Domain: fish.com
Stories and comments across the archive that link to fish.com.
Comments · 20
-
Re:This is bound to help the cause...
Nothing puts executives on edge like the word CHAOS in big, bold letters
:p
Reminds me of when I installed SATAN on my network; boy did I get some strange looks from my boss that day. -
Re:Hardening systems works!
First, Solaris 9 comes with 61 listening ports, as shown in the analysis here. I did the netstat on my VMware image of a completely virgin Solaris 9 system. I thought it was 60+ for TCP alone, but this is still over 10 times what Red Hat 9 was shipping with. Solaris 8 was worse, so Sun is improving.
Next, tnamed is still active on Solaris 9. From the same box:
# grep tnamed /etc/inetd.conf
name dgram udp wait root /usr/sbin/in.tnamed in.tnamed
Finally, as another poster pointed out, Sun's got a great tool in JASS, a vendor-supplied tool. And we all owe a debt to Titan, the first majorly popular Sun hardening program. YASSP is also out there for Sun.
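The inetd.conf check above, as an added example (not code from the poster, Sun, JASS or Titan): parse inetd.conf-format lines, list which services are actually enabled and which run as root, and emit a hardened copy with everything outside an allow-list commented out. The sample config is constructed for the example.

```python
from typing import List, Set, Tuple

# Constructed sample in inetd.conf format:
#   service socket_type proto flags user server_path args
SAMPLE_INETD_CONF = """\
# constructed inetd.conf for this example
ftp     stream  tcp  nowait  root    /usr/sbin/in.ftpd     in.ftpd
telnet  stream  tcp  nowait  root    /usr/sbin/in.telnetd  in.telnetd
name    dgram   udp  wait    root    /usr/sbin/in.tnamed   in.tnamed
#finger stream  tcp  nowait  nobody  /usr/sbin/in.fingerd  in.fingerd
"""

Entry = Tuple[str, str, str, str]  # (service, proto, user, server_path)


def enabled_services(conf: str) -> List[Entry]:
    """Return every entry inetd would actually start (blank/commented lines skipped)."""
    out: List[Entry] = []
    for line in conf.splitlines():
        s = line.strip()
        if not s or s.startswith("#"):
            continue
        f = s.split()
        if len(f) < 6:  # malformed line; inetd itself would reject it
            continue
        out.append((f[0], f[2], f[4], f[5]))
    return out


def root_services(conf: str) -> List[str]:
    """Names of enabled services whose handler runs as root (the riskiest set)."""
    return [svc for svc, _, user, _ in enabled_services(conf) if user == "root"]


def harden(conf: str, allow: Set[str]) -> str:
    """Comment out every enabled entry whose service is not in the allow-list."""
    lines = []
    for line in conf.splitlines():
        s = line.strip()
        if s and not s.startswith("#") and s.split()[0] not in allow:
            lines.append("#" + line)  # inetd ignores commented lines
        else:
            lines.append(line)
    return "\n".join(lines) + "\n"


if __name__ == "__main__":
    for entry in enabled_services(SAMPLE_INETD_CONF):
        print("enabled:", *entry)
    print(harden(SAMPLE_INETD_CONF, allow={"ftp"}))
```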
-
For the record...
The original SATAN was introduced by Dan Farmer back in 1995.
The article reminds me of the furor over the original SATAN being released. H.D. Moore, who wrote it, rightly points out that there are commercial tools that do it better, and it's known that the kiddies have copies of those. Why pick on the open-source tool? I think Rob is being a bit provocative." Despite the headline ("Security tool more harmful than helpful?"), the article is actually pretty balanced. -
Other Useful Utilities
-
Re:If I know something about batteries...
Won't this create cleaner air AND dumps filled with highly toxic battery-waste?
Lead-acid batteries are highly recyclable. (Though, like computers, because of poor regulation such batteries are often just dumped on third-world nations.)
-
Re:WHY TELL US YOU ARE ATHEIST???
"Satan is for real. I've witnessed it"
I've seen Satan too, and once upon a time it was the definitive tool in this class, but honestly, there are much better tools out there these days. Still, at least Satan is still slightly alive, which is more than can be said for god.
-
This is how i got started
I first read Improving the Security of Your Site by Breaking Into it by Dan Farmer (author of Satan). It is an old article, but a classic and got my interest going.
-
Re:Nagios
Nope. SATAN was a vulnerability probing tool that came out of SGI quite a while back. SAINT was based on it (at least in function, I don't know if the code was based on it). They have nothing to do with Nagios.
The previous version of Nagios was called Netsaint, but they changed the name to Nagios because of possible trademark problems with WebSAINT, which is a web based tool that uses SAINT.
From the notice at the bottom of netsaint.org: NetSaint is not affiliated with World Wide Digital Security, Inc. (WWDSI); Richard S. Carson and Associates, Inc; and the marks WEB SAINT, SAINT, SAINTWRITER, SAINTEXPRESS, and SAINTBASIC owned by Richard S. Carson and Associates, Inc.
And I may as well mention that Nagios/Netsaint is a really great tool and I highly recommend it. It won't, however, keep you up to date on "suspicious" activity - it's mostly for just making sure that your server and any services that run on it are going.
-
Re:Rule #1
But don't worry, security is a simple thing, and even someone that knows nothing of VMS can fake it in a few days.
Why does this make me believe that you are probably also faking your skills in Security?
I've been working in Network/System professionally for about 5 years now, and the one thing that I learn over and over, is that Security is by far the most demanding discipline in the IT world.
It's far from simple.
From your comments, it sounds like you could be replaced by a small collection of shell scripts.
Post your real name/company so nobody here has the misfortune of hiring you. -
The TCT
I can't believe no one's mentioned The Coroner's Toolkit. Written by Dan Farmer and Wietse Venema, those crazy kids that wrote SATAN, back in the day. It has all kinds of fun tools for poking around backstage on a *nix box, ostensibly forensics-related work after a machine compromise, but if you accidentally delete something important, you could pretend that someone else broke in and did it. =)
From the FAQ:
What the hell is it? The Coroner's Toolkit (TCT) is a collection of tools designed to assist in a forensic examination of a computer. It is primarily designed for Unix systems, but it can [do] some small amount of data collection & analysis from non-Unix disks/media.
Features: Notable TCT components are the grave-robber tool that captures information, the ils and mactime tools that display access patterns of files dead or alive, the unrm and lazarus tools that recover deleted files, and the findkey tool that recovers cryptographic keys from a running process or from files.
"Take this object, but beware! It carries a terrible curse!"
The advantage it has over some recovery options is that it's entirely post-mortem. If you just deleted the boss's laundry-list, you could go download it, build it, and stand a pretty decent chance of recovering your file.
The disadvantage is that, perhaps like a real autopsy, it's not for the faint of heart... -
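The mactime component mentioned in the FAQ excerpt builds a timeline of file modification, access and inode-change times. The following is an added example of that technique written for this page, not TCT's own code; the file records are constructed, with timestamps as epoch seconds.

```python
from dataclasses import dataclass
from datetime import datetime, timezone
from typing import Dict, Iterable, List, Tuple


@dataclass(frozen=True)
class FileRecord:
    """What grave-robber/ils would collect per inode (constructed here)."""
    path: str
    mtime: int  # last content modification
    atime: int  # last access
    ctime: int  # last inode (metadata) change


BASE = 1_000_000_000  # constructed reference point for the sample
SAMPLE_RECORDS = [
    FileRecord("/etc/passwd", mtime=BASE + 10, atime=BASE + 10, ctime=BASE + 10),
    FileRecord("/bin/login", mtime=BASE + 50, atime=BASE + 60, ctime=BASE + 50),
    FileRecord("/home/bob/.bashrc", mtime=BASE - 500, atime=BASE + 5, ctime=BASE - 500),
]


def mac_timeline(records: Iterable[FileRecord], since: int = 0) -> List[Tuple[int, str, str]]:
    """Return (timestamp, 'mac' flags, path) rows sorted by time, one row per
    distinct (timestamp, path); a '.' marks a time type that did not fire then."""
    events: Dict[Tuple[int, str], str] = {}
    for r in records:
        for ts, flag in ((r.mtime, "m"), (r.atime, "a"), (r.ctime, "c")):
            if ts < since:
                continue
            key = (ts, r.path)
            events[key] = events.get(key, "") + flag
    rows = []
    for (ts, path), flags in sorted(events.items()):
        mac = "".join(f if f in flags else "." for f in "mac")
        rows.append((ts, mac, path))
    return rows


def format_row(row: Tuple[int, str, str]) -> str:
    ts, mac, path = row
    when = datetime.fromtimestamp(ts, tz=timezone.utc).strftime("%Y-%m-%d %H:%M:%S")
    return f"{when} {mac} {path}"


if __name__ == "__main__":
    for row in mac_timeline(SAMPLE_RECORDS, since=BASE):
        print(format_row(row))
```

Reading the output the way a TCT user would: an "m.c" row with no later "a" means the content changed without the file being read since, and a burst of rows sharing one second is what mass changes by a script look like.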
You should also use Tools in-house
External audits are good because they bring in experts who focus on finding vulnerabilities in your network. These experts will come armed with a variety of vulnerability assessment tools to perform their audit. The only problem is that it will almost always happen less frequently than vulnerabilities are discovered, so this should only be 1 part of the overall solution.
You should adopt this practice internally, because if the tools are set up to check for vulnerabilities, you can be much more proactive about finding them than simply by scheduling consultants to come every few weeks, months, year. There are a variety of tools available, both freely and commercially.
A good tool will be updated frequently and check a lot of bugs, including the most critical (SANS Top 20, BugTraq, CERT).
Free Tools
SATAN -- Security Administrator Tool for Analyzing Networks
SAINT -- Security Administrator's Integrated Network Tool -- based on SATAN, GNU
SARA -- Security Auditor's Research Assistant -- similar to SATAN/SAINT check the Freshmeat page
NESSUS -- another free tool
Commercial Tools
ISS has a variety of tools available depending on your needs
NeXpose -- try the free demo, great ui, demo only lets you assess 1 IP at a time though :( Here is a review
A Networking Computing article on Vulnerability Assessment tools. Reviews many of the major vendors (so I won't list them all). Includes some of the free tools.
Here is another overview of security tools to get you started. -
Sun bitchings
Nice to see they didn't do a roundabout releasing the OS, however when I think of Solaris I don't think much of its x86 arch. Those who've used it would know it's an extremely intense OS not made for anything under about 192mb ram, and a nice processor. Its CDE under x86 is like watching the thickest cement being sucked through a straw. Slow and clunky.
On the Sun platforms it's great, but Sun really laid it on thick with enough Java to wake the dead. I like being able to jumpstart machines easily, and wish Dan Farmer and team would have kept their Titan program running over at Fish.com.
All in all it (Solaris) has its purposes, how much of that is on x86 is opinionated, and my opinion is, it shouldn't be -
TCT
Or, The Coroner's Toolkit written by Dan Farmer (Earthlink) and Wietse Venema (IBM) will show you not only files that were written but also those that were deleted after the installation and could even undelete them for you. Unfortunately, I don't think they have covered ReiserFS, but their kit works for many other filesystems, including ext2. Their kit was intended for post mortem examinations of compromised systems but should work in this case as well.
You can also type:
# find /etc -mmin -10
to see all the files that were changed in /etc in the last ten minutes. -
Re:Not just for local CGIs
For those afraid of the security issues associated with running CGI scripts locally -- this is a development tool only.
Does it have to be only for development? Assuming it can be done safely, imagine using local CGI scripts as an alternative to local shell scripts. This becomes particularly relevant for your casual users, especially as a means of establishing Linux as an OS for the computer novice. Imagine J. Random User being able to use Mozilla as their program launcher -- everyone and their mothers've already learned how to more or less use web browsers.
And using the web browser as an interface is certainly not a new idea. Even before IE sprung up (and the infamous "The web browser is part of the OS" statement along with it), we had software packages like SATAN doing this back in early '95. And if we look at the web browser abstractly, as a mechanism that allows files to be selected, retrieved, and viewed, its origins can be traced back to products like Norton Commander.
-
Re:Linux microkernel
It's Win2k kernel that has 30-40 million lines of code! That's jumbo! Read: http://www.fish.com/security/20-20-essay.html
And Linux kernel itself is around 2 - 2.5 million lines of code. -
Linux Eraser?
That article is interesting! It seems as if the best approach to data security if possible, is to carefully section off on a new hard drive with which to begin, a partition meant to be used only for encrypted data, then rigorously avoid ever writing plaintext onto that partition. (This probably would work fine as well for a "neutral" used hard drive, unless you managed to buy such a used hard drive on eBay from a child molester with extensive photographic and scanning facilities, or from an Iraqi nuclear-secrets spy with sloppy security habits).
Is there a good program (preferably open-source) available to do as much scrubbing as possible of a "tainted" hard drive or portion thereof, given the physical limits of a typical hard drive writing mechanism as described in the aforementioned article?
-
Definitely susceptible
Peter Gutmann wrote an outstanding paper on recovering data from various media, especially hard drives. Bottom line: once it's written, you can almost always get it back eventually.
His paper is http://www.fish.com/security/secure_del.html and is a good read.
Favorite fact: Freezing your RAM (like, -60 degrees C) makes the data easier to recover. Yeah, that's right, I said the RAM, not just the drives. Go read the paper.
:-) -
Secure deletion paper
The best paper I've seen is here. It's a bit old (1996), but has lots of useful info.
Briefly, the main problems are the "ghost" of the old data, track misalignment leaving part of the old data on the side of a track, and bad sectors which are marked off by the drive electronics. There are also issues with drives that promise to write the data to the store immediately, but in fact just cache it.
The only thing you can do is overwrite with random data several times in the hope that this will be enough.
Paul.
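The overwrite approach Paul describes above, as an added example (not code from the paper or the post): overwrite the file in place with fresh random data for several passes, forcing each pass out of the OS cache with fsync so it is at least handed to the drive, then unlink. The demo file and its contents are constructed.

```python
import os
import tempfile


def overwrite_and_unlink(path: str, passes: int = 3, chunk: int = 64 * 1024) -> int:
    """Overwrite the file's bytes in place `passes` times with random data, fsync
    after each pass, then unlink. Returns total bytes written."""
    if passes < 1:
        raise ValueError("passes must be >= 1")
    size = os.path.getsize(path)
    written = 0
    # Open without truncating so the same inode and (on a plain filesystem)
    # the same blocks are reused; truncating would allocate new blocks and
    # leave the old ones untouched.
    fd = os.open(path, os.O_WRONLY)
    try:
        for _ in range(passes):
            os.lseek(fd, 0, os.SEEK_SET)
            remaining = size
            while remaining > 0:
                buf = os.urandom(min(chunk, remaining))
                off = 0
                while off < len(buf):  # os.write may write fewer bytes than asked
                    off += os.write(fd, buf[off:])
                remaining -= len(buf)
                written += len(buf)
            # Without fsync a pass can sit in the page cache and be coalesced
            # with the next one, so only the last pattern ever reaches the disk.
            os.fsync(fd)
    finally:
        os.close(fd)
    os.unlink(path)
    return written


def demo() -> dict:
    """Write a constructed plaintext to a temp file, scrub it, report the result."""
    plaintext = b"boss's laundry list\n" * 1000
    fd, path = tempfile.mkstemp()
    with os.fdopen(fd, "wb") as f:
        f.write(plaintext)
    written = overwrite_and_unlink(path, passes=3)
    return {"size": len(plaintext), "bytes_written": written,
            "still_exists": os.path.exists(path)}


if __name__ == "__main__":
    print(demo())
```

This only addresses the page's in-place-overwrite case: journaling or copy-on-write filesystems, drive write caches that lie about completion, and flash media that remap sectors can all keep copies the overwrite never touches.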
-
securified
If administrators kept on point checking out advisories as well as following forums such as securityfocus, etc., this wouldn't be a problem.
When someone has to go as far as detailing a document on recovering a cracked box you have to stop and wonder about the level of security this person knows about since their machine was "rooted" in the first place.
Sure you could moan and bitch about script kiddiots/crackers/e-vandals but a secure box isn't as far fetched as a clean install of OpenBSD or even running Titan on your clean install of Solaris.
Sorry to say but slackness is to blame when dealing with situations like this. Never... Wait no... NEVER have I had to worry about recovering a "cracked" box since it'd been secure from the get.
Someone root me so I can have fun creating my own docs...
sil@deficiency.org www.deficiency.org
sil@antioffline.com www.antioffline.com