your credit card details in ? Scared now – you should be.

Me as a Hacker

I don’t hesitate to say I have dabbled in the less legal sides of hacking and security, but ONLY to learn and explore. I don’t think you can work in security unless you have done at some point, if you haven’t, how do you know if the things you have read about actually work? You haven’t practiced anything to do with real auditing, you have just read the books. If you are working in penetration testing and have never dabbled, then at some point your company hired you for a job you were unequipped to do, and it probably cost them more to train you than if they hired someone with a greater skill set.

The Interview

I’ll put this to you, If I turned up to a job interview for a penetration tester ‘year in industry’ tomorrow and there was an equally qualified person applying at the same time for the same position. The person standing next to me has the same degree and the same qualifications, but he has never looked into hacking because he never had the equipment or outlet to practice the skills he could only read about in his spare time.

Then there is me who could root a corporate file server in minutes, social engineer my way through you’re companies head quarters with a smile on my face and read your CEO’s emails from the coffee shop across the road. Does the interviewer ask me where I learnt these things? Would he even ask if i possessed them as a skill? Or does he look at the piece of paper in front of him and go by the fact that Joe Blogs next to me gets the job because his suit is shinier and he can talk the talk? Then 6 months later the company wonders why they are struggling to explain simple port scanning and network mapping to Joe Blogs and wonders why there is no good quality security staff to be had.

If Kevin Mitnick showed up at your door asking for a job at your network security company, would you turn him down because the origin of his skills is a little dubious? Of course you wouldn’t, he is one of the greatest minds in the security (in my opinion) and he doesn’t have an LPT or a CEH and his degree is a little out dated, but he has the skills and the mind set.

Security is an industry where you can’t just recruit someone because of the papers they hold, anyone can revise and memorize information to pass a course, you need to put the skills they say they have to the test. I’d kill to show up to an interview and the company have an easily compromisable server running in the room to test their applicants. I bet half of the applicants wouldn’t know where to start, despite there Security Degree and CCNA emblazoned all over their CV.

Here Is My Challenge

I have learnt all my skill security/penetration skill base on my own, I’m doing my degree because I do need the piece of paper for Penetration Testing firms to even look twice at my CV.

If there is one thing I can tell you, and I tell people time and time again is this: I eat sleep and breath this, I don’t stop, Computer Security isn’t just a career for me, its a way of life (avoiding cliches). That’s not something I can get across on 2 sides of A4 and not something anyone can get with a 3 year course and a light dusting of certifications.

I challenge any UK Penetration Testing Firm or (companies that need an in house penetration tester), If you call me in for an interview for a year in industry placement (September 2011 – 2012), give me 30 minutes of your time with a my laptop, I will show you more penetration testing related skill than any applicant you have seen, and that is a promise. My email is adam@adamonsecurity.com if you want to take me up on that.

Happy Hacking

>Seguraça extrema com LIDS

>Autor: Anderson L Tamborim
Data: 21/02/2004

Introdução ao LIDS

1.0 – O que é o LIDS?

LIDS é um patch de melhorias para a kernel do Linux escrita por Xie Huagang e Philippe Biondi. Este patch adiciona esquemas de segurança extrema ao kernel e que não são possíveis apenas com as funções nativas da kernel.

Entre algumas destas funções temos:

Mandatory Access Controls (MACs)
Detecção de Port Scanners
Proteção de acesso a arquivos e pastas (incluindo pelo root)
Proteção de processos, módulos e interfaces.

1.1 – Porque utilizar o LIDS?

LIDS é um conjunto indispensável de ferramentas que vem sofrendo muitas melhorias nos últimos anos e me arrisco a dizer que ele está no auge do seu potencial com a versão 2.4.24 e 2.6 do kernel do Linux.

As ferramentas que acompanham o LIDS são muito fáceis de utilizar e configurar. Quem trabalha com segurança e deseja alcançar um nível superior de segurança dentro do seu sistema NECESSITA conhecer LIDS.

O LIDS, como vocês verão, não é uma ferramenta para se utilizar em micros de usuários devido a robustez de sua configuração, o que causaria uma série de problemas que o tornam de certa forma inviável, sendo que também temos ótimas ferramentas de IDS para Linux que usuários podem utilizar, como Snort, Portsentry, entre outras.

Com o LIDS podemos restringir qualquer acesso ao nosso sistema e ele nos manterá totalmente informado de tudo que esta havendo no sistema, qualquer tentativa de burlar sistemas protegidos pelo LIDS é documentada em emails e nos logs.

1.2 – Onde posso conseguir o LIDS?

Bom, o LIDS é uma atualização FREE para a kernel. Pode ser encontrada em http://www.lids.org e também nesta lista de mirrors: http://www.lids.org/mirrors.html.

1.3 – Direitos e Copyright

This software is copyright(c) 2000, 2001, 2002 for Steve Bremer – 2002, 2003 for Sander Klein and it is a FREE document. You may redistribute it under the terms of the GNU General Public License. The information herein this document is, to the best of Sander’s knowledge, correct. However, LIDS and the LIDS-FAQ is written by humans and thus, the chance of mistakes, bugs, etc. might occur from time to time. No person, group, or other body is responsible for any damage on your computer(s) and any other losses by using the information on this document. i.e. “THE AUTHORS AND ALL MAINTAINERS ARE NOT RESPONSIBLE FOR ANY DAMAGES INCURRED DUE TO ACTIONS TAKEN BASED ON THE INFORMATION IN THIS DOCUMENT.”

Instalando o LIDS

2.1 – Como aplicar o patch do LIDS ao meu kernel?

A primeira coisa que devemos fazer é entrar em http://www.lids.org e baixar a versão de LIDS que corresponde ao kernel que iremos compilar, recomendo o kernel 2.4.24.

Se você não possui a versão deste kernel, poderá baixa-lo em http://www.kernel.org. Não entrarei em detalhes de como recompilar o kernel, se caso você que esteja lendo não possui tal habilidade, procure documentação antes de prosseguir.

Vamos descompactar o arquivo:

$ tar -zxvf lids-lids_version-kernel_version.tar.gz

Agora vamos entrar na pasta do nosso kernel:

$ cd /usr/src/linux

Agora aplicar o patch:

# patch -p1
[*] Networking support
[*] PCI support
(Any) PCI access mode
[*] PCI quirks
[ ] PCI bridge optimization (experimental)
[*] Backward-compatible /proc/pci
[ ] MCA support
[ ] SGI Visual Workstation support
[*] System V IPC
[ ] BSD Process Accounting
[*] Sysctl support
Kernel support for a.out binaries
Kernel support for ELF binaries
Kernel support for MISC binaries
Kernel support for JAVA binaries (obsolete)
Parallel port support
[ ] Advanced Power Management BIOS support

Networking options —> *(Personalize de acordo com suas
necessidades)
Packet socket
[*] Kernel/User netlink socket
[*] Routing messages
Netlink device emulation
[*] Network firewalls
[ ] Socket Filtering
Unix domain sockets
[*] TCP/IP networking
[ ] IP: multicasting
[*] IP: advanced router
[ ] IP: policy routing
[*] IP: equal cost multipath
[ ] IP: use TOS value as routing key
[*] IP: verbose route monitoring
[*] IP: large routing tables
[ ] IP: kernel level autoconfiguration
[*] IP: firewalling
[*] IP: firewall packet netlink device
[ ] IP: transparent proxy support
[*] IP: masquerading
— Protocol-specific masquerading support will be built as
modules.
[*] IP: ICMP masquerading
— Protocol-specific masquerading support will be built as
modules.
[*] IP: masquerading special modules support
IP: ipautofw masq support (EXPERIMENTAL)
IP: ipportfw masq support (EXPERIMENTAL)
IP: ip fwmark masq-forwarding support (EXPERIMENTAL)
[*] IP: optimize as router not host
IP: tunneling
IP: GRE tunnels over IP
[*] IP: aliasing support
[ ] IP: ARP daemon support (EXPERIMENTAL)
[*] IP: TCP syncookie support (not enabled per default)
— (it is safe to leave these untouched)
IP: Reverse ARP
[*] IP: Allow large windows (not recommended if <16Mb of memory) The IPv6 protocol (EXPERIMENTAL)

opções do lids no kernel –>
Linux Intrusion Detection System —>
[*] Linux Intrusion Detection System support (EXPERIMENTAL)
— LIDS features
(1024) Maximum protected objects to manage
(1024) Maximum ACL subjects to manage
(1024) Maximum ACL objects to manage
(1024) Maximum protected proceeds
[ ] Hang up console when raising a securit alert
[ ] Security alert when execing unprotected programs before
sealing LIDS
[*] Try not to flood logs
(60)Authorised time between two identic logs (seconds)
[*] Allow switching LIDS protections
(3)Number of attempts to submit password
(3) Time to wait after a fail (seconds)
[ ] Allow remote users to switch LIDS protections
[ ] Allow any program to switch LIDS protections
[*] Allow reloading config. File
[*] Port Scanner Detector in kernel
[*] Send security alerts through network
[ ] Hide klids kernel thread
(3) Number of connection tries before giving up
(30)Sleep time after a failed connection
(16)Message queue size

Muito bem, agora recompile seu kernel normalmente como sempre faz. Adicione a imagem no seu gerenciador de inicialização e tudo mais. Pronto, seu kernel tem suporte ao LIDS.

2.2 – Instalando Lidsadm & Lidsconf

Entre na pasta onde você descompactou o LIDS:

$ tar -zvxf lidstools-version.tar.gz
$ cd lidstools-version
$ ./configure
$ make
$ su –
# make install

Junto ao LIDS, a versão que vem do lidstools já é antiga, puxe a versão 0.5.1 na página do LIDS e compile ela.

Muito bem, depois que terminar de compilar ele vai pedir uma senha, coloque uma que se lembre depois, porque ela será muito importante.

Depois que você instalar poderá ver se está tudo rodando perfeitamente:

$ lidsadm -v

Ele retornará a versão do lidsadm.

Bom… Primeira DICA: não reinicie seu sistema ainda ou então ele estará totalmente bloqueado. Recomendo-lhe limpar todas as funções do LIDS antes de reiniciar.

Se você olhar em /etc/lids/, teremos 2 arquivos:

Lids.cap -> Arquivo com as funções de capabilities
Lids.conf -> com as Entradas de configuração que editaremos

São os principais que usaremos.

Conhecendo o LIDS

3.1 – /sbin/lidsadm & /sbin/lidsconf

O lidsadm é um software que usaremos para administrar nosso LIDS. Vamos dar uma analisada básica nele:

# lidsadm -h

lidsadm version 0.4.1 for LIDS project
Huagang Xie
Philippe Biondi

Usage: lidsadm -[S|I] — [+|-][LIDS_FLAG] […]
lidsadm -V
lidsadm -h

Commands:
-S To submit a password to switch some protections
-I To switch some protections without submitting
password (sealing time)
-V To view current LIDS state (caps/flags)
-v To show the version
-h To list this help

Available capabilities:
CAP_CHOWN chown(2)/chgrp(2)
CAP_DAC_OVERRIDE DAC access
CAP_DAC_READ_SEARCH DAC read
CAP_FOWNER owner ID not equal user ID
CAP_FSETID effective user ID not equal owner ID
CAP_KILL real/effective ID not equal process ID
CAP_SETGID set*gid(2)
CAP_SETUID set*uid(2)
CAP_SETPCAP transfer capability
CAP_LINUX_IMMUTABLE immutable and append file attributes
CAP_NET_BIND_SERVICE binding to ports below 1024
CAP_NET_BROADCAST broadcasting/listening to multicast
CAP_NET_ADMIN interface/firewall/routing changes
CAP_NET_RAW raw sockets
CAP_IPC_LOCK locking of shared memory segments
CAP_IPC_OWNER IPC ownership checks
CAP_SYS_MODULE insertion and removal of kernel modules
CAP_SYS_RAWIO ioperm(2)/iopl(2) access
CAP_SYS_CHROOT chroot(2)
CAP_SYS_PTRACE ptrace(2)
CAP_SYS_PACCT configuration of process accounting
CAP_SYS_ADMIN tons of admin stuff
CAP_SYS_BOOT reboot(2)
CAP_SYS_NICE nice(2)
CAP_SYS_RESOURCE setting resource limits
CAP_SYS_TIME setting system time
CAP_SYS_TTY_CONFIG tty configuration
CAP_MKNOD mknod operation
CAP_LEASE taking leases on files
CAP_HIDDEN hidden process
CAP_KILL_PROTECTED kill protected programs
CAP_PROTECTED Protect the process from signals

Available flags:
LIDS de-/activate LIDS locally (the shell & childs)
LIDS_GLOBAL de-/activate LIDS entirely
RELOAD_CONF reload config. file and inode/dev of
protected programs

Temos a lista de todos os “capabilities”.

Com o lidsconf faremos as configurações do LIDS no nosso sistema, ou seja, o que iremos bloquear e o que iremos liberar. O lidsconf na sua instalação gera uma configuração padrão que podemos analizar assim:

# lidsconf -h

lidsconf version 0.4.1 for the LIDS project
Huagang Xie
Philippe Biondi

Usage: lidsconf -A [-s subject] -o object [-d] [-t from-to]
[-i level] -j ACTION
lidsconf -D [-s file] [-o file]
lidsconf -Z
lidsconf -U
lidsconf -L [-e]
lidsconf -P
lidsconf -v
lidsconf -[h|H]

Commands:
-A,–add To add an entry
-D,–delete To delete an entry
-Z,–zero To delete all entries
-U,–update To update dev/inode numbers
-L,–list To list all entries
-P,–passwd To encrypt a password with RipeMD-160
-v,–version To show the version
-h,–help To list this help
-H,–morehelp To list this help with CAP/SOCKET name

subject: -s,–subject subj
can be any program, must be a file
object: -o,–object [obj]
can be a file, directory or Capability, Socket Name
ACTION: -j,–jump
DENY deny access
READONLY read only
APPEND append only
WRITE writable
GRANT grant capability to subject
IGNORE ignore any permissions set on this object
DISABLE disable some extersion feature
OPTION:
-d,–domain The object is an EXEC Domain
-i,–inheritance Inheritance level
-t,–time Time dependency
-e,–extended Extended list

Os comandos principais que usaremos serão:

lidsconf -L: lista as configurações atuais.
lidsconf -Z: zera as configurações.
lidsconf -U: Atualiza as configurações, sempre deve-se atualizar quando se acrescenta uma nova regra.

Como posso setar uma nova password:

# lidsconf -P
MAKE PASSWD
enter new password:
reenter new password:
wrote password to /etc/lids/lids.pw

A senha ficará escrita nesse arquivo com criptografia de 185 bits.

3.2 – Como dizer ao LIDS para recarregar minha configuração?

Bom, para que isso ocorra você deve ter selecionado esses esquemas no seu menuconfig:

[*] Allow switching LIDS protections
(3) Number of attempts to submit password
(30) Time to wait after a fail (seconds)
[ ] Allow remote users to switch LIDS protections
[ ] Allow any program to switch LIDS protections
[*] Allow reloading config. file <———–

# lidsadm -S — +RELOAD_CONF

Isso irá recarregar o seu LIDS com as novas configurações sem precisar reiniciar o kernel.

3.3 – Socorro meu sistema esta totalmente bloqueado

Bom, se isso acontecer você deverá bootar seu linux pelo kernel antigo (sem LIDS) e retirar todos os atributos de configurações existentes para deixar tudo zerado:

# /sbin/lidsconf -Z
# /sbin/lidsconf -U

Porque rebootar por outro kernel?
Por que provavelmente você não conseguirá acessar as configurações do LIDS pelo kernel rodando ele. Ele estará bloqueado por padrão.

3.4 – Sem rebootar a máquina como posso desabilitar o LIDS?

Para conseguir essa façanha, utilize este comando:

# lidsadm -S — -LIDS_GLOBAL

Agora você terá o LIDS desabilitado e seu sistema estará totalmente desprotegido por ele, caso queira ligá-lo novamente utilize:

# lidsadm -S — +LIDS_GLOBAL

3.4 – Como ver o status do meu LIDS?

O comando abaixo nos trará uma saída com as funções que estão em uso pelo kernel:

# lidsadm -V

VIEW
CAP_CHOWN 0
CAP_DAC_OVERRIDE 0
CAP_DAC_READ_SEARCH 0
CAP_FOWNER 0
CAP_FSETID 0
CAP_KILL 0
CAP_SETGID 0
CAP_SETUID 0
CAP_SETPCAP 0
CAP_LINUX_IMMUTABLE 0
CAP_NET_BIND_SERVICE 0
CAP_NET_BROADCAST 0
CAP_NET_ADMIN 0
CAP_NET_RAW 0
CAP_IPC_LOCK 0
CAP_IPC_OWNER 0
CAP_SYS_MODULE 0
CAP_SYS_RAWIO 0
CAP_SYS_CHROOT 0
CAP_SYS_PTRACE 0
CAP_SYS_PACCT 0
CAP_SYS_ADMIN 0
CAP_SYS_BOOT 1
CAP_SYS_NICE 0
CAP_SYS_RESOURCE 1
CAP_SYS_TIME 0
CAP_SYS_TTY_CONFIG 0
CAP_MKNOD 0
CAP_LEASE 0
CAP_HIDDEN 1
CAP_KILL_PROTECTED 0
CAP_PROTECTED 0
LIDS 0
LIDS_GLOBAL 1
RELOAD_CONF 0

Configurando o LIDS

4.1 – Protegendo um arquivo/pasta como “somente leitura”

Essa configuração não irá permitir que nenhum usuário consiga escrever nos arquivos protegidos. Essa atitude é muito útil em caso de arquivos binários como o /bin/login, /bin/su para evitar o trabalho de rootkits.

Devemos frisar que quando digo nenhum usuário, me refiro a nenhum mesmo, nem mesmo o root. Portanto cuidado com os arquivos que irá proteger.

# lidsconf -A -o /path/to/file -j READONLY

Isso será necessário para proteger o arquivo como somente leitura. Se quisermos proteger uma pasta toda, basta colocarmos a pasta que queremos:

# lidsconf -A -o /pasta -j READONLY

E todas subpastas e arquivos de dentro estarão protegidos.

4.2 – Protegendo um arquivo/pasta tornando-o oculto e inacessível por usuários

Essa configuração tornará o arquivo protegido como invisível e inacessível para os usuários e para o sistema. Assim ele se tornará quase que algo não existente.

Raramente usaremos esses parâmetros sozinhos e sim em conjuntos para obter um controle em que softwares poderão escrever em determinados arquivos e tudo mais.

# lidsconf -A -o /path/file -j DENY

Com isso o arquivo ficará totalmente inacessível.

Isso e muito útil quando temos um servidor em que não se adiciona usuários, daí faremos o seguinte esquema para proteger o /etc/shadow:

# lidsconf -A -o /etc/shadow -j DENY
# lidsconf -A -o /bin/login -j READONLY
# lidsconf -A -s /bin/login -j READONLY

Isso faria com que nós conseguíssemos logar no sistema, mesmo o /etc/shadow estando totalmente inacessível ao sistema. Somente o /bin/login interage com ele.

4.3 – Como proteger meus arquivos de logs?

Bom, com certeza que arquivos de logs são os alvos mais previsíveis durante uma invasão, todo usuário iria querer sumir com suas entradas de dentro deles. Portanto, protegendo os logs como APPEND eles podem apenas ser adicionados, nunca apagados.

# lidsconf -A -o /var/log -j APPEND

Assim o invasor mesmo com root no sistema não conseguiria eliminar seus vestígios no sistema.

Bom, isso é o básico que todos devem saber sobre o LIDS. Vou passar agora umas regras básicas de proteção para o sistema, como por exemplo, proteger determinador daemons.

Configurações básicas para o sistema

Configuração de proteção para o Sistema:

# Protect System Binaries
#
/sbin/lidsconf -A -o /sbin -j READONLY
/sbin/lidsconf -A -o /bin -j READONLY

# Protect all of /usr and /usr/local
# (This assumes /usr/local is on a separate file system).
#
/sbin/lidsconf -A -o /usr -j READONLY
/sbin/lidsconf -A -o /usr/local -j READONLY

# Protect the System Libraries
#(/usr/lib is protected above since /usr/lib generally isn’t
# on a separate file system than /usr)
#
/sbin/lidsconf -A -o /lib -j READONLY

# Protect /opt
#
/sbin/lidsconf -A -o /opt -j READONLY

# Protect System Configuration files
#
/sbin/lidsconf -A -o /etc -j READONLY
/sbin/lidsconf -A -o /usr/local/etc -j READONLY
/sbin/lidsconf -A -o /etc/shadow -j DENY
/sbin/lidsconf -A -o /etc/lilo.conf -j DENY

# Enable system authentication
#
/sbin/lidsconf -A -s /bin/login -o /etc/shadow -j READONLY
/sbin/lidsconf -A -s /usr/bin/vlock -o /etc/shadow -j READONLY
/sbin/lidsconf -A -s /bin/su -o /etc/shadow -j READONLY
/sbin/lidsconf -A -s /bin/su -o CAP_SETUID -j GRANT
/sbin/lidsconf -A -s /bin/su -o CAP_SETGID -j GRANT

# Protect the boot partition
#
/sbin/lidsconf -A -o /boot -j READONLY

# Protect root’s home dir, but allow bash history
#
/sbin/lidsconf -A -o /root -j READONLY
/sbin/lidsconf -A -s /bin/bash -o /root/.bash_history -j WRITE

# Protect system logs
#
/sbin/lidsconf -A -o /var/log -j APPEND
/sbin/lidsconf -A -s /bin/login -o /var/log/wtmp -j WRITE
/sbin/lidsconf -A -s /bin/login -o /var/log/lastlog -j WRITE
/sbin/lidsconf -A -s /sbin/init -o /var/log/wtmp -j WRITE
/sbin/lidsconf -A -s /sbin/init -o /var/log/lastlog -j WRITE
/sbin/lidsconf -A -s /sbin/halt -o /var/log/wtmp -j WRITE
/sbin/lidsconf -A -s /sbin/halt -o /var/log/lastlog -j WRITE
/sbin/lidsconf -A -s /etc/rc.d/rc.sysinit -o /var/log/wtmp -i 1 -j WRITE
/sbin/lidsconf -A -s /etc/rc.d/rc.sysinit -o /var/log/lastlog -i 1 -j WRITE

# Startup
#
/sbin/lidsconf -A -s /sbin/hwclock -o /etc/adjtime -j WRITE

# Shutdown
#
/sbin/lidsconf -A -s /sbin/init -o CAP_INIT_KILL -j GRANT
/sbin/lidsconf -A -s /sbin/init -o CAP_KILL -j GRANT

# Give the following init script the proper privileges to kill
# processes and unmount the file systems. However, anyone who can
# execute these scripts by themselves can effectively kill your
# processes. It’s better than the alternative, however.
#
# Any ideas on how to get around this are welcome!
#
/sbin/lidsconf -A -s /etc/rc.d/init.d/halt -o CAP_INIT_KILL -i 1 -j GRANT
/sbin/lidsconf -A -s /etc/rc.d/init.d/halt -o CAP_KILL -i 1 -j GRANT
/sbin/lidsconf -A -s /etc/rc.d/init.d/halt -o CAP_NET_ADMIN -i 1 -j GRANT
/sbin/lidsconf -A -s /etc/rc.d/init.d/halt -o CAP_SYS_ADMIN -i 1 -j GRANT

# Other
#
/sbin/lidsconf -A -s /sbin/update -o CAP_SYS_ADMIN -j GRANT

Segurança para Apache:

/sbin/lidsconf -A -s /usr/local/apache/bin/httpd -o CAP_SETUID -j GRANT
/sbin/lidsconf -A -s /usr/local/apache/bin/httpd -o CAP_SETGID -j GRANT

# Config files
/sbin/lidsconf -A -o /etc/httpd -j DENY
/sbin/lidsconf -A -s /usr/local/apache/bin/httpd -o /etc/httpd -j READONLY

# Server Root
/sbin/lidsconf -A -o /usr/local/apache -j DENY
/sbin/lidsconf -A -s /usr/local/apache/bin/httpd -o /usr/local/apache -j READONLY

# Log Files
/sbin/lidsconf -A -o /var/log/httpd -j DENY
/sbin/lidsconf -A -s /usr/local/apache/bin/httpd -o /var/log/httpd -j APPEND
/sbin/lidsconf -A -s /usr/local/apache/bin/httpd -o /usr/local/apache/logs -j WRITE

Segurança para MySQL:

/sbin/lidsconf -A -o /usr/local/mysql/var -j APPEND
/sbin/lidsconf -A -o /usr/local/mysql -j DENY
/sbin/lidsconf -A -s /usr/local/mysql/libexec/mysqld -o /usr/local/mysql -j READONLY
/sbin/lidsconf -A -s /usr/local/mysql/libexec/mysqld -o /usr/local/mysql/var -j WRITE

Segurança para Snort:

/sbin/lidsconf -A -s /usr/sbin/snort -o CAP_DAC_OVERRIDE -j GRANT
/sbin/lidsconf -A -s /usr/sbin/snort -o CAP_NET_RAW -j GRANT
/sbin/lidsconf -A -s /usr/sbin/snort -o CAP_HIDDEN -j GRANT
/sbin/lidsconf -A -s /usr/sbin/snort -o CAP_SETUID -j GRANT
/sbin/lidsconf -A -s /usr/sbin/snort -o CAP_SETGID -j GRANT

Segurança para Postfix:

/sbin/lidsconf -A -o /etc/postfix -j DENY
/sbin/lidsconf -A -o /var/spool/postfix -j DENY
/sbin/lidsconf -A -s /etc/init.d/postfix -o /etc/postfix -j READONLY -i 1
/sbin/lidsconf -A -s /etc/init.d/postfix -o /var/spool/postfix -j WRITE -i 1
/sbin/lidsconf -A -s /usr/sbin/postfix -o /etc/postfix -j READONLY -i 4
/sbin/lidsconf -A -s /usr/sbin/postfix -o /var/spool/postfix -j WRITE -i 4

/sbin/lidsconf -A -s /usr/lib/postfix/master -o CAP_SETGID -j GRANT -i 1
/sbin/lidsconf -A -s /usr/lib/postfix/master -o CAP_SETUID -j GRANT -i 1
/sbin/lidsconf -A -s /usr/lib/postfix/master -o CAP_HIDDEN -j GRANT -i 1
/sbin/lidsconf -A -s /usr/lib/postfix/master -o CAP_DAC_OVERRIDE -j GRANT -i 1
/sbin/lidsconf -A -s /usr/lib/postfix/master -o CAP_SYS_CHROOT -j GRANT -i 1
/sbin/lidsconf -A -s /usr/lib/postfix/master -o /etc/aliases.db -j READONLY -i 1
/sbin/lidsconf -A -s /usr/lib/postfix/master -o /var/spool/postfix -j WRITE -i 1
/sbin/lidsconf -A -s /usr/lib/postfix/master -o /etc/postfix -j READONLY -i 1
/sbin/lidsconf -A -s /usr/sbin/postdrop -o /etc/postfix -j READONLY
/sbin/lidsconf -A -s /usr/sbin/postdrop -o /var/spool/postfix -j WRITE
/sbin/lidsconf -A -s /usr/sbin/sendmail -o /etc/postfix -j READONLY
/sbin/lidsconf -A -s /usr/sbin/sendmail -o /var/spool/postfix -j WRITE

Considerações finais

Espero que este texto possa ajudar muita gente a melhorar a segurança de seus servidores e se aprofundar no mundo da segurança digital.

Em http://www.lids.org temos um FAQ completo onde podemos encontrar muito mais exemplos.

Obrigado por ler meu trabalho, espero que aproveitem bem.

Anderson Luiz Tamborim.
Y2h4ck@linuxmail.org

Fontes: http://www.lids.org
http://www.linuxsecurity.org

– eof —

>Inserindo data e hora no comando history

>Para adicionar a data e hora no comando history você precisa inserir o conteúdo “%h/%d – %H:%M:%S ” na variável HISTTIMEFORMAT, então faça:

# export HISTTIMEFORMAT=”%h/%d – %H:%M:%S “

Quando reiniciar sua máquina, ou fizer o logoff com o seu usuário, a variável automaticamente será desativada, ou melhor, não terá conteúdo, então você precisa adicionar no .bashrc do seu usuário.

Se você estiver utilizando o usuário root, acesse:

# vim /root/.bashrc

E adicione ao final do arquivo a exportação da variável:

export HISTTIMEFORMAT=”%h/%d – %H:%M:%S “

>Symbian development on Linux and OS X (Como emular symbian no Linux e MAC OS X)

>Neste link:http://www.martin.st/symbian/ há uma breve explicação de como fazer isso, mas estou escrevendo um paper melhorado voltado para pentest/análise de malware.

Introduction

Since version 1.03 of my gnupoc package, I’ve combined SDK patches, updated tool sources and gcc patches into one (slighly larger) package, instead of distributing lots of patches separately. People interested in the old approach can read the old version of this page.

The main goal of this gnupoc patch collection is to be able to build symbian projects on unix-like systems with as little changes as possible to the actual projects. This means that it e.g. uses the same mmp files and external makefiles for icons as on Windows.

My patches and tools are based on the original GnuPoc project.

Using this package, you can build applications for S60 1st, 2nd, 3rd ed and 5th ed, Symbian^3, and UIQ 3, on Linux and OS X. The SDKs can be unpacked and binaries and sis packages be built completely without wine.

The latest, unreleased version is available on GitHub. If you’re having problems, you may want to check whether it already has been fixed here.

News/changes

Version 1.20 (March 10, 2010) – Support for Qt 4.7.2 and Qt Mobility 1.1.1, support for installing CodeSourcery GCC 2009q1 (4.3) and 4.4-172, support for the symbian/linux-gcce mkspec in Qt 4.7.x, installing SDK headers with the canonical capitalization (keeping lowercase names via symlinks), support for replacing carbide style environment variables in pkg files in makesis, support for bitmaps in mifconv
Version 1.19 (November 17, 2010) – A critical fix for a bug in 1.18, where elf2e32 was unable to create binaries with UIDs in the unprotected range, on some OSes
Version 1.18 (November 15, 2010) – Bug fixes for Qt 4.7.0, support for Qt 4.7.1, a script for installing Qt Mobility, some improvments to elf2e32 and elftran, support for the new Symbian^3 SDK version
Version 1.17 (September 24, 2010) – Support for installing Open C 1.7.5 (thanks to Tero Hasu), support for installing Qt 4.7.0, in addition to Qt 4.6.3. See the gnupoc-package/sdks/README.qt file for instructions on setting up the Qt SDK.
Version 1.16 (August 12, 2010) – Initial support for using the Qt for Symbian SDKs for building Qt applications, preliminary support for the Symbian^3 SDK beta. See the gnupoc-package/sdks/README.qt file for instructions on setting up the Qt SDK. Additionally, assorted fixes and updates to the toolchain.
Version 1.15 (January 18, 2010) – Added support for some more parameters to elf2e32, fixed a crash in extmake, fixed a problem in one of the installer scripts, as pointed out by Anderson Lizardo.
Version 1.14 (December 1, 2009) – Added support for RVCT, based on patches by Anderson Lizardo, added support for both armv5 and armv5_abiv2. Added an installer script for the Open C/C++ plugins. Updated the bundled unshield source (fixing some 64 bit issues). Fix compilation of CSL GCC on newer linux distributions (newer versions of bison). Large updates to the elf2e32 replacement, fixing handling of some more uncommon combinations. Initial replacements for the elftran, gendirective, genstubs and getexports tools (needed for building armv5 binaries).
Version 1.13 (March 31, 2009) – Updated the S60 5.0 SDK scripts and patches to the 1.0 version of the SDK, recently released, some minor fixes.
Version 1.12 (January 22, 2009) – Fixed compilation with gcc 4.3, integrated a fix for ar in both EKA1 and EKA2 gcc (needed on e.g. Ubuntu 8.10), fixed building DLLs on the S60 3.2 SDK (thanks to Jean-Yves Baudy for pointing this out), assorted fixes for S60 5.0, fix building of the EKA1 gcc on x86_64/linux, initial support for compiling context-sensitive help (requires wine), other misc fixes
Version 1.11 (October 3, 2008) – Initial support for S60 5.0
Version 1.10 (September 4, 2008) – compilation fixes for g++ 4.3 (thanks to Mrinal Kalakrishnan and Jakob Kemi for sending patches!), some minor new features implemented in signsis
Version 1.09 (March 31, 2008) – adds support for S60 3.2, and has some minor bugfixes and new features for the included tools
Version 1.08 (February 27, 2008) – fixes a lot of issues on OS X Leopard. Seems to work fine on most Leopard machines, if you experience problems please let me know.
Version 1.07 (December 04, 2007) – fixes a regression in compiling the EKA1 gcc
Version 1.06 (November 26, 2007) – fixed a bug in elf2e32 which prevented it from working on S60 3.1, fixed some compilation problems on FreeBSD, added an initial patch for the S60 3.2 SDK beta (but no installer script yet, since I haven’t found a tool able to unpack the installer). Thanks to all who reported problems and helped solve them!
Version 1.05 (September 14, 2007) – a bugfix for signsis, deflate compression support for petran and elf2e32, build elf2e32 by default, an initial version of a svgt-binary encoder
Version 1.04 (September 2, 2007) – fixes for rcomp, petran and makesis for running on 64-bit linux, small bugfixes in mifconv and elf2e32, better error reporting in the new rcomp, completely new makesis for Symbian 9 SIS files, use unshield instead of i6comp.exe for extracting S60 SDKs
Version 1.03 (August 13, 2007) – support for UIQ 3.0 and 3.1, added most tools except gcc into the package, support for symbian 9 resources in rcomp, elf2e32 replacement, mifconv replacement, support for building the old GCC toolchain on OSX/intel
Version 1.02 (April 7, 2007) – calls external makefiles using wine, some more assorted bugfixes
Version 1.01 (March 5, 2007) – clarified the license, added instructions on doing a read-only installation of the SDKs, some other slight bugfixes
Version 1.0 (October 15, 2006) – initial release

Download the latest package above. First you’ll have to install a toolchain for the SDK you want to use. For S60 1st and 2nd ed, you need the EKA1 toolchain, for S60 3rd ed and UIQ 3, you need the EKA2 toolchain.
Installing the EKA1 toolchain

Refer to the tools/README file for more details on this process.

In addition to the GnuPoc archive, you need the source to the modified gcc release (local copy).

Unpack the GnuPoc archive, enter the tools directory, and compile gcc using the install_gcc_539 script:

tar -zxvf gnupoc-package-1.03.tar.gz
cd gnupoc-package-1.03
cd tools
./install_gcc_539 ../../gcc-539-2aeh-source.tar.bz2 ~/symbian-gcc

If you want to have a compiler for the THUMB target, build that with the isntall_gcc_539_thumb script similarly.

Then you can install the rest of the tools. These aren’t strictly necessary if wine is available, but recommended. (If omitted, the build scripts uses the exe versions in the SDK instead.)

./install_eka1_tools ~/symbian-gcc

Installing the EKA2 toolchain

Refer to the tools/README file for more details on this process.

In addition to the GnuPoc archive, you need CodeSourcery’s GCC. For Linux, you can choose to download the binaries, for other platforms you can compile it from source. (There’s also local copies of the Linux binaries and the source.)

To install the binaries, just unpack them (in your home directory):

mkdir csl-gcc
cd csl-gcc
tar -jxvf ../gnu-csl-arm-2005Q1C-arm-none-symbianelf-i686-pc-linux-gnu.tar.bz2

To compile it from source instead, unpack the GnuPoc archive and use the install_csl_gcc script:

tar -zxvf gnupoc-package-1.03.tar.gz
cd gnupoc-package-1.03
cd tools
./install_csl_gcc ../../gnu-csl-arm-2005Q1C-arm-none-symbianelf.src.tar.bz2 ~/csl-gcc

Then you can install the rest of the tools. These aren’t strictly necessary if wine is available. (If omitted, the build scripts uses the exe versions in the SDK instead.)

cd gnupoc-package-1.03
cd tools
./install_eka2_tools ~/csl-gcc

Note, this requires openssl libraries to be installed.
SDKs

Refer to the sdks/README file for more details on this process.

After downloading the GnuPoc package above, you still need to get the SDK you want to use from Forum Nokia. (The UIQ SDKs were available from http://developer.uiq.com earlier, but are no longer available.) The following versions are supported at the moment:
Version File name Install script Comments
S60 1st Edition, FP1, WINS nS60_sdk_v1_2.zip install_gnupoc_s60_12
S60 2nd Edition, WINS s60_sdk_v2_0.zip install_gnupoc_s60_20 Working emulator
S60 2nd Edition, FP1, WINS S60_SDK_2_1_NET.zip install_gnupoc_s60_21
S60 2nd Edition, FP1, CW S60_SDK_v21c_CW.zip install_gnupoc_s60_21_cw Working emulator
S60 2nd Edition, FP2, WINS s60_2nd_fp2_sdk_msb.zip install_gnupoc_s60_26 Working emulator
S60 2nd Edition, FP2, CW s60_2nd_fp2_sdk.zip install_gnupoc_s60_26_cw Working emulator
S60 2nd Edition, FP3 s60_2nd_sdk_fp3.zip install_gnupoc_s60_28
S60 3rd Edition, Maintenance Release S60-SDK-0616-3.0-mr.3.749.zip install_gnupoc_s60_30
S60 3rd Edition, FP 1 S60-SDK-200634-3.1-Cpp-f.1090b.zip install_gnupoc_s60_31
S60 3rd Edition, FP 2 S60-3.2-SDK-f.inc3.2130.zip install_gnupoc_s60_32
S60 5th Edition S60_5th_Edition_SDK_v1_0_en.zip install_gnupoc_s60_50
N97 SDK Nokia_N97_SDK_v1_0_en.zip install_gnupoc_s60_50
Symbian^3 Symbian_3_SDK_v0_9_en.zip install_gnupoc_symbian3
UIQ 3.0 UIQ3.0SDK.exe install_gnupoc_uiq_30
UIQ 3.1 UIQ3.1SDK.exe install_gnupoc_uiq_31

(Everything is tested using Wine 0.9.15 and remote X to X11.app on OS X, things might work better or worse on other setups.)

The installation script uses included prebuild binaries of p7zip and a specially patched version of unshield for linux/x86. If you can’t run these, see sdks/unshield/README and sdks/7z/README for instructions on compiling native versions of them.

Example on installing an SDK:

tar -zxvf gnupoc-package-1.03.tar.gz
cd gnupoc-package-1.03
cd sdks
./install_gnupoc_s60_26 ../../s60_2nd_fp2_sdk_msb.zip ~/symbian-sdks/s60_26

The install scripts makes almost all files lowercase and patches the build scripts. The exception to the lowercase rule is the GLES include directory and libGLES_CM.lib, for compatibility reasons.

In order to use the SDK, you’ll have to set the EPOCROOT environment variable to point to your SDK and add the toolchain directory and the epoc32/tools directory of the SDK to your PATH. This might be cumbersome if frequently switching between different SDKs. To ease that situation, you can install some wrapper scripts:

./install_wrapper ~/gnupoc

If you’ve installed the toolchains to other directories than mentioned here, edit ~/gnupoc/gnupoc-common.sh and set EKA1TOOLS and EKA2TOOLS to point to where you’ve installed them. With these wrappers, you only have to have this single directory in your PATH, and depending on the EPOCROOT variable, the correct toolchain is included and scripts from the current SDK are called.
Wine setup

If you’re going to use some tools through wine, you have to copy uidcrc.exe from the epoc32/tools directory in the SDK to a directory in the wine path, e.g. ~/.wine/drive_c/windows. By default, wine is only needed for using the windows compilers, but you might use it to run the original tools instead of the native replacements, if you have problems with the native ones.

If using external makefiles (as for building icons in 3rd edition) with wine, copy make.exe and mifconv.exe, too. make.exe probably can be used from any SDK version, but you’ll need mifconv.exe from the 3.0 SDK, since mifconv.exe in 3.1 has some problems starting within wine. Note, this is only needed if omitting the extra EKA2 tools above.

In order to build binaries for the emulator, you’ll need a windows compiler. Unfortunately, these have to be copied from a real installation. (Perhaps it’s possible to do the complete installation of them within wine?)

For the WINS compiler, I’ve used Visual C++ Toolkit 2003, set up according to this page. Just copy over the C:\Program Files\Microsoft Visual C++ Toolkit 2003 directory to e.g. ~/.wine/drive_c/msvcpp2003.

For the WINSCW compiler, you can install Carbide C++ from Forum Nokia. These instructions apply to Carbide C++ 1.0, for newer versions you might need to use slightly different paths. Copy C:\Program Files\Carbide\plugins\com.nokia.carbide.cpp.support_1.0.0 to e.g. ~/.wine/drive_c/codewarrior.

These have to be added to the wine path. Edit ~/.wine/user.reg, and add this after the WINE REGISTRY Version 2 line:

[Environment]
“Path”=”c:\\msvcpp2003\\bin;c:\\codewarrior\\Symbian_Tools\\Command_Line_Tools;c:\\windows;c:\\windows\\system”

(Of course, if you’ve already got a similar environment definition in that file, add it there instead.)

When using the CW compiler, you’ll also need to add these variables to your unix environment (the perl build scripts need them, adding them to the wine environment isn’t enough, and if set in the unix environment, they’re also automatically available in wine):

export MWCSym2Includes=”c:\\codewarrior\\symbian_support\\MSL\\MSL_C\\MSL_Common\\include;c:\\codewarrior\\symbian_support\\MSL\\MSL_C++\\MSL_Common\\include;c:\\codewarrior\\symbian_support\\MSL\\MSL_Extras\\MSL_Common\\include”
export MWSym2Libraries=”+c:\\codewarrior\\symbian_support”
export MWSym2LibraryFiles=”MSL_All_MSE_Symbian.lib;gdi32.lib;user32.lib;kernel32.lib”

Using it

After installing everything, you’re able to compile things in the same way as on windows.

In order to compile most projects, the usage of upper/lowercase for filenames must be cleaned up somewhat. The install scripts clean up the usage of lower/upper case in the bundled examples (by forcing them to lowercase), so the should all be buildable directly. (Or at least it tries to, it might not work reliably in stranger examples.)

To build the hello world example on a S60 3rd edition SDK, do the following:

export PATH=~/gnupoc:${PATH}
export EPOCROOT=~/symbian-sdks/s60_30/
cd ${EPOCROOT}/s60ex/helloworldbasic/group
bldmake bldfiles
abld build gcce urel
cd ../sis
makesis helloworldbasic_gcce.pkg helloworldbasic.sis

For 1st and 2nd edition, use the paths for those SDKs and build using abld build armi urel instead. The .pkg files for those examples are written for the THUMB target. Either update the .pkg file and replace all occurrances of thumb with armi or build them using abld build thumb urel (which requires that you built a thumb compiler).

On 3rd edition, all sis files must be signed before they can be installed. If you haven’t already got a key and certificate pair, generate them:

makekeys -cert -expdays 3650 -password mykey.key mycert.cer

This will prompt for information to enter into the certificate, and create a certificate valid for 10 years. (To create a certificate without a password, just leave out -password. The makekeys tool included in this package has a similar but not identical syntax compared to the makekeys tool in the real SDKs.) Then sign the sis file using this certificate:

signsis helloworldbasic.sis helloworldbasic.sisx mycert.cer mykey.key

The newly generated .sisx file can then be installed on a device.

The version of makesis for Symbian 9 included in this package is also able to sign the package directly when creating it, using a built-in certificate. To use this feature, just add the command line parameter -c.
Contact

// Martin Storsjö

>Mobile Phone Platform Researcher

>Veja o perfil deste profissional

Mobile Phone Platform Researcher
Job Description:

The mobile phone platform researcher will perform as a hands-on specialist in the identification, discovery, evaluation and in-depth analysis of security issues of the various mobile phone software platforms.
Primary Responsibilities:

Research and Analysis of mobile phone software.

Minimum Requirement:

Good knowledge of the Apple iOS, Windows Mobile, Symbian and/or Blackberry internals.
Experienced in developing and reverse engineering embedded applications for mobile devices.
Good understanding of Wireless Data Link Layer, including WLAN, Wi-Fi and WiMAX.
Good understanding of mobile network protocols, including GSM, 2.5G and 3G.

>Análise de Malware em Mobile

>Particulamente, sempre gostei de mobile, mas por um tempo dei um tempo neste segmento. Agora como hobby estou voltando a estudar sobre isso. No passo em 2004/2005 desevolvia para Palm (hoje comprado pela HP).

Tenho um mobile symbian, smartphone Nokia e63, qual vou fazer uns testes e postar aqui no blog.

Por enquanto estou instalando a plataforma e tambem vou postar o HowTo aqui.