(horriblydated) Unix and Network Security Resources

I've been interested in the concept of "computer security" for a while -- although my attitudes have changed over the past decade. I've found that it's just as much fun to repel talented intruders hunting that elusive uid zero as it is to be one :-)

• Groovy security tools
• Useful links
• Other stuff
• My tools

Good security tools

• Nessus, a module-based, open-source security scanner. A very complete tool, but what makes it truly krad is the NASL programming language that facilitates the creation of new modules.
• hping. a ping-like tool that allows you to construct arbitrary packets, send them to a host, and print the reply. hping can be used as a scanning tool like nmap (below), but it brings the user a little closer to the wire than nmap.
• PacketFactory's ngrep. network-level grep'er. Instant password sniffer. (ngrep -iq 'user|pass' tcp). Yeek.
• xinetd - a nice replacement for the aging inetd. Built-in access control, rate limiting, and other goodies.
• Snort. A lightweight network intrusion detection system (NIDS), snort gives you, the harried sysadmin, visibility into what kind of krad hack attempts being targeted at your network.
• Nomad Mobile Research Center. Home of nifty stuff like nmrcOS.
• Immunix, home to StackGuard, a gcc hack that makes buffer overflows far less trivial to exploit.
• FreeS/WAN. Foil wiretappers -- federal and criminal alike!
• Whatcha gonna do when they come for you? COPS. bad hacker, bad hacker..
• Wietse Venema's FTP archives. Home of the tcpwrapper package, a program designed to enable user@host -based access to various TCP and RPC services. Highly recommended.
• pidentd -- aka the "identification daemon". Answers the "who is talking to me?" requests sent by programs such as tcpwrapper. Be a good net.neighbor and install it today. Unfortunately, sometimes identd can give away some information. (but this sort of activity is easy to detect.)
• ssh - the Secure Shell remote login package. Drop-in replacement for rsh/rcp/rlogin which encrypts network sessions, and inhibits IP and DNS spoofing.
• tcpdump - log packets as they fly across the local network. Essential tool in constructing network analysis & intrusion detection engines.
• Casper Dik's Solaris tools -- some useful programs such as fixmodes (fixes broked solaris 2 file/directory modes) and mountd (slightly more secure NFS mount daemon), among others.
• Crack 5.0. Alec Muffett's phenomenal password cracker.
• Leendert van Doorn is the author of some nifty NFS tools - nfsbug, which does a nice & simple security audit of a NFS server, and nfsshell, a handy little tool to show how dangerous NFS can be. Nail down your portmappers! Restrict your mount daemons! sigh..
• Fyodor's "net-mapping" tool nmap All you ever wanted in a portscanner -- connect() scanning, rpc scanning, half-open/stealth scanning, ICMP probing, all in a nice little package.
• While not a security tool per se, Hobbit's NetCat (aka 'nc') tool is quite handy for manipulating sockets in the shell (local copy, since avian.org seems to be gone..)

Some useful computer security links & papers

• Basic Steps in Forensic Analysis of Unix Systems. Been hacked and want to know what's happened? Start here.
• Runtime kernel kmem patching. urp.
• COAST's Projects and their UNIX tools archive.
• CMU's Computer Emergency Response Team. Founded after the release of the Internet Worm (1988), CERT attempts to distribute warnings about computer security problems. Yes, their warnings are often months to years out of date, but the fact that they exist is at least a start.
• You're in trouble now - Dan Farmer's site; interesting paper on the state of Internet security.
• If you're a UNIX or TCP/IP network administrator and you haven't read Dan Farmer's and Wietse Venema's Improving the Security of your Site by Breaking Into it, then you really, really should. This is an ancient paper, but still remarkably topical..
• Insertion, Evasion, and Denial of Service: Eluding Network Intrusion Detection, or why developing successful IDS can be a real pain in the ass. Don't count your SYNs before they're ACK'd ...
• Phrack Magazine -- the longest running hack/phreak journal around.
• Secure Networks, Inc. Makers of the Ballista auditing tool (light years ahead of its nearest competition, ISS). They've since sold out to fear-mongering motherfuckers. (ahem. Well, those commercials *are* pretty tabloid.)
• distributed.net -- got a key to crack? Why not use the idle time of a few million computers? Just think if this was applied to something really "secret"..
• Default Password Database.

• Thank you for using Kevin Mitnick

  I have a fantasy. In my fantasy, John Markoff bursts into a room where Tsutomu Shimomura sits as solemn as a zen master, peering impassively at a computer screen while he types a Perl script. "Tsutomu, I have good news and bad news!" Markoff exclaims. "The good news is, we sold the book rights for three-quarters of a million. The bad news is, I haven't got a clue what Mitnick was doing for the past two years. What the hell are we going to write about?"
  
  Shimomura doesn't even bother to look up. He gives a barely perceptible shrug and says, "Me, of course."

  -- The Mad-Scientist Myth figure from the Kevin Mitnick Shack

Obligatory Rant

Beware the self-aggrandizing, newly-script-gifted "security expert" who, because they can run a program that gets them root on your systems, suddenly become all-powerful and all-knowing. There are many frauds and charlatans in the computer security community -- and I'm not referring to reformed or "grey-hat" hackers; I'm referring to those people who have either the audacity or delusions of granduer to convince clueless ISPs, AOL-rejects, and the media that they are "computer security experts."

If you are talking to someone who claims to be a computer security expert, or who claims to know "alot" about computer security, ask them to prove it. If they're waving around some exploit script they dug up, ask them to explain to you how the program works, and how it can be fixed. (Granted, if you're not a technical person, you won't be able to distinguish fact from fiction. If this is the case, find someone who can.)

Ask them what they have contributed to the computer security community -- underground or aboveground. Ask for references. Ask for papers. Ask for URL's. Do a web or USENET search. If they've been around for any length of time, you should be able to find something.

Think about it: is an "expert" someone who is well-versed in a field of study, or are they someone who knows something that you don't?

$Id: index.html,v 1.2 2001/05/01 08:17:18 jwa Exp $