Judging by the contents of the emails I receive on a daily basis, I can fairly safely say that the world is full of people who don’t bother to look for technical vulnerabilities to hack my computer, but simply try to trick me into compromising my personal files or banking information for their own financial gain. It’s clearly beyond my reach to personally stop those naughty tricksters, but there is at least one element that can be used to filter out those attempts – one of their favorite attack vectors: email.
Scanning for malicious activity in email is essentially a lost battle, as attackers have the initiative: for the sake of communication, unknown threats are more often than not passed on as valid applications when they’re not. Those types of attacks – directed at the person reading the email – are generally referred to as phishing attacks. What makes them special is that they depend on social engineering rather than malware at the first stage of the attack. Filtering out that rubble from your daily email can be tiresome, just like unsolicited commercial bulk email, or spam. As it turns out, filtering phishing can be done in more or less the same way as filtering spam – when using a properly trained spam filter. This post is the first part about setting up a spam filter on a multi-user email server and will focus on training a spam filter. In the next part I’ll discuss how to use this to create a server that can receive email from the vast majority of email servers around the globe.
Anyone who has ever tried to install a modem or configure an Internet connection has almost certainly wondered whether there is any traffic flowing back and forth to networks. Observing network traffic that is generated by a PC or Mac is pretty easy with Wireshark. When doing so, you’ll not only see traffic caused by the operating system, but also from any program running on it, which is probably the result of your personal preferences or interaction with them, such as an email client checking for new messages, or instant messaging sending keep-alive requests to a server. Separating host from human, from within a single PC environment, requires some preparation, but is still fairly easy using a virtual machine. The following post will go quite deep into the internals of IP networks, examining network traffic with tcpdump/Wireshark from within a virtual machine, a guest OS, and make both guest and host almost invisible to the network.
After having generated pre-shared secret keys for IPsec VPNs, as recommended by the NSA, I wondered how “secure” the keys themselves actually were. The NSA specifically mentions the use of “large, high entropy, pre-shared keys”. Quite some time ago I wrote two posts about passwords, passphrases and a very crude and naive, home-brewed, exhaustive search algorithm, a.k.a. brute force tool. Now, digging a little further, but this time more into the topic of password strength, I came across appendix A of NIST SP-800-63-2. From my earlier searches I remembered this page, which lines up nicely with SP-800-63 appendix A.1, and the math behind it is not that difficult (yay!) As it turns out, all of this is pretty much on Wikipedia’s page on password strength, but this post is my 2 cents on this subject, including an offline random key generator that runs in your web browser. To calculate the strength of a password as ‘entropy’, all that is needed is:
While it is true that a firewall today still is an important piece of networking equipment to logically separate different networks, its functionality has shifted over the years from plain network filtering to application level protocol inspection and intrusion prevention, and then some. As such it is a valuable asset that should be part of a broader security architecture, which is not often the case. It is quite common that time and budgets for IT security are limited, which is quite logical if you’re not running an IT security business but only try to do business securely. And placing a firewall at an entry point in the network seems sufficient at first glance. As the (in)famous old saying goes: “Security is like , a little is better than none at all”. There is one big risk that I’d like to point out that should be quite obvious, but a lot of people still seem to be missing this: if a single-barrier defense mechanism fails to detect a security threat, it will not be able to prevent it. That, plus at least 5 other disadvantages.
Today, access to the internet is practically everywhere. Private communication across it is often taken for granted. There is an entire industry around secure communication, and a lot of the equipment used for securing network boundaries, VPNs specifically, relies on the IPsec protocol to keep data transmissions across an unclassified computer network secure. VPN equipment in general comes in a wide variety of different shapes and sizes, and not all of it speaks the IPsec protocol, but a lot of it does. IPsec is an open standard published by the IETF in RFC6071. The funny thing with IPsec is that IPsec connections often only work well if there is an (almost) identical twin in terms of equipment and firmware at the other end of the line. With some exceptions, of course. But shouldn’t this be the other way around – that is: working always, with some exotic exceptions – especially because it’s an open standard? I’ll bet that any network equipment vendor has at least one IPsec capable device to offer, but none of them seem to bother if, or how, they work with other similar equipment from a competitor. This post is about life with IPsec on Linux and how this led to an IPsec configuration generator.
OpenSSL is a tool that can be used to set up a (simple) PKI, but in its most basic form it is a command line tool with an endless number of options. I find myself searching for the correct OpenSSL syntax to create a new CA, sign a CSR, etc. over and over again. It is very likely that there are quite a few other solutions that are easier to work with, but OpenSSL is on practically every Linux/BSD box. Since I’ve done this with OpenSSL probably a dozen times in the last 8 years or so, it was obvious in retrospect: it is simply too complex to memorize, especially if you’re not in the business of setting up and managing an OpenSSL PKI on a daily basis. This post is here primarily as a reminder and will probably not add anything to existing documents, as there are plenty around, some as early as the beginning of this century(!) This here is for me 😉 But if you’re curious to see how to create a CA and digital certificates for your website, mail server or VPN and don’t want to rely on stock defaults that may have been installed for you, then you may want to read on. I’ll be using Elliptic Curve and SHA512 instead of RSA and SHA1.
“Did you get my email?” If you have ever asked this question of anyone, then this post might interest you. I had my doubts about sharing this, since the trick described here does invade the privacy of the recipient somewhat, but spammers have been using it ever since HTML email became possible, almost two decades ago, if I recall correctly. Security awareness is important, so why not expose an old trick.
If you’re running a mail server on the Internet, you will surely be familiar with spam and malicious email. This post is the last part on how to identify and isolate malware in email while respecting your users’ email privacy. Since identification and isolation of suspected malware was partly discussed in part I, this part will deal with how to extract suspected malicious binaries from attachments, create ClamAV signatures, use VirusTotal from the command line and sort suspected malicious emails in a quarantine directory.
Phishing, Trojans, Worms and other malicious activity in email. This series of posts makes a quite lengthy write-up on how to use Unix shell script and Perl to dissect large amounts of email all at once without disrespecting email privacy, and to verify suspected malicious results with VirusTotal using the API and LWP::Useragent. This first part will cover how to get all suspicious emails from a mail server and strip out all the attachments.
Storing files overseas or “in the cloud” has become somewhat of an issue lately with the spying activities of various nations. I think we’ve just seen the tip of the iceberg, but at the same time I hope I’m wrong. In any case, cheap cloud storage is just too good to give up because of unethical practices by governments. And although I think I don’t have much to hide, I’d like to keep my files private and only share them when I decide it is appropriate to share any of them. That should be part of basic human rights and therefore non-negotiable, but apparently some governments think and act otherwise. I’m sure a lot of people are wondering how to protect their data, and so am I. This post is about basic file encryption.