A Unix/Linux Permissions Refresher
By Daniel Miessler on April 16th, 2007: Tagged as Linux | Security | Sysadmin | Unix
I’ve just posted my latest study piece. This one’s on Unix/Linux permissions.
[ Link: Unix/Linux Permissions ]
A collection of open source tools — all configured to work together. Very interesting concept. Here are a few that it has.
- Arpwatch, used for MAC anomaly detection.
- P0f, used for passive OS detection and OS change analysis.
- Pads, used for service anomaly detection.
- Nessus, used for vulnerability assessment and for cross correlation (IDS vs Security Scanner).
- Snort, the IDS, also used for cross correlation with Nessus.
- Spade, the statistical packet anomaly detection engine, used to gain knowledge about attacks without a signature.
- Tcptrack, used for session data information which can grant useful information for attack correlation.
- Ntop, which builds an impressive network information database from which we can get aberrant behaviour anomaly detection.
- Nagios. Being fed from the host asset database it monitors host and service availability information.
- Osiris, a great HIDS.
(thanks to Average Admins for the find)
Windows 2003 Workstation
By Daniel Miessler on February 27th, 2007: Tagged as Business | Security | Sysadmin | Vista | Windows | XP
You might be saying no such thing exists, but I beg to differ. I’ve dumped XP as a Windows platform. I now use it only when something specifically requires it (which isn’t often).
I prefer to use Windows Server 2003 as a workstation instead. Why? Mostly because of raw socket limitations. I hate the fact that security software is hit or miss on XP. I simply lack the time to worry about whether or not XP will gimp up a given security tool.
So I’ve just built my latest Windows VMware image (for Outlook, Word and Visio) using Server 2003. Office 2007, by the way, is awesome. I very much like the ribbon concept, as well as the other more subtle improvements. And Office 2007 runs great on Server 2003, so this is a good thing.
It’s become very clear to me that XP is an OS designed for the masses. Its edges have been rounded so that people don’t cut themselves, which is unfortunate since I was actually using them to get work done. Luckily for me there’s another Microsoft platform that runs Office, and until the next version of Server comes out this is what I’ll be running as my Windows “desktop”.
Linux: Don’t Type “Y” — Just Press Enter
By Daniel Miessler on February 22nd, 2007: Tagged as Geek | Linux | Sysadmin
When your package manager (apt, in this case) is prompting you regarding an install decision, like so:
Do you want to continue [Y/n]?
Just press enter. The “Y” being capitalized means it’s the default. :)
I think we all know this, but so many of us still type the “Y” out of habit. This is my attempt to free you from doing so.
Postfix, Courier-Imap, Mail.app, and Certificates
By Daniel Miessler on February 20th, 2007: Tagged as Courier | Email | Linux | Postfix | Sysadmin
I just finished getting Mail.app to recognize two separate SSL certs from my server — one for imap.dmiessler.com, and another for smtp.dmiessler.com. This was less than trivial (mostly due to my own stupidity).
What this means is that I can finally use real domain names in my certificates (self-signed) for two separate hostnames while avoiding the annoying prompts that OS X likes to throw when it senses tomfoolery.
Here are the steps:
- Create your Postfix certificates the way Wietse wants you to, using your SMTP hostname.
- Import both the CA cert and your actual Postfix certificate into OS X.
- For IMAP, edit your imapd.cnf file to reflect your IMAP hostname, etc.
- Run mkimapdcert.
- Import that certificate into OS X.
Now when you open Mail.app you should not get prompted to accept any certificates. The trick is that you need to import the CA’s cert on the Postfix side or it won’t work, but with Courier this is not required. It has something to do with the format of the certificates being different.
It’s on my list of things to research, but for now I’m just happy I got it working exactly as I want it.
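The certificate side of the procedure above, scripted with openssl as an added example (my code, not the post’s and not from the Postfix or Courier projects): a private CA, one server certificate for each of the post’s two hostnames (smtp.dmiessler.com and imap.dmiessler.com), and the check a mail client makes, that each certificate chains to the CA and names the host it was connected to. The CA name, key sizes, validity periods and the scratch directory are assumptions; the subjectAltName extension is an addition beyond the post, since current clients match the hostname against it rather than against the CN.

```shell
#!/bin/sh
# Added example: build a private CA and two server certificates with openssl, then
# verify each one the way a mail client would. Everything lands in a scratch directory.
set -eu

CA_DIR="${CA_DIR:-$(mktemp -d)}"          # assumption: scratch directory for keys and certs

make_ca() {
    # Self-signed CA certificate. This is the certificate imported into OS X so that
    # every server certificate signed by it is trusted without a prompt.
    openssl req -new -newkey rsa:2048 -nodes -keyout "$CA_DIR/ca.key" \
        -out "$CA_DIR/ca.csr" -subj "/CN=dmiessler.com private CA" >/dev/null 2>&1
    printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign,cRLSign\n' \
        > "$CA_DIR/ca.ext"
    openssl x509 -req -in "$CA_DIR/ca.csr" -signkey "$CA_DIR/ca.key" -days 3650 \
        -extfile "$CA_DIR/ca.ext" -out "$CA_DIR/ca.pem" >/dev/null 2>&1
}

make_server_cert() {
    # $1 = hostname. The CN carries the hostname as in the post; the subjectAltName
    # extension (not in the post) is what current clients actually match against.
    host="$1"
    openssl req -newkey rsa:2048 -nodes -keyout "$CA_DIR/$host.key" \
        -out "$CA_DIR/$host.csr" -subj "/CN=$host" >/dev/null 2>&1
    printf 'subjectAltName=DNS:%s\nextendedKeyUsage=serverAuth\n' "$host" \
        > "$CA_DIR/$host.ext"
    openssl x509 -req -in "$CA_DIR/$host.csr" -CA "$CA_DIR/ca.pem" -CAkey "$CA_DIR/ca.key" \
        -CAcreateserial -days 365 -extfile "$CA_DIR/$host.ext" \
        -out "$CA_DIR/$host.pem" >/dev/null 2>&1
}

check_cert() {
    # $1 = certificate file, $2 = hostname the client connected to. Succeeds only if
    # the certificate chains to our CA and lists that hostname, which is the pair of
    # checks that decides whether Mail.app stays quiet.
    cert="$1"; host="$2"
    openssl verify -CAfile "$CA_DIR/ca.pem" "$cert" >/dev/null 2>&1 || return 1
    openssl x509 -in "$cert" -noout -text | grep -qF "DNS:$host" || return 1
}

make_ca
for host in smtp.dmiessler.com imap.dmiessler.com; do
    make_server_cert "$host"
    check_cert "$CA_DIR/$host.pem" "$host" && echo "$host: chains to the CA and names its host"
done
# The SMTP certificate does not satisfy a client that connected to the IMAP name,
# which is why the post needed one certificate per hostname.
check_cert "$CA_DIR/smtp.dmiessler.com.pem" imap.dmiessler.com \
    || echo "smtp certificate rejected for imap.dmiessler.com, as expected"
```

The generated ca.pem is the file to import into the OS X keychain; the two host .pem/.key pairs go to Postfix and Courier respectively, and check_cert is worth re-running against whatever file each daemon actually serves.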
Security: Implementing A Secure And Usable Internet Password Scheme
By Daniel Miessler on February 13th, 2007: Tagged as Internet | Passwords | Privacy | Security | Sysadmin | Technology
Being an information security consultant I am often asked how to balance the need for online passwords that are both hard to guess and easy to remember. There are a number of solutions out there for dealing with the problem, but the system that I’m about to outline below is an elegant hybrid of simplicity and security. It works for me, and I think it can work for you as well.

The Problem
The main issue we’re all grappling with is the number and complexity of the passwords we need to remember. Ideally, we would never share a password between any two sites. They would all be different and at the same time highly complex. Unfortunately, this doesn’t mesh well with reality. The human brain just isn’t up to the task.
Simplification Through Classification
The way we get around this limitation is to classify our online accounts according to risk. In other words, we’re going to determine how important each of our accounts is, and then put them into one of three (3) groups. For the purposes of this article we’ll use the military classifications.
- Top Secret
- Secret
- Confidential
Next we’ll simply group your Internet account types into each of these categories:
- Top Secret: Banking, brokerages, and financially or identity-oriented sites. Think about your social security number and other sensitive personal data. Any accounts of this nature you want to protect with your strongest layer of security.
- Secret: Personal email, blogging sites, important forums, etc. These are your main accounts that you use on a day-to-day basis. They aren’t ultra-sensitive, but they’re a huge part of your life and need to be secure.
- Confidential: Product forums, mailing lists, etc. These are your low-risk accounts, meaning that if one were to be compromised it would be annoying but not a major problem. We’re still going to have relatively strong passwords here, but they’re going to be simple in comparison to the two higher levels.
Also keep in mind whether or not a site supports encrypted logins when assigning your accounts to these groups. Never put an account into the top two groups (Top Secret or Secret) if that site doesn’t support encryption. We don’t want someone possibly intercepting one of your upper-level passwords.
Designing Our Password Schemes
Ok, now that you have your accounts grouped properly it’s time to design our three password systems. We’ll start with the Top Secret:
Level 1 — Top Secret: For this level we’re going to use a combination of upper-case, lower-case, numbers, and special characters. We’re also going to make the password at least 12 characters in length. You will be writing these passwords down on a card in your wallet or purse, so it doesn’t matter if you can’t remember the password at first. After you use it a few times it’ll become second nature regardless of how complex it is. Try something like this:
5PF.c9a8>12!
It looks pretty scary, but you’d be surprised how easy it is to remember once you type it a few times over a number of days. The point is that it’s not going to be guessed, and it’s not going to be tied to another account. If you absolutely have to, you can use a sentence algorithm to build the password, like so:
My Online Bank Password Is Not Simple To Guess At All, Julie.
M0bP1n5tGAAJ.
One point on writing down passwords: Many people think this is a bad idea, but that fully depends on how you secure them once they’re written down. Sticky note on monitor? Bad. Wallet? Good. You have to balance the risk of strong passwords in your wallet vs. weak ones in your brain.
Regardless of the scheme you use to create your passwords, you want them to be a) pseudo-random/highly complex, b) over 10 characters in length, and c) absolutely unique. In short, we don’t want someone with your brokerage account password to be able to log into your bank with the same credentials.
Level 2 — Secret:
With the secret level accounts we’re going to introduce an aspect of simplicity/usability. We’ll do this by creating an algorithm for creating and varying passwords for various sites while still maintaining the appearance of randomness within each individual password.
In short, all level 2 (Secret) passwords will be generated by the same algorithm. As such, they’ll look very similar to you, but will look like random garbage when viewed independently by an outsider.
So let’s build your Level-2 (Secret) algorithm; we’ll use a Gmail account as a template:
[This is just a sample algorithm; you should make your own.]
- First two letters + last letter of the account. GML
- Add the three letters up and subtract your birthday. G (7) + M (13) + L (12) = 32 – 15 (if you’re born on the 15th) = 17 GML17
- Add the two numbers you made to create a third number. 17 = 1 + 7 = 8 GML178
- Add a word for length. Use character substitution for complexity if you want. GML178H0lid4y
- Add special characters. !GML178H0lid4y#
- Scramble as desired. !H0lid4y#GML178#
You now have a very solid password for your Gmail account. But it gets much better than that. You’re using the same algorithm for all your level 2 accounts. So do the same for your Hotmail account and you’ll end up with:
!H0lid4y#HOL358#
Level 3 — Confidential:
For our lowest security level (3) we’re going to use an algorithm similar to the secret level (2), only it’s going to be completely different and much simpler. Remember, these are your unimportant accounts; you wouldn’t want them to be compromised, of course, but if they were then it wouldn’t be that big of a deal.
Let’s make a level 3 algorithm for a site called cars.com:
- Last letter then first letter of the site (cars). SC
- A word to be used for all your low level accounts. Add a single character of number substitution (i to 1) SCPubl1c
- Use a special character. SCPubl1c$
- Scramble as desired. $Publ1cSC
Again, you now have a decent password that’s not easy to guess and will give a bit of difficulty if someone gets one and tries to guess others. Of course, if they get one of these level 3 passwords and try to break your Secret (2) or Top Secret (1) passwords, they’ll be unsuccessful.
Conclusion
Using this system can increase both security and usability when working with multiple accounts online. Here are a few additional guidelines about this technique and passwords in general:
- Vary your algorithm for level 2 and 3 accounts regularly (I recommend at least once a year)
- Memorize your algorithm and write down your passwords on a card in your wallet. Don’t write down the algorithm itself. Just seeing a password created with it should jar your memory.
- For an extra layer of security you can consider leaving out or modifying a crucial part of the passwords you write down. This way, even someone with the card will not be able to use it. Be warned that if you forget what you changed, however, you’ll be very upset.
- Change your level 1 passwords often as well. With the strength that we’re using in this article I’d advocate once every 6-months.
- Many also use what’s effectively a level 4 account, i.e. a throw-away password that is used for accounts even lower in importance than level 3. Usually this is a static password. Just be sure to be very selective about where you use such a password, and make it as complex and long as possible while retaining its benefit of simplicity.
- An encrypted database is another option for managing passwords. I advocate this method over that one due to issues with losing or damaging the portable storage that the DB is stored on, in addition to not being comfortable with using such a system on a foreign computer (where necessarily you open ALL of your passwords to the system being used). It’s really a matter of personal preference, however, as both systems have their strengths and weaknesses.
I hope this has been useful. For any questions or comments, please feel free to contact me directly.
DMIESSLER.COM Offerings
By Daniel Miessler on February 12th, 2007: Tagged as Blogging | Personal | Sysadmin
Just as a refresher, here are a few things you can get here at my site:
- A blog to read.
- Some primers and articles.
- A way to check your external IP address.
- Very accurate time (HTML).
- A solid time server (204.11.219.126 UDP 123).
- A solid DNS server (204.11.219.126 UDP 53).
- A friend.
New Server > Full Reddit Wrath
By Daniel Miessler on December 28th, 2006: Tagged as Geek | Linux | Sysadmin
So I made it to the front page of reddit today and my new server didn’t even blink. This brings me great joy.

Linux: Get Realtime Bandwidth Statistics Using Stock Commands
By Daniel Miessler on November 15th, 2006: Tagged as Linux | Sysadmin
Have you ever been in Linux and wanted to watch how much bandwidth was going in and out of your box? Most have, and here’s a very simple way to do it without a GUI or installing anything extra:
# watch -n1 "ifconfig eth0 | grep Mb"
RX bytes:105209490 (100.3 Mb) TX bytes:448524558 (427.7 Mb)
What you end up with is a counter of your current bandwidth usage that gets updated every second. It’s not sexy but it gives you a decent feel for how much action your NIC is seeing.
Just change your network interface in the ifconfig bit to the one you want and you’re all set. Oh, and if you’re using Debian or Ubuntu, you may want to try grepping for “MiB” instead of “Mb”.
Enjoy.
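A companion to the one-liner above, added here as an example (not from the post): it reads the same counters from /proc/net/dev with awk, samples them twice and prints a rate in KiB/s, so it depends neither on ifconfig being installed nor on whether it labels the figure “Mb” or “MiB”. The sample /proc/net/dev text is constructed (its eth0 byte counters are the ones in the post’s output) so the parser can be exercised without a live interface; the interface name and interval are parameters you pass.

```shell
#!/bin/sh
# Added example: the same per-second view the watch/ifconfig one-liner gives, built from
# /proc/net/dev instead, and printing a rate rather than a raw counter. Stock tools only
# (awk, sleep); nothing to install.
set -eu

# Constructed sample of /proc/net/dev, with the byte counters from the ifconfig output
# in the post, so the parser can be checked without a live interface.
SAMPLE_NETDEV='Inter-|   Receive                                                |  Transmit
 face |bytes    packets errs drop fifo frame compressed multicast|bytes    packets errs drop fifo colls carrier compressed
    lo:  123456     789    0    0    0     0          0         0    123456     789    0    0    0     0       0          0
  eth0:105209490  123456    0    0    0     0          0         0 448524558  234567    0    0    0     0       0          0'

iface_counters() {
    # $1 = interface name; reads /proc/net/dev format on stdin, prints "RXBYTES TXBYTES".
    # Receive has eight columns, so transmit bytes is the ninth field after "name:".
    # The name may be glued to its first counter ("eth0:105209490"), hence the sub().
    awk -v ifc="$1" '
        { sub(/^ +/, "") }
        index($0, ifc ":") == 1 { sub(/^[^:]+:/, ""); print $1, $9; exit }'
}

rate_kib() {
    # $1 = earlier counter, $2 = later counter, $3 = seconds between them -> KiB/s.
    echo $(( ($2 - $1) / $3 / 1024 ))
}

bandwidth_rate() {
    # $1 = interface, $2 = sampling interval in seconds. Samples the live counters twice
    # and prints receive and transmit rates, the figure the post's counter only implies.
    iface="$1"; interval="${2:-1}"
    first=$(iface_counters "$iface" < /proc/net/dev)
    [ -n "$first" ] || { echo "no such interface: $iface" >&2; return 1; }
    sleep "$interval"
    second=$(iface_counters "$iface" < /proc/net/dev)
    rx0=${first% *};  tx0=${first#* }
    rx1=${second% *}; tx1=${second#* }
    echo "$iface: $(rate_kib "$rx0" "$rx1" "$interval") KiB/s in, $(rate_kib "$tx0" "$tx1" "$interval") KiB/s out"
}

# Usage: sh bandwidth.sh eth0   (prints once a second until interrupted, like watch -n1)
if [ $# -gt 0 ]; then
    while :; do bandwidth_rate "$1" 1; done
fi
```

Integer division means the rate is rounded down to the KiB; for the sub-kilobyte idle traffic on a quiet box you will see zeros, which is the correct reading rather than a bug.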
