21 Jan 2013

Grey Hat Hacking & Stanford

 

Stanford University - Cryptography Course, Completed.
I could not be more satisfied with that being completed. It has taken a lot of my time, and I was almost about to lose it, but I got through it with a great result. I am awaiting my certification by Dan Boneh.

This book has inspired me, and I am hooked! Now I'm getting back on track where my motivation comes in, and I just swallow page by page.

I got inspired by some InfoSec guy, whom I have been following for some time. I decided to move on from Secrets and Lies to this one, since I did not find that book to be entirely in my interest! But I have to mention, sooner or later I will complete it :-) Just not ATM!

I find it most essential to study this e-book. The thing is, I'm starting at The Business Academy on the 24th of January 2013, 2nd semester in Computer Science, and I probably will not have that much time off to read, since there will most likely be a lot of challenges within the scope of 2013.

Mentally, I'm ready for the challenges and the unexpected, so I'll give it my 110%!

The website www.maxjensen.dk was recently updated with a brand new design, because I felt there needed to be a bit more structure to my postings and the information posted there. Apart from that, one.com, my hosting company, allows me to edit on a Mac, which I am glad for! With the other website I had, I had to go onto my Windows computer and modify everything.

I will be posting my opinion about the book when I have finished reading. Meanwhile I will sit back with a nice cup of coffee and enjoy reading this!

The place that inspired me to read this book is listed below!


Resource link: http://www.t3rm1t.blogspot.dk/

-----------------------

  • Authentication and authorization: The best applications ensure that authentication and authorization steps are complete and cannot be circumvented.

  • Mistrust of user input: Users should be treated as “hostile agents” as data is verified on the server side and strings are stripped of tags to prevent buffer overflows.

  • End-to-end session encryption: Entire sessions should be encrypted, not just portions of activity that contain sensitive information. In addition, secure applications should have short timeout periods that require users to re-authenticate after periods of inactivity.

  • Safe data handling: Secure applications will also ensure data is safe while the system is in an inactive state. For example, passwords should remain encrypted while being stored in databases and secure data segregation should be implemented. Improper implementation of cryptography components has commonly opened many doors for unauthorized access to sensitive data.

  • Eliminating misconfigurations, backdoors, and default settings: A common but insecure practice for many software vendors is to ship software with backdoors, utilities, and administrative features that help the receiving administrator learn and implement the product. The problem is that these enhancements usually contain serious security flaws. These items should always be disabled and require that the customer enable them, and all backdoors should be properly extracted from source code.

  • Security quality assurance: Security should be a core discipline when designing the product, during specification and development phases, and during testing phases. Vendors who create security quality assurance teams (SQA) to manage all security-related issues are practicing due diligence.

21 Dec 2012

R3verse - Linux Hardening guide v.1




▄▀ Linux Hardening distribution tutorial provided by ▄▀






Requirements:

[*] Linux distribution 64 bit or 32 bit.
[*] Knowledge of basic Linux commands!
[*] Knowledge of what happens behind the scenes when executing Linux commands
[*] Encryption knowledge



I would like to thank the following for motivating me to provide
this tutorial right here, and for showing why it's necessary!

In my opinion, you gotta treat shell access like it is physical access!

Before we start, I would like to give some credit around here.


Thanks to:


HAK5



There are several ways of hardening Linux distributions!
In this scenario, we will dive into Ubuntu, and I will walk through
my way of doing it in a Linux environment.

Okay, so let's dive right into it.
No more wasting time doing 1337 copy + paste of any source code!
Now I break down concepts, tools, and techniques for hackers, network gurus, and IT ninjas.
It's all about internal/local security on your Linux box! Off we go...

This thread will cover how to harden Linux, in my opinion:

[*] Encrypt files with GPG
[*] Chattr
[*] Encryption on harddrive partition
[*] Linux Distributions & scripts to hardening!
[*] Umask benefits!



GPG encryption folders & files


So basically, GPG & GPGdir are tools provided by default in most likely
any Linux distribution. You might want to work out your own way of encrypting
a file/directory. In this scenario, I'm going to show you the way I do it for hardening my own Linux environment.

Below you will see the output from my terminal.
It shows how gpg works when I entered a passphrase,
and I used cat to view the output.


Code:
root@r3verse-M11x:/test1# cat test2.txt
hello there
root@r3verse-M11x:/test1# gpg -c test2.txt
gpg: gpg-agent is not available in this session
root@r3verse-M11x:/test1# ls -l
total 8
-rw-r--r--. 1 root root 12 Apr 30 23:44 test2.txt
-rw-r--r--. 1 root root 60 Apr 30 23:45 test2.txt.gpg
root@r3verse-M11x:/test1# cat test2.txt.gpg
% ��
�+��Y�� ���-�y~�
����(Ԉ[�7�"����;,x8����root@r3verse-M11x:/test1#

Resources:

GPG - file encryption
http://www.cyberciti.biz/tips/linux-how-...sword.html

GPGdir - directory encryption
You might, want to study this on your own!
http://cipherdyne.org/gpgdir/download//
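
The terminal output above shows that `gpg -c` leaves the plaintext test2.txt next to test2.txt.gpg. The following is an added example, not part of the original tutorial: it encrypts, checks that the ciphertext decrypts back to the same bytes, and only then deletes the plaintext. The helper name `encrypt_and_verify` is hypothetical, and GnuPG 2.1 or later is assumed.

```shell
#!/bin/sh
# Added example, not from the original post. The passphrase is read from
# stdin and handed to gpg on fd 3, so it never appears in the process list.
encrypt_and_verify() (
    src="$1"
    pass="$(cat)"
    GNUPGHOME="$(mktemp -d)" || exit 1    # throwaway gpg home directory
    export GNUPGHOME
    run_gpg() {
        gpg --batch --yes --quiet --pinentry-mode loopback \
            --passphrase-fd 3 "$@" 3<<EOF
$pass
EOF
    }
    status=1
    # Same operation as "gpg -c", with the cipher named explicitly; the
    # decrypted stream is then compared byte for byte with the original.
    if run_gpg --symmetric --cipher-algo AES256 -o "$src.gpg" "$src" &&
       run_gpg --decrypt "$src.gpg" | cmp -s - "$src"; then
        # rm only unlinks the file; the blocks may remain on disk.
        rm -f -- "$src"
        status=0
    fi
    gpgconf --kill gpg-agent 2>/dev/null
    rm -rf "$GNUPGHOME"
    exit "$status"
)

# Demo on a constructed sample file and a constructed passphrase.
demo_dir="$(mktemp -d)"
printf 'hello there\n' > "$demo_dir/test2.txt"
printf '%s\n' 'constructed-demo-passphrase' | encrypt_and_verify "$demo_dir/test2.txt"
ls -l "$demo_dir"
rm -rf "$demo_dir"
```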



Chattr - user privileges attributes


Okay, we have now explained how GPG works, so let's dive into
chattr, which you might find a bit tricky.


As you can see in this scenario, we set our attribute on test2.txt;
afterwards we check which file has the immutable flag "i". Below you will find my output,
and which kind of access to the file I have.


Code:
root@r3verse-M11x:/test1# chattr +i test2.txt
root@r3verse-M11x:/test1# lsattr *
----i--e- test2.txt
root@r3verse-M11x:/test1# ls -l
total 4
-rw-r--r--. 1 root root 12 Apr 30 23:44 test2.txt
root@r3verse-M11x:/test1#

Even if you try to nano test2.txt
and try to modify this bit of code,
you WON'T
be able to.. even as root! ;-) Scary, huh?


Now imagine, how great is this security enhancement!?
Pretty good, right.

To remove the attribute, simply use the command below.
I just added a minus symbol instead of a plus.
You can now change permissions with chmod or remove the file with rm,
in the way you want!

Code:
root@r3verse-M11x:/test1# chattr -i test2.txt





Encryption on harddrive partition



We all know of Truecrypt, right... Well, this is ONE solution.
To point it out, we of course have several ways of doing disk encryption,
such as the How-To by David Braun.
The other ones, I have to credit to my own study. :)

Below you can find more info on it.
I won't dive into it, since I'm trying
to keep this tutorial small and smooth to understand n' follow, for you to enjoy!


[*] Truecrypt
http://www.truecrypt.org/downloads

[*] Bastille
http://www.bastille-unix.org/running_bastille_on.htm

[*] Hardened Linux distribution
http://hardenedlinux.sourceforge.net/?sub=doc

[*] EnGarde
http://www.engardelinux.org/


Umask benefits!


To start off, you might think: well, chmod is the way to
change the permissions of a file / directory. Right... well, you might not know this one yet then. :) We'll dive into it in a bit.


Definition of Umask:

A great tool provided to automate the permission assignments.
There is a standard umask, which sets the permissions for files and folders as they are created.
In an environment where it is 002, the files we focus on would be set with the permissions (rw-r--r--).
Folders will by default, using this command, be set to 775 (rwxr-xr-x).


We are focused on implementing security
in our own Linux environment, right?

Now, the best solution for YOU to implement with the umask command would be setting it to 0037.
This will give files the permissions 640 (rw-r-----), and folders will by default
have permissions 750 (rwxr-x---).

Below I show you how I create a file,
showing the permissions as root, and what I changed it to.
Now imagine, if you had several users, you could set them, like r3verse in my case,
to only have the minimal amount of permissions!


I have a basic rule. Don't ever make an attacker's job easy!
EVER!

My PoC here in this scenario:

Code:
root@r3verse-M11x:/test1# umask
0022
root@r3verse-M11x:/test1# umask 037
root@r3verse-M11x:/test1# umask
0037
root@r3verse-M11x:/test1# su r3verse
r3verse@r3verse-M11x:/test1$ touch test2.txt
touch: cannot touch `test2.txt': Permission denied
r3verse@r3verse-M11x:/test1$ ls
test2.txt
r3verse@r3verse-M11x:/test1$ ls .l
ls: cannot access .l: No such file or directory
r3verse@r3verse-M11x:/test1$ ls -l
total 4
-rw-r--. 1 root root 37 May  1 01:14 test2.txt
r3verse@r3verse-M11x:/test1$ umask
0002
r3verse@r3verse-M11x:/test1$
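
The modes that each umask value mentioned in this section produces can be measured directly instead of worked out by hand. This is an added example, not part of the original tutorial; the helper name `mode_under_umask` is hypothetical and `stat -c` assumes GNU coreutils.

```shell
#!/bin/sh
# Added example, not from the original post. Creates a probe file or
# directory under a given umask and prints the octal mode it received.
# The function body is a subshell, so the caller's own umask is untouched.
mode_under_umask() (
    mask="$1"     # umask to test, e.g. 022
    kind="$2"     # "file" or "dir"
    tmp="$(mktemp -d)" || exit 1
    umask "$mask"
    if [ "$kind" = dir ]; then
        mkdir "$tmp/probe"       # directories start from 777
    else
        : > "$tmp/probe"         # regular files start from 666
    fi
    stat -c '%a' "$tmp/probe"
    rm -rf "$tmp"
)

# Compare the values from this section (022, 002, 037) with 027.
for mask in 022 002 037 027; do
    printf 'umask %s -> file %s, dir %s\n' "$mask" \
        "$(mode_under_umask "$mask" file)" \
        "$(mode_under_umask "$mask" dir)"
done
```

On a standard Linux filesystem this reports 644/755 for 022, 664/775 for 002, 640/740 for 037 and 640/750 for 027, so 027 is the value that pairs 640 files with 750 directories. A umask set this way applies only to the current shell and the processes it starts, which is why the r3verse shell in the PoC reports its own value.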

If you have any questions, regarding this thread,
please feel free to post a comment! ;-)


19 Dec 2012

Stanford University - Cryptography Part 4!

Python Programming Week 4 Completed

BruteForcing

The programming assignment was fairly simple; it just needed a bit of SQL injection mixed into the programming work.

Below is the code I used to extract every byte of the hexadecimals from the website, in order to solve the assignment!



27 Nov 2012

Stanford University - Cryptography Part 1!

Dear readers!

Some time has passed since I last blogged,
as I have been under pressure because of my exam!

Along the way, the following has happened:

[+] Exam preparation for the 1st semester - the Computer Science (Datamatiker) programme.
[+] Stanford University - Cryptography

Course started:

✔ Stanford University - Cryptography

Achieved the following:

-  Programming assignment solved
-  Problem set 1 almost flawless!

However, it will be some time before I blog again,
as I have an exam deadline together with my group, which is the 7th.

After my exam project, I will blog again with updates from Stanford University, as I have more assignments to solve before I start the 2nd semester of the Computer Science programme.

That said, in the 2nd semester we will be introduced to something called "CAos",
which I am very much looking forward to! :)

Credits

^~^~^~^~^~^~^~^~^~^~^~^~^~^~^~^~^~^~^~^~^~

Thanks to my reference, Martin Dipo Zimmermann,
I got started just in time on this free course at Stanford University.
I would therefore like to thank you, Martin, in case you read this! ;-)



17 Nov 2012

Date: 17-11-12


Introduction

 

Hi!

I have started this blog so that along the way I can add notes and comments on my projects as they come up, such as in my studies or in my everyday life.

Mainly, when I begin taking more courses, there will also be updates about that.
In the meantime, if you are interested in IT security and need a little tip, visit my website.

Website: http://www.maxjensen.dk


Course started on 16-11-12:

✔ ISMS-ISO 27001 ( Information Security Management System ).

My goal with this certification is to be able to implement better solutions for companies in the future when it comes to IT security.


Feel free to follow me on LinkedIn :)
 
CLICK HERE https://www.linkedin.com/profile/view?id=172943201