Wed, 05 Mar 2008

Speed up Windows with... encryption !!?!

I was listening to the Security Now! podcast yesterday, where Steve Gibson talked about the latest release of TrueCrypt. I've had great experiences with TrueCrypt in the past, and Steve seems to have nothing but good things to say about it as well.

The most fascinating thing that he mentioned was that in his benchmarks (which entailed restoring a very fragged XP image, then running a batch script which used ntimer to clock the windows defraggers and vopt), Windows ran significantly *FASTER* when fully-encrypted with TrueCrypt, than without.

So it seems that the TrueCrypt guys have created drivers that not only encrypt/decrypt your data seamlessly on the fly, but are actually quite a bit faster than the default Windows drivers. Amazing.

I haven't tried to reproduce this locally, as I try to avoid firing up my Windows VM guest at all costs. However, I'm interested to hear if anyone else notices this dramatic performance boost that Steve talks about when using TrueCrypt 5 in Windows.

posted at: 16:46 | 2 comments

Thu, 25 Oct 2007

Shiny new Security LiveCD

The Fedora-based security livecd that I created a little while back is coming along quite nicely. I have yet to submit it to become an officially blessed Fedora spin, mainly because I didn't want it to be Yet Another GNOME-based livecd with a bunch of extra packages shoved into it. If we're going to even remotely compare with existing livecds such as BackTrack, we're going to have to try a little bit harder :)

I've gotten multiple requests from people asking for a minimal security livecd, with something a bit slimmer than GNOME, preferably *box. Being a proud openbox user for the past 6 years, I gladly complied. So, the other day on the bus ride home from work, I re-based the spin against the minimal configuration and tweaked the openbox configuration quite a bit.

The default openbox menu contains a few boilerplate entries, most of which are for applications that don't even exist in a default Fedora install. I went ahead and threw together a menu that is categorized by the type of security tool in the spin. I also wanted users to have access to the same menu entries as our default GNOME menu. To accomplish this, I hacked up a dynamic openbox pipe menu, which generates the same menu hierarchy as the GNOME application menu on the fly :)

#!/usr/bin/python -tt
# Openbox pipe menu that mirrors the GNOME applications menu (python-gmenu, Python 2).

from xml.sax.saxutils import quoteattr, escape
import gmenu

def walk_menu(entry):
    """Print the Openbox XML for one gmenu node, recursing into submenus."""
    if entry.get_type() == gmenu.TYPE_DIRECTORY:
        # Quote attribute values so a name containing &, < or " can't break
        # (or inject into) the generated menu XML.
        print '<menu id=%s label=%s>' % (quoteattr(entry.menu_id), quoteattr(entry.get_name()))
        for child in entry.get_contents():
            walk_menu(child)
        print '</menu>'
    elif entry.get_type() == gmenu.TYPE_ENTRY and not entry.is_excluded:
        # Openbox expects <item><action name="Execute"><execute>cmd</execute></action></item>
        print '<item label=%s>' % quoteattr(entry.get_name())
        print '  <action name="Execute"><execute>%s</execute></action>' % escape(entry.get_exec())
        print '</item>'

print '<openbox_pipe_menu>'
# applications.menu is the standard GNOME menu file; lookup_tree needs a menu file name.
for entry in gmenu.lookup_tree('applications.menu').root.get_contents():
    walk_menu(entry)
print '</openbox_pipe_menu>'

Patches/comments/suggestions/criticism welcome! See the SecurityLiveCD wiki for more details on how to spin your own and get involved.

posted at: 05:00 | 8 comments

Thu, 28 Jun 2007

project honey pot

I recently found out about Project Honey Pot, and added one to every site that I run (they offer scripts in a plethora of languages). So far, it has helped identify 7 spam harvesters.

If you run any websites, I definitely recommend checking the project out.

Stop Spam Harvesters, Join Project Honey Pot

posted at: 06:42 | 44 comments

Sat, 19 May 2007

Security LiveCD

So last week I created an initial version of a potential Fedora Security LiveCD spin. The goal is to provide a fully functional livecd based on Fedora for use in security auditing, penetration testing, and forensics. I created it as a bonus project for my Security Auditing class, instead of following the 5 pages of instructions she handed out on how to create a Gentoo livecd (mad props to davidz for creating an amazing LiveCD tool), but it has the potential to be extremely useful and also to help increase the number and quality of Fedora's security tools. I threw in all of the tools I could find that already exist in Fedora, but I'm sure I'm missing a bunch, so feel free to send patches or suggestions. I also added a Wishlist of packages that I would eventually like to see make their way into Fedora, after the core->extras merge reviews are done.

I would eventually like to see Fedora offer a LiveCD that puts all of the existing Linux security livecds to shame. We have quite a ways to go, but this is a start. I'm taking a computer forensics class next quarter, so I will be expanding it to fit the needs of our class as well.

posted at: 19:15 | 0 comments

Wed, 02 May 2007

Creating a Fedora Security Live USB key

Here is how to easily create a security distribution based on what will eventually be Fedora 7. This requires that you be running FC7Test* or rawhide, as the livecd-tools are not currently available for FC6.

Prepare the USB key

You may not need to do this for some USB sticks, but I had to remove all partitions on my Cruzer Micro and format the whole thing as vfat to get it to boot. Make sure to change /dev/sdd to your USB device.

# mkfs.vfat -I /dev/sdd

Spin the livecd

# yum install livecd-tools mercurial
$ hg clone
$ cd security-livecd
# ./

Copy the ISO to your USB stick

# livecd-iso-to-disk Fedora7-SecurityLiveCD.iso /dev/
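The step that bites people in this procedure is the "change /dev/sdd to your USB device" part: mkfs.vfat and livecd-iso-to-disk will happily wipe an internal disk. The following pre-flight check is an added example (not part of the original post or of livecd-tools): it refuses a device that is not a whole-disk name, is not flagged removable in sysfs, or has anything mounted from it. It reads the real kernel interfaces (/sys/block/<dev>/removable and /proc/mounts) but takes their paths as parameters so the logic can be exercised offline against a constructed tree; the device-name pattern only covers sd*-style names.

```python
#!/usr/bin/env python3
"""Pre-flight check before handing a device to mkfs.vfat or livecd-iso-to-disk.

Added example; reads /sys/block/<dev>/removable and /proc/mounts, with both
locations parameterised so the check can run against constructed data.
"""
import os
import re
import sys
import tempfile

DEV_RE = re.compile(r"^/dev/([a-z]+)$")  # whole disks like /dev/sdd, not partitions like /dev/sdd1


def check_usb_target(device, sysfs_block="/sys/block", proc_mounts="/proc/mounts"):
    """Return a list of reasons the device is unsafe to wipe; an empty list means OK."""
    problems = []
    m = DEV_RE.match(device)
    if not m:
        # The post formats the entire stick, so a partition name is a mistake.
        return ["%s is not a whole-disk device name such as /dev/sdd" % device]
    name = m.group(1)

    sys_dir = os.path.join(sysfs_block, name)
    if not os.path.isdir(sys_dir):
        return ["%s has no entry under %s (not a block device?)" % (device, sysfs_block)]

    # USB sticks report removable == 1; internal SATA/NVMe disks report 0.
    try:
        with open(os.path.join(sys_dir, "removable")) as f:
            removable = f.read().strip() == "1"
    except OSError:
        removable = False
    if not removable:
        problems.append("%s is not flagged removable; refusing to format an internal disk" % device)

    # Anything mounted from the disk or its partitions (/dev/sdd, /dev/sdd1, ...) is in use.
    mounted_re = re.compile(r"^%s\d*$" % re.escape(device))
    with open(proc_mounts) as f:
        for line in f:
            fields = line.split()
            if len(fields) >= 2 and mounted_re.match(fields[0]):
                problems.append("%s is mounted on %s" % (fields[0], fields[1]))
    return problems


def build_constructed_tree():
    """Build a fake /sys/block and /proc/mounts (constructed data) and return their paths.

    sda: internal disk with / mounted; sdd: removable stick with sdd1 mounted;
    sde: removable stick with nothing mounted.
    """
    base = tempfile.mkdtemp(prefix="usbcheck-")
    sysfs = os.path.join(base, "sys_block")
    for name, removable in (("sda", "0"), ("sdd", "1"), ("sde", "1")):
        os.makedirs(os.path.join(sysfs, name))
        with open(os.path.join(sysfs, name, "removable"), "w") as f:
            f.write(removable + "\n")
    mounts = os.path.join(base, "mounts")
    with open(mounts, "w") as f:
        f.write("/dev/sda2 / ext4 rw,relatime 0 0\n")
        f.write("/dev/sdd1 /media/usb vfat rw,nosuid 0 0\n")
        f.write("tmpfs /tmp tmpfs rw 0 0\n")
    return sysfs, mounts


if __name__ == "__main__":
    # Usage: ./usbcheck.py /dev/sdd   (exit status 0 only when the device passes)
    dev = sys.argv[1] if len(sys.argv) > 1 else "/dev/sdd"
    found = check_usb_target(dev)
    for p in found:
        print("NOT SAFE:", p)
    if not found:
        print("%s looks like an unmounted removable disk" % dev)
    sys.exit(1 if found else 0)
```

Run it as `./usbcheck.py /dev/sdd && mkfs.vfat -I /dev/sdd` so the format only happens when the check passes; a stick that the desktop auto-mounted will be reported as mounted and has to be unmounted first.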

Interested in helping make the Security LiveCD better? See the SecurityLiveCD wiki for more information.

posted at: 06:24 | 43 comments

Mon, 14 Aug 2006

firefox's new <a ping> vuln^H^H^H^Hfeature

As seen recently on slashdot, one of the latest trunk builds of Firefox contains support for the ping attribute on anchor and area tags (spec). Ideally, this feature will allow websites to contain links such as:

<a href="http://foo" ping="http://bar">biz</a>

After looking into it a bit more, I found a way to trigger a user's Firefox to SYN flood any given host upon clicking a link.

<script language="JavaScript">
    document.write('<a href="http://foobar" ping="');
    for (var i = 0; i < 1000; i++)
        document.write('URI ');
    document.write('">biz</a>');
</script>

When clicked, the link will cause the client to kick 1000 SYN packets over to the specified ping URI without hesitation. This feature is present in Firefox > 1.6a1, and is enabled by default. You can disable it in about:config by turning off the browser.send_pings boolean. I filed a bug upstream about this issue and supplied a patch to de-dupe the ping URI list. That might not actually be the best solution to this problem (limiting the number of ping URIs, or killing the pings when the page is left or the stop button is pressed, might be better), but it is still under discussion.
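To make the mitigation concrete, here is the client-side policy the post discusses (de-duplicate the ping list, then cap its length) written out as an added example in Python. It is not Firefox code and not the patch I submitted; the cap of five targets and the http/https-only rule are assumptions for illustration, and the constructed attribute values mimic the repeated-URI trick above.

```python
"""Defensive parsing of an <a ping> attribute (added example, not Firefox code).

The attribute is a space-separated list of URLs. A hostile page can repeat one
URL hundreds of times, so the client de-duplicates and caps the list before any
request is sent.
"""
from urllib.parse import urlsplit

MAX_PINGS = 5                      # assumed policy value, not from the spec or Firefox
ALLOWED_SCHEMES = ("http", "https")  # assumed: only web URLs are ever pinged


def parse_ping_targets(ping_attr, max_pings=MAX_PINGS):
    """Return (targets, dropped): the URLs to actually ping, and counts of what was discarded."""
    seen = set()
    targets = []
    dropped = {"duplicate": 0, "bad_scheme": 0, "over_limit": 0}
    for token in ping_attr.split():            # HTML "set of space-separated tokens"
        parts = urlsplit(token)
        if parts.scheme.lower() not in ALLOWED_SCHEMES or not parts.netloc:
            dropped["bad_scheme"] += 1         # javascript:, data:, relative junk, ...
            continue
        if token in seen:
            dropped["duplicate"] += 1          # the 1000-copies case collapses to one ping
            continue
        if len(targets) >= max_pings:
            dropped["over_limit"] += 1         # distinct URLs beyond the cap are ignored
            continue
        seen.add(token)
        targets.append(token)
    return targets, dropped


if __name__ == "__main__":
    # Constructed attribute: one host repeated 1000 times, as in the script above.
    flood = " ".join(["http://bar/"] * 1000)
    targets, dropped = parse_ping_targets(flood)
    print("would ping:", targets)          # ['http://bar/']
    print("dropped:", dropped)             # {'duplicate': 999, 'bad_scheme': 0, 'over_limit': 0}
```

Dedup alone already turns the repeated-URI trick into a single request; the cap is what bounds the damage when the page lists many distinct URLs instead, and cancelling outstanding pings on navigation or Stop (the other option mentioned above) would sit in the network layer rather than in this parser.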

posted at: 18:49 | 1 comment