Unattended updates in Ubuntu Linux

A key measure to keep our IT boxes in a healthy state is to regularly update the operating system and applications. This simple measure could save us from the "low-hanging hacks". Let's take this statement and link it with the fact that automation in IT is worth considering. The following lines provide some tips on how to automate the software upgrade process that would otherwise require typical manual steps such as these:

- For a complete update:
$ sudo apt-get update
$ sudo apt-get upgrade

- For a specific update
$ sudo apt-get install package-names

There is a nifty package in Ubuntu Linux called unattended-upgrades that would do the magic for us, as mentioned in this Ubuntu Help page. The command line I would highlight from that page is:


$ sudo dpkg-reconfigure -plow unattended-upgrades

The AskUbuntu community also provides juicy input for this. In this case, I highlight the following steps I extracted from the AskUbuntu page:

- Uncomment the Ubuntu packages to be installed silently, mainly security patches and updates. This is also the place to prevent any package from being silently upgraded by using the Package-Blacklist section:

$ sudo gedit /etc/apt/apt.conf.d/50unattended-upgrades

- The command line to check whether things are OK is this one (a dry run with debug output):

$ sudo unattended-upgrades --dry-run --debug

- The line to check whether the upgrades are really taking place:

$ tail /var/log/unattended-upgrades/unattended-upgrades.log

Finally, for those using Google Chrome, it can also be included in this silent process with the info provided by this AskUbuntu page:

$ sudo gedit /etc/apt/apt.conf.d/50unattended-upgrades

and adding

 "Google\, Inc.:stable";

in the Unattended-Upgrade::Allowed-Origins section of the /etc/apt/apt.conf.d/50unattended-upgrades file.
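As an added example (not code from the original post or from the unattended-upgrades project), the script below builds a constructed sample of the 50unattended-upgrades fragment discussed above, audits it for the settings that matter (the security origin uncommented, the Chrome origin added, a Package-Blacklist entry) and counts the runs in a constructed log that actually upgraded something. The package name, log lines and dates are made up for the example.

```shell
#!/bin/sh
# Added example: audit an apt.conf fragment in the format of
# /etc/apt/apt.conf.d/50unattended-upgrades and a log in the format of
# /var/log/unattended-upgrades/unattended-upgrades.log. Sample data is constructed.
set -eu

# Write a constructed sample of the apt.conf fragment to $1.
write_sample_conf() {
    cat > "$1" <<'EOF'
// Constructed sample; the real file is /etc/apt/apt.conf.d/50unattended-upgrades
Unattended-Upgrade::Allowed-Origins {
        "${distro_id}:${distro_codename}-security";
//      "${distro_id}:${distro_codename}-updates";
        "Google\, Inc.:stable";
};
Unattended-Upgrade::Package-Blacklist {
        "linux-image-generic";
};
EOF
}

# Print the uncommented entries of the apt.conf list block named $2 in file $1.
block_entries() {
    sed -n "/^$2 {/,/^};/p" "$1" \
        | grep -v '^[[:space:]]*//' \
        | grep -o '"[^"]*"' | tr -d '"' || true
}

# 0 if at least one uncommented origin ending in -security is allowed in $1.
security_origin_allowed() {
    block_entries "$1" 'Unattended-Upgrade::Allowed-Origins' | grep -q -- '-security$'
}

# 0 if origin $2 (e.g. 'Google\, Inc.:stable') is allowed in file $1.
origin_allowed() {
    block_entries "$1" 'Unattended-Upgrade::Allowed-Origins' | grep -qxF -- "$2"
}

# 0 if package $2 is excluded from silent upgrades in file $1.
package_blacklisted() {
    block_entries "$1" 'Unattended-Upgrade::Package-Blacklist' | grep -qxF -- "$2"
}

# Write a constructed sample log to $1 (two runs, only the first upgraded anything).
write_sample_log() {
    cat > "$1" <<'EOF'
2013-08-01 06:30:01,112 INFO Initial blacklisted packages: linux-image-generic
2013-08-01 06:30:01,113 INFO Starting unattended upgrades script
2013-08-01 06:30:01,114 INFO Allowed origins are: ['o=Ubuntu,a=precise-security']
2013-08-01 06:30:09,801 INFO Packages that will be upgraded: openssl libssl1.0.0
2013-08-02 06:30:02,004 INFO Starting unattended upgrades script
2013-08-02 06:30:07,555 INFO No packages found that can be upgraded unattended
EOF
}

# Print how many runs in log $1 actually upgraded packages.
upgrade_runs() {
    grep -c 'Packages that will be upgraded' "$1" || true
}

main() {
    dir=$(mktemp -d)
    conf="$dir/50unattended-upgrades"; log="$dir/unattended-upgrades.log"
    write_sample_conf "$conf"
    write_sample_log "$log"
    security_origin_allowed "$conf" && echo "security origin: allowed"
    origin_allowed "$conf" 'Google\, Inc.:stable' && echo "chrome origin: allowed"
    package_blacklisted "$conf" linux-image-generic && echo "kernel image: blacklisted"
    echo "runs that upgraded packages: $(upgrade_runs "$log")"
    rm -rf "$dir"
}
main
```

Point the functions at the real files to check a live box; only the sample writers need the temporary directory.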


Unrelated to Ubuntu, the way to silently update Java in Windows 7 using PowerShell and Visual Basic is explained in this Superuser page. The security catch with this one is that the Task Scheduler would need to store the admin password in order to run the silent update.



Good to keep the house updated!


 Happy silent updating!

Security site to bookmark: www.reddit.com/r/netsec - The IT Security global bulletin board on the Internet

Wikipedia reminds us that the Agora was a meeting place, an open space, the centre of commerce, culture and political life in Ancient Greece. The section of reddit.com devoted to information technology security, located at reddit.com/r/netsec, is the agora of our security community and profession: the place to visit to stay on top of the security news, both politically correct and incorrect.
 

Since its foundation in 2005, reddit has become the global Internet bulletin board, especially for US-based users, living up to the role that the "Bulletin Board Systems" (BBS) played in past decades. As an example of the relevance and currency of reddit netsec articles, on the same day that Cisco announced the purchase of Sourcefire, July 23, 2013, a user on reddit (they are called "redditors") shared the piece of news in reddit.com/r/netsec. Reading the comments posted by users after reading the news gives a hint of the all-important "market sentiment". It is comparable to following a related "hashtag" on Twitter.

This network security section in reddit links to related subsections. For example, the social engineering, computer forensics or reverse engineering pages are valuable. The popularity of this site makes it an optimal site to witness and to participate in fruitful conversations between Information Security professionals (itsecuriteers) on technical, organizational and business-related topics. Anyone asking questions can receive interesting and alternative answers. Noteworthy is the link to a jobs site. While most positions are based in the U.S., there is a growing number of postings for positions in Europe and to work remotely.

Finally, there is also a place for those who are starting in this field: the academic discussion forum (e.g. the "2013 Q3 Academic Program Thread"). There, students post their evaluations of security degrees and training courses.
A wise piece of general advice given by reddit.com to those who want to post news or comments is to avoid creating unnecessary conflict: something that we can also apply to almost any aspect of our lives.


Sometimes there is no room to manoeuvre

You can also read this entry in Spanish here.

Happy redditing!

Book Review: Ninja Hacking by Thomas Wilhelm and Jason Andreas

Every now and then I share with the readers my views on a specific security-related book. This time the title I scanned through is "Ninja Hacking: Unconventional Penetration Testing Tactics and Techniques". In a nutshell, this is a book for those who would like to get introduced to the world of security and insecurity, especially those who also enjoy martial arts. However, this book is not specifically aimed at technical IT security professionals. Here is a biased and telegraphic view:

chapter 1
It starts with the disclaimer that this is not a usual pen testing book. It includes a reference to ancient feudal Japanese tradition: ninjas and samurais, the documented and the undocumented side of war and military strategy. It mentions how the public image of ninjas was negative. Stealthy reconnaissance was a ninja technique. The authors establish a parallel between ninja codes and weapons and unusual pen testing.

chapter 2
This chapter links pen testing with Ninjitsu. They mention arts such as espionage and unconventional warfare. The authors propose that while white hats use methodologies to perform pen tests, ninjas take alternative paths. Important detail: ninjas move undetected.

The difference between white hat and black hat hacking is the system owner's permission. The description of grey hat hackers in this book is somewhat confusing: they use illegal attack methods without breaking the spirit of the law?

All in all, 17 chapters for those readers willing to get an initial flavour of what insecurity means today. A light appetizer for a non-technical audience before embarking on more robust references.

Ninja "security" turtles?

A new lecture by Robin Dreeke on Social Engineering - Earning trust

In February 2013, the Social-Engineer.org crew again interviewed the behaviour and rapport-building expert Robin Dreeke. The podcast can be found here.

Robin Dreeke shared in this interview some input coming from a new book related to trust and empowerment. Here is a very personal selection of some of the points he mentioned:

Empathy foundations

- The three key questions to ask in an input-gathering conversation are how, what and why.
- Dopamine goes to our pleasure centers - our brain rewards us then.
- Getting our interlocutor to get their brain rewarded by you talking to them should be our goal.
- It is important to understand context. How can we adapt ourselves to understand their way of being?

The tribe

- We need to understand the tribe mentality.
- When we are part of a tribe, it means survivability.
- Our ancestors had the need to belong to a tribe.
- Our brain rewards us when we feel part of a tribe.
- We could use DISC to identify communication styles.
- How do we do it quickly?

Make it all about them from the psychological viewpoint

- We should not memorise anything we are planning to say.
- Proposal: Use sympathy and an artificial time constraint.
- We can practise sympathy e.g. help me find a Valentine’s day gift for my partner.
- Our conversation would identify direct individuals (people-oriented persons).
- If they get us to do most of the talking, then they are passive.
- Just by analysing the way they dress they will tell us whether our interlocutor is people-oriented or indirect, task-oriented or analytical.

Demographics and culture

- One very simple technique - the easiest listening technique is have nothing to say - shut up!
- Key point: We want to validate them, we need to be focused on what they say, so shut up!
- The second we need to say something, we need to discard it!
- Example of input-gathering sentence: “I had a similar experience, tell me about yours”.
- If necessary, we can give a little bit of info but let's remember it’s about them.
- People are constantly testing how much we will accept them, if we accept them, they will tell us a little bit more about them.
- We need to become that person that will accept them unconditionally.
- We need to control our non-verbals so that we don’t reveal that we are judging them.
- It is almost as if we turn the conversation into a science experiment about people.
- One step further would be how did they decide to dress that way?
- Our focus will influence our approach; we want to know why that person made some decisions.

Curious people

- What do we do with people who keep on asking questions?
- This is a validation coming to us.
- We could bounce it back and be conscious of the information we are giving away.
- If it keeps coming back to us, we'd better cut the engagement.
- Internet-based social networks: people are constantly seeking validation; that is why people have thousands of friends, e.g. on Facebook.

Job interviews

- In a job interview, we'd better put in context how we can help them and their company.
- Currently, given labour market limitations, we could go back to a time constraint, e.g. "let's run a contract of three months and you test me".
- Become fascinated about people.
- No one will hire us because of us but because of the benefits we can bring to them.
- Feel the emotion behind what you are saying.
- Positive psychology - be happy with what you are doing now.



Getting closer to the empathy palace

Happy empowering 2014!

How Things Gain from Disorder: Nassim Taleb - Applicable to Infosec?

The Entrepreneurial Thought Leaders lecture series from Stanford University's Entrepreneurship Corner is always a must-visit place for those 'eternal learners' who follow these posts or these tweets.

On this occasion I highlight some thoughts extracted from a lecture that Nassim Taleb gave (@nntaleb at @edcorner) on part of the content of his book Antifragile: Things that gain from disorder. Are those thoughts applicable to our Information Security world? Let's see.

As always, a modest disclaimer: These lines by no means replace the reading of this interesting book (or, at least, the watching of the lecture at Stanford).

- The aim will be to look in our activities for a convex function of luck (and not for a concave one). This way, by producing small changes in our activities, we could be aiming at getting greater results. In other words, look for something in which if you lose, you lose small but, if you earn, you win a lot. Look for anti-fragility.

I would consider a proactive defence approach in IT Security an anti-fragile field. A series of small preventive and detective information security improvements can bring superior benefits. However, the endless ways in which any of the current threat actors could attack us probably make for a fragile environment: a small mistake in defending against threats could lead to big losses.

- There are certain fields in our lives in which forecasts cannot be made on statistical probability (e.g. he mentions the financial world).

This statement hints at a view that complements the book I wrote titled "Secure IT Up! Cyber Insurance Due Diligence" with regard to cyber security: it cannot be completely managed based only on statistical calculations (a long collection of statistically rare cyber incidents can be a reality).

And now some adjacent wisdom pills also from the talk:

- The sponsor of an option should also have disincentives together with incentives so that, if the adventure fails, they also undergo a kind of failure.

- Be aware of those sponsors trying to hide (but not mitigate) risks from you.

This piece of advice on avoiding hiding risks is also applicable to Information Security.

- Respect and even promote the culture of subtracting (in opposition to the culture of adding): e.g. Mankind will be better off if some toxic elements are taken away (e.g. those who damage public health).

Avoiding complexity facilitates the work of the Information Security practitioner.

- Contrary to common academic views, hands-on practice leads to technology, and technology leads to science (and not the other way round, i.e. science leads to technology and technology leads to practice).

This last thought deserves some reflection wearing our Infosec hat. Would we improve Infosec at a faster pace if we allocated funds initially intended for governance to secure DevOps?


Happy anti-fragility!

Build your anti-fragile option

Avoid untrusted Wi-Fi APs. Creating a Wi-Fi Access Point in Ubuntu.

Is 3G too slow for what you need to do with your smartphone?
Don't you trust the Wi-Fi access points at your location?
However, you have a trusted Ubuntu Linux box with a somewhat trusted Ethernet (cable-based) connection to the Internet (and a Wi-Fi card)?

Then this is the summary of the steps you need to follow to be able to use the Ubuntu Linux box as a wireless Access Point.

The command lines to implement it are the following:

1. Installing hostapd:
# apt-get install hostapd
# nano /etc/hostapd/hostapd-minimal.conf
Dan Bishop's post provides an example hostapd config file.

2. Installing bridge-utils:
# apt-get install bridge-utils
Dan Bishop's post also provides an example config file.
Edit your /etc/network/interfaces config file according to Dan Bishop's reference. It will probably look similar to this:

auto lo
iface lo inet loopback
auto br0
iface br0 inet static
        address yourlanaddress
        netmask yourlannetmask
        network yourlannetwork.0
        broadcast yourbroadcast.255
        gateway yourlangateway
        bridge-ports eth0 wlan0


3. Disable the NetworkManager app by editing its config file and changing managed=true to managed=false:

#gedit /etc/NetworkManager/NetworkManager.conf
[ifupdown]
managed=false

4. Stop the NetworkManager service
#service network-manager stop

5. Re-start networking (although it is an outdated way):
# /etc/init.d/networking restart


6. Enabling Internet access from the bridging box:
# ip route add default via ipaddressofyourcablerouter
# dhclient br0
More info on this in the Ubuntu documentation.

If you would like to configure the way dhclient works, make the corresponding changes in the /etc/dhcp/dhclient.conf config file.


7. Start hostapd (-dd is the verbose switch), pointing it at the file created in step 1:
# hostapd -dd /etc/hostapd/hostapd-minimal.conf

Finally, if you need to revert back to the previous state:

Option 1 (the clear-cut one):
Retrieve the old /etc/network/interfaces config file and uninstall hostapd and bridge-utils.
# apt-get purge hostapd
# apt-get purge bridge-utils

Use purge if you would also like to delete the config files. Otherwise simply use apt-get remove.

These are the 2 references used to write this post:
- Dan Bishop's "using hostapd to add wireless access point capabilities in Ubuntu" covers hostapd.
- Ubuntu documentation on NetworkConnectionBridge covers the installation of bridge-utils and how to enable Internet on the bridging box.

This last reference from Ubuntu manpages on bridge-utils provides background information on bridge-utils.

Option 2 (keeping hostapd and bridge-utils):
Retrieve the old /etc/network/interfaces config file or comment out the lines related to the bridge (normally br0) and add (or uncomment) the loopback section (actually, the only one required in that file as you are going to resume using NetworkManager).
auto lo
iface lo inet loopback

The first two lines above are required so that NetworkManager starts at boot time (as mentioned here).

Then edit the NetworkManager config file back, changing managed=false to managed=true (it was set to false for hostapd and bridge-utils to work):
#gedit /etc/NetworkManager/NetworkManager.conf
[ifupdown]
managed=true

Finally, restart the network and the NetworkManager service (to avoid a reboot this time)

#/etc/init.d/networking restart
#service network-manager restart

... and double-check that /etc/rc.local is OK for this scenario in terms of services started or not started
(in this case, the little app bum, boot-up manager, could come in handy)

By the way, if you get the message "unable to resolve host: your host name", make sure that your host name appears in the files /etc/hostname and also in /etc/hosts.

Finally, if you would like to check that both machines, your computer and your mobile, are now part of the same lan, a very easy way to do it is:
#nmap -sP ip.address.of.your.lan.0/24
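As an added example (not code from the original post, nor from hostapd, bridge-utils or NetworkManager), the script below generates the three pieces of configuration that steps 2, 3 and 7 and the revert edit by hand: a WPA2-PSK hostapd file that refuses passphrases outside the 8..63 characters WPA-PSK allows, the br0 stanza of /etc/network/interfaces, and the managed= switch in the [ifupdown] section of NetworkManager.conf. It assumes wlan0 is the Wi-Fi card, eth0 the cable side, the nl80211 driver, and a hypothetical SSID and passphrase.

```shell
#!/bin/sh
# Added example: generate the hostapd, interfaces and NetworkManager settings
# used in the AP procedure above. Interface names, SSID, addresses and the
# sample NetworkManager.conf are assumptions for the example.
set -eu

# Print a minimal WPA2-PSK hostapd config for SSID $1 and passphrase $2.
# Returns 1 if the passphrase is outside the 8..63 characters WPA-PSK allows,
# instead of producing a file that hostapd would reject at start-up.
gen_hostapd_conf() {
    len=${#2}
    if [ "$len" -lt 8 ] || [ "$len" -gt 63 ]; then
        echo "passphrase must be 8..63 characters" >&2
        return 1
    fi
    cat <<EOF
interface=wlan0
bridge=br0
driver=nl80211
ssid=$1
hw_mode=g
channel=6
wpa=2
wpa_key_mgmt=WPA-PSK
rsn_pairwise=CCMP
wpa_passphrase=$2
EOF
}

# Print the /etc/network/interfaces stanza for address $1, netmask $2 and
# gateway $3 (bridge_ports is the option name bridge-utils documents).
gen_bridge_interfaces() {
    cat <<EOF
auto lo
iface lo inet loopback

auto br0
iface br0 inet static
        address $1
        netmask $2
        gateway $3
        bridge_ports eth0 wlan0
EOF
}

# Set managed=$2 (true|false) in the NetworkManager.conf at path $1:
# step 3 above uses false, the revert uses true. Rejects any other value.
set_nm_managed() {
    case "$2" in true|false) ;; *) echo "managed must be true|false" >&2; return 1;; esac
    sed "s/^managed=.*/managed=$2/" "$1" > "$1.tmp" && mv "$1.tmp" "$1"
}

# Print the current managed= value in file $1.
nm_managed() {
    sed -n 's/^managed=//p' "$1"
}

main() {
    dir=$(mktemp -d)
    gen_hostapd_conf "trusted-ap" "correct horse battery" > "$dir/hostapd-minimal.conf"
    gen_bridge_interfaces 192.168.1.10 255.255.255.0 192.168.1.1 > "$dir/interfaces"
    printf '[main]\nplugins=ifupdown,keyfile\n\n[ifupdown]\nmanaged=true\n' > "$dir/NetworkManager.conf"
    set_nm_managed "$dir/NetworkManager.conf" false
    echo "NetworkManager managed=$(nm_managed "$dir/NetworkManager.conf")"
    cat "$dir/hostapd-minimal.conf"
    rm -rf "$dir"
}
main
```

Redirect the generated files into /etc/hostapd/hostapd-minimal.conf and /etc/network/interfaces as root to apply them; the sample run only writes to a temporary directory.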

Happy browsing!


Surfing the sky!

Security site to bookmark: www.wtfuzz.com

The information security practitioners community in emerging countries is worth mentioning. The author of the blog that I recommend on this occasion, wtfuzz.com, is from India. His name is Rishi Narang. On twitter he defines himself as a consultant, author and researcher in cyber psychology and threat intelligence.

The first posts date from 2010. Since 2011, Rishi Narang has written about security at least six times a year. This no-frills blog is an example of the value of the Internet as a marketing and personal branding vehicle. In 2013 he published two articles with detailed and useful hands-on content about the (in)security of session cookies at well-known sites like Outlook, Google, Twitter, LinkedIn, Facebook and Yahoo. Both articles were accompanied by a video, a proof-of-concept script to "guess" those cookies and a table summarising the analysed cookies.

The three conclusions drawn from these two articles on cookie-based session maintenance are:

- Cookies need to expire on the server that sends them, at least when the session expires and, preferably, periodically.

- HTTPS should be preferred over HTTP as the transport protocol.

- These session cookies need to be generated in a truly random manner.

The popular security publication SC magazine reported the vulnerabilities that Rishi Narang found in those big Internet names and published a link to his blog. Surely he has received an invitation to share his analysis and contribute to improving the security of some of these companies' cookies or the proposal to join a web development security provider.

In short, wtfuzz.com is an excellent calling card for an inquisitive security professional.

Outside the typical IT security, in this blog you can find a non-technical article titled "It's you and me". It was published in October 2012. It talks about human emotions and differences between women and men. Perhaps this is why Rishi defines himself as a cyber psychology researcher?


Vulnerable tower... and cookies?
 

Happy cooking!

You can also read this entry in Spanish.

Linux commands hodgepodge (II)

Again this post is an unusual one: the second unusual one after the first one on Linux command lines. The reader will not find a series of paragraphs with a line of thought in them but rather a collection of command lines and related telegraphic recommendations for some aspects of the Linux universe (e.g. Ubuntu).

Happy command line experience!

- To install a Debian package via the command line
# dpkg -i package.deb

- To list the packages we have installed
dpkg -l

- To identify whether a package is installed
dpkg -l | grep packagename

- To get rid of configuration files from packages that are not installed anymore
dpkg --list |grep "^rc" | cut -d " " -f 3 | xargs sudo dpkg --purge

The legend of the dpkg --list output can be found here.

- To know which Ubuntu is installed
lsb_release -a

- To know which linux kernel is installed
uname -a


- To remove a debian package (leaving the configuration files)
#apt-get remove packagename

- To remove a debian package and the related configuration files
#apt-get purge packagename

- To find which files have been created or modified in the last 24 hours (below the current directory)
find -mtime 0


- To download a blogspot blog
wget -m http://securityandrisk.blogspot.fr

(you can also try with http://securityandrisk.blogspot.de/search?max-results=2000)

- To know the block status (soft/hard) of wireless interfaces
#rfkill list

- To unlock one of them
#rfkill unblock number

- To start the firestarter firewall
#/etc/init.d/firestarter start

- To dump all traffic seen by the network interface not sent to or by your box and not part of multicast or broadcast
#tcpdump -i eth0 net 192.168.x.0/24 and not host 192.168.x.a and not multicast and not broadcast

- To identify listening services (TCP and UDP ports with the owning process)
#netstat -tulpn

- A nice and easy way to identify the networks this box has been connected to
#grep -i NetworkManager /var/log/syslog

- To edit the scheduler in linux
crontab -e

- The basic way to use vi or vim:

To move around the text: h (left), j (down), k (up), l (right)
To replace the character under the cursor: r followed by the new character
To insert before or after the cursor: i / a
To open a new line below or above the current line: o / O
To delete a character: x
To undo the last command: u
To copy (yank) a line: yy
To paste a line after or before the cursor: p / P
To write and exit: :wq
To leave insert mode and return to command mode: ESC

When installing packages, you will typically find the config files under /etc (e.g. /etc/apt/apt.conf for apt) and the binaries in /usr/bin

- You need to define a network interface in Linux via a config file and not via NetworkManager? Then this is the location and syntax
edit /etc/network/interfaces
in the file
iface eth0 inet static
address 192.168.1.2
netmask 255.255.255.0
gateway 192.168.1.1

- You need to define DNS servers in Linux via a config file and not via NetworkManager? Then this is the location and syntax
/etc/resolv.conf
nameserver 8.8.8.8

- You need to declare the name of your host via a config file? Then this is the location and syntax
/etc/hosts
127.0.0.1 localhost

- You need to switch a network interface on/off in Linux via the command line and not via NetworkManager?
Then you can use ifup/ifdown or
sudo ifconfig eth0 down
sudo ifconfig eth0 up

- A quick way to become root?
sudo su -

- Need to get processes associated with a name
ps aux | grep name

- A non-elegant way to kill a process?
killall processname

- You need to get rid of the disturbing beep when typing
sudo modprobe -r pcspkr


Command lines enlighten us



Security site to bookmark: www.rationalsurvivability.com

Rationalsurvivability is Chris Hoff's personal blog. Chris is a renowned IT security architect, currently working for Juniper. Browsing his LinkedIn profile, you can read about the technical security and network management positions he has held in companies like Cisco, Unisys or Qualys. His career confirms the value of the suggestions he writes in rationalsurvivability.

Just the name of the blog, rationalsurvivability, hints at the strategic change in information security that the author suggests. In security, rather than trying to get close to the illusion of total, or "almost total", security, the survival of our organisations should be our mission. Innovate to survive. Using a term coined in psychology, the aim should be to improve the "resilience" of the business and therefore of its processes.

Chris's articles are not for beginners. Technology lovers who are passionate about security and are willing to challenge their views with alternative or controversial content will enjoy rationalsurvivability: An invitation to enhance the role of information security and its practitioners in organisations.

Since 2006, at least once a month, using a standard WordPress template, Chris has published ideas on strategic issues such as the lack of real innovation in current security solutions, creating added value through software security as a service, virtualisation and complex network management software, or the opportunity to improve security in organisations using cloud services.

An attractive point of his site is the variety of topics covered and the frequent link to his conversations on twitter: from a text about the differences between real and virtual firewall to a futuristic proposal on the use of social networks to interact with machines.

In one example of a controversial article, Chris reiterates the intrinsic value of the security professionals' community by comparing security integrators with the pet service industry: both devote too much energy to criticising, and not constructively, the industry that supports them.

Further evidence of the interest in this blog and the value of the ideas proposed are the comments left by names like Dan Kaminsky, Matt Joyce or Preston Wood.

Happy survival!

Let's help business to survive


You can also read this entry in Spanish.

Whatsapp via python. Open security questions

Whatsapp is an instant messaging application for smartphones. Its popularity increases daily. From the security viewpoint, a simple piece of advice would be to use it only to communicate content you would not mind anyone else knowing. Details about some of the security concerns can be read in the .org version of Wikipedia.

I focus on this app not to pick on its lack of security (mainly integrity and confidentiality) but rather to show the instrumental role that reverse engineering and black-box testing play in assessing the security of web-based and, now, smartphone-based applications such as Whatsapp.

Reverse engineering the Whatsapp app and studying the packets that the app exchanges with the server (black box testing) are two ways to be able to understand how the app works and its security features.

On a Python-enabled Ubuntu box, we download the Yowsup library, including the command line interface named yowsup-cli. As mentioned in reference [1], you need to construct a configuration file, preferably with a phone number and an IMEI code belonging to a mobile phone that, first, you own and, second, you have not used before for Whatsapp.

The command lines that reference [1] proposes are:
- Requesting a code
    ./yowsup-cli -c [yourconfigfile] --requestcode sms

- Registering with the received code

    ./yowsup-cli -c [yourconfigfile] --register thecodeyourreceivedinyourphone

- Modifying the config file with the received password as shown in
reference [1]

- And you are ready to send Whatsapp messages
    ./yowsup-cli -c [yourconfigfile] -s [destination phone number] “message”

Now some security related questions:

- The config file uses an IMEI code and a phone number. As long as someone has access to those two pieces of information, what prevents them from following these steps and sending messages?

- Why does instant messaging attract a myriad of users while secured or hardened systems are not so attractive?

- Would it be worthwhile to research the crossroads between user friendliness and information security? Certainly!
 
The sites I used as reference to build this post are:
[1]- Whatsapp in Linux with Python by Alejandro Pernin.
[2]- The python code by Tarek Galal hosted in github.
[3]- The command line interface page by Tarek Galal hosted in github.

Happy (in)secure messaging!

Photos also communicate