Archive for the Security Category

With dnsmap I've discovered 9 subdomains belonging to the official website of the Beijing 2008 Olympic Games. Let's try to find some juicy info :-)

#dnsmap beijing2008.cn

dnsmap - DNS Network Mapper by pagvac
(http://ikwt.com, http://foro.elhacker.net)
Searching subhosts on domain beijing2008.cn

files.beijing2008.cn
IP Address #1:58.68.168.159

images.beijing2008.cn
IP Address #1:79.140.81.19
IP Address #2:79.140.81.33

mail.beijing2008.cn
IP Address #1:202.96.53.43

photo.beijing2008.cn
IP Address #1:61.135.189.65

search.beijing2008.cn
IP Address #1:61.135.189.89

smtp.beijing2008.cn
IP Address #1:202.96.53.40

www.beijing2008.cn
IP Address #1:79.140.81.56
IP Address #2:79.140.81.59

www1.beijing2008.cn
IP Address #1:61.135.189.205

www2.beijing2008.cn
IP Address #1:220.181.69.139
IP Address #2:220.181.69.137

9 subhost(s) found

TrueCrypt is a software system for establishing and maintaining an on-the-fly-encrypted volume (data storage device). On-the-fly encryption means that data is automatically encrypted or decrypted right before it is loaded or saved, without any user intervention. No data stored on an encrypted volume can be read (decrypted) without the correct password/keyfile(s) or the correct encryption keys. The entire file system is encrypted (file names, folder names, the contents of every file, free space, metadata, etc.).

New features:

* Parallelized encryption/decryption on multi-core processors (or multi-processor systems). Increase in encryption/decryption speed is directly proportional to the number of cores and/or processors.

For example, if your computer has a quad-core processor, encryption and decryption will be four times faster than on a single-core processor with equivalent specifications (likewise, twice as fast on dual-core processors, etc.).

* Ability to create and run an encrypted hidden operating system whose existence is impossible to prove (provided that certain guidelines are followed). For more information, see the section Hidden Operating System. (Windows Vista/XP/2008/2003)

* On Linux, TrueCrypt now uses native kernel cryptographic services (by default) for volumes encrypted in XTS mode. This increases read/write speed in most cases. However, the FUSE driver must still be used when the volume is encrypted in a deprecated mode of operation (LRW or CBC), or when mounting an outer volume with hidden-volume protection, or when using an old version of the Linux kernel that does not support XTS mode. (Linux)

website: http://www.truecrypt.org

Just a simple iptables script for a standalone mail, web and DNS server.

Here's the script in a readable form:

www.cryptolife.org/code/easyfire/firewall.txt


#!/bin/sh
IPT="/sbin/iptables"
# Kernel settings: SYN cookies against SYN floods, ignore echo requests, no forwarding
echo 1 > /proc/sys/net/ipv4/tcp_syncookies
echo 1 > /proc/sys/net/ipv4/icmp_echo_ignore_all
echo 1 > /proc/sys/net/ipv4/icmp_echo_ignore_broadcasts
echo 0 > /proc/sys/net/ipv4/ip_forward
# Start from an empty filter table so re-running the script does not append duplicate rules
$IPT -F
$IPT -X
# Default policies: drop everything inbound and forwarded, allow outbound
$IPT -P INPUT DROP
$IPT -P FORWARD DROP
$IPT -P OUTPUT ACCEPT
# Enable free use of loopback interfaces
$IPT -A INPUT -i lo -j ACCEPT
$IPT -A OUTPUT -o lo -j ACCEPT
# Input policy: replies to connections we opened ourselves
$IPT -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
# Services offered on eth0: ssh, smtp, dns, http, ntp, https, imaps (TCP); dns, ntp (UDP)
TCP="22,25,53,80,123,443,993"
UDP="53,123"
$IPT -A INPUT -i eth0 -p tcp -m multiport --dports $TCP -m state --state NEW -j ACCEPT
$IPT -A INPUT -i eth0 -p udp -m multiport --dports $UDP -m state --state NEW -j ACCEPT
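As an added example (not the script above and nothing from cryptolife.org), here is the same policy rendered as an iptables-restore ruleset, which can be reviewed as plain text and then loaded in one atomic step instead of appending rules one by one while the box is half-configured. Beyond the original rules it assumes three additions a practitioner usually wants on an exposed server: dropping packets in the INVALID conntrack state, a per-source rate limit on new SSH connections using the recent match, and rate-limited logging of what the default policy drops. The port lists and interface name are the post's; the rate limits are made up for the example, the conntrack match stands in for the older state match, and check_ports and render_ruleset are hypothetical helper names.

```shell
#!/bin/sh
# Added example: render a firewall policy as an iptables-restore ruleset.
# Not the original script; port lists and interface reuse the post's values,
# the SSH limit and logging rules are assumptions for the example.
TCP_PORTS="22,25,53,80,123,443,993"
UDP_PORTS="53,123"
WAN_IF="eth0"

# check_ports LIST: accept only a comma-separated list of ports in 1..65535
check_ports() {
    echo "$1" | grep -Eq '^[0-9]+(,[0-9]+)*$' || return 1
    for p in $(echo "$1" | tr ',' ' '); do
        [ "$p" -ge 1 ] && [ "$p" -le 65535 ] || return 1
    done
}

# render_ruleset TCP UDP IFACE: print an iptables-restore ruleset on stdout
render_ruleset() {
    tcp=$1; udp=$2; ifc=$3
    cat <<EOF
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
-A INPUT -m conntrack --ctstate INVALID -j DROP
-A INPUT -i $ifc -p tcp --dport 22 -m conntrack --ctstate NEW -m recent --set --name SSH
-A INPUT -i $ifc -p tcp --dport 22 -m conntrack --ctstate NEW -m recent --update --seconds 60 --hitcount 6 --name SSH -j DROP
-A INPUT -i $ifc -p tcp -m multiport --dports $tcp -m conntrack --ctstate NEW -j ACCEPT
-A INPUT -i $ifc -p udp -m multiport --dports $udp -m conntrack --ctstate NEW -j ACCEPT
-A INPUT -m limit --limit 5/min -j LOG --log-prefix "iptables-drop: "
COMMIT
EOF
}

# Stand-alone run: validate the lists, then print the ruleset
if check_ports "$TCP_PORTS" && check_ports "$UDP_PORTS"; then
    render_ruleset "$TCP_PORTS" "$UDP_PORTS" "$WAN_IF"
else
    echo "bad port list" >&2
fi
```

Run it as root with `sh firewall-render.sh | iptables-restore` after reading the output. The two recent-match lines mean a source that opens a sixth new SSH connection within 60 seconds is dropped until it stays quiet; the LOG rule sits last, so only packets about to hit the DROP policy are logged, at most five per minute.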

The average person thinks that deleting files, or even formatting a hard drive or removable device, is enough to make the data unrecoverable. This is a common misconception: deleting a file does not delete its contents, only the pointer that the operating system uses to locate the file in the directory structure. Removing those pointers just changes the file's status so that it becomes invisible to the operating system; the data is still there on the drive until it is overwritten by another file or by dedicated wiping software. With sophisticated forensic techniques it is even possible to determine which wiping tool was used, or which file names were deleted.

In this post I will show how it is possible to recover some deleted files from a common USB key in a few minutes. After downloading the software PhotoRec (for Linux), plug in the USB key (onto which we have previously copied and then deleted some files, and even formatted the key), then move into the directory /testdisk-6.9/linux, where you will find the binary called photorec_static.

Type ./photorec_static and follow the instructions.

[screenshots 1 to 7 of the photorec_static session are not reproduced here]

After the process finished, I moved into the directory recup_dir.1, where I found 2 files recovered from the USB key: one is the txt file in which I had written some fake usernames and passwords, the other is the Advanced Bash-Scripting Guide .pdf, exactly the files I had copied to and deleted from the key before starting the test. Scary?

To prevent your sensitive information from leaking through data recovery, there are several programs available that overwrite entire hard disks, USB keys or single files so that they cannot be recovered with data recovery techniques.

for Linux:
dban.sourceforge.net
wipe
secure-delete
shred

for Windows:
www.fileshredder.org

for Mac:
Secure Empty Trash
Eraser Pro


Before selling or giving away an old computer, hard drive or lending out your usb key, just think about how much juicy information can be recovered.

Note: you can use these commands to collect the recovered files and store them in a different location, sorted by type.

find recup_dir.* -type f \( -name \*.bmp -o -name \*.gif -o -name \*.png -o -name \*.jpg \) | xargs -I '{}' mv {} /media/disk/recovery/img

find recup_dir.* -type f \( -name \*.mp3 -o -name \*.avi -o -name \*.mpg -o -name \*.swf \) | xargs -I '{}' mv {} /media/disk/recovery/multimedia

find recup_dir.* -type f \( -name \*.pdf -o -name \*.xls -o -name \*.doc -o -name \*.txt \) | xargs -I '{}' mv {} /media/disk/recovery/doc
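To make concrete why the recovery above works, and why only overwriting prevents it, here is an added shell demonstration (not PhotoRec and not part of the original post). It builds a constructed 8 KiB image standing in for the USB key, writes a PNG signature and a PDF header into it at made-up offsets as if the files' directory entries were gone, carves them back out by signature the way a file carver does without any file system, and then overwrites one region to show the same carve finding nothing afterwards. make_image, carve and wipe_region are hypothetical helpers written for this example; it relies on GNU grep for the -b/-o byte-offset output.

```shell
#!/bin/sh
# Added demonstration (not from the original post): a "deleted" file is still
# on the device and can be found by its signature; overwriting is what removes it.
export LC_ALL=C   # treat the image as raw bytes, not as UTF-8 text

# make_image: create the constructed 8 KiB image and print its path.
# A PNG signature is planted at offset 1024 and a PDF header at offset 4096,
# simulating file content left behind after the directory entries were removed.
make_image() {
    img=$(mktemp)
    dd if=/dev/zero of="$img" bs=1024 count=8 2>/dev/null
    printf '\211PNG\r\n\032\n' | dd of="$img" bs=1 seek=1024 conv=notrunc 2>/dev/null
    printf '%%PDF-1.4' | dd of="$img" bs=1 seek=4096 conv=notrunc 2>/dev/null
    echo "$img"
}

# carve IMAGE SIGNATURE: print the byte offset of every occurrence of SIGNATURE,
# which is how a carver locates files when no file system metadata is left
carve() {
    grep -aobF -- "$2" "$1" | cut -d: -f1
}

# wipe_region IMAGE OFFSET LENGTH: overwrite LENGTH bytes at OFFSET with zeros.
# Wiping tools use several passes and random data; one pass is already enough
# to defeat signature carving.
wipe_region() {
    dd if=/dev/zero of="$1" bs=1 seek="$2" count="$3" conv=notrunc 2>/dev/null
}

# Stand-alone run: carve before and after wiping the PDF region
IMG=$(make_image)
echo "PNG signature found at offset: $(carve "$IMG" "$(printf '\211PNG')")"
echo "PDF header found at offset:    $(carve "$IMG" '%PDF-1.4')"
wipe_region "$IMG" 4096 512
echo "PDF header after wiping 512 bytes at 4096: '$(carve "$IMG" '%PDF-1.4')' (empty means gone)"
rm -f "$IMG"
```

The same idea scales to a real device: `dd if=/dev/sdX of=key.img` gives an image to carve, and a wipe that has actually overwritten the data leaves the carve empty, which is a quick way to verify a secure-delete run did what it claims.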

Just a few days ago I wrote about how to protect sensitive data on the hard drive and other storage devices. But during the weekly meeting of "razmjenavjestina", I was warned (by one of the LUKS developers) about a new attack that can easily dump the encryption key used by products such as Windows Vista BitLocker, Linux TrueCrypt, Linux dm-crypt and Apple FileVault. The attack does not work against the encryption itself, but against the failure of some computers to wipe the memory contents when they boot up.

This attack is based on the fact that the encryption key for the hard disk is stored in RAM while the computer is running. Shutting down or restarting the computer should wipe the contents of the DRAM, but the Princeton research team found that the data is retained for seconds or minutes after the computer is powered off.

They also found that by freezing the memory chips with liquid nitrogen found in a can of air, they could get the data to remain in memory easily for as long as ten minutes, and often longer. That gives the researchers plenty of time to remove the RAM, place it in another computer and dump the encryption key with the appropriate software.

Here are the paper and the video that explain the proof of concept:
http://citp.princeton.edu/memory/

Solutions: I regret to say that at the moment there is no simple method or mitigation for this attack.

I'll try to keep this post updated with the latest news; contributions will be appreciated.

Bruce Schneier's point of view: Cold Boot Attacks Against Disk Encryption

It is always a good idea to encrypt your sensitive data and files, so that no one can read or access them without your password or another authentication method. Financial, medical and other personal files are stored on people's computers carelessly, without regard for privacy and the consequent risk of leakage, theft or loss. There are many software applications that can encrypt files and folders, but my choice goes to TrueCrypt, an open-source, multi-platform application that uses strong, tried and tested algorithms.

TrueCrypt features:

* Creates a virtual encrypted disk within a file and mounts it as a real disk drive. Encrypts an entire hard disk partition or a device, such as a USB flash drive or other storage devices (iPod, PDA, etc.).
* Ciphers supported are AES, Serpent and Twofish. It also allows different combinations of cascaded ciphers (i.e. AES+Twofish, Serpent+AES, or AES+Twofish+Serpent).
* Supported on Linux, Mac OS X and Windows.

 

I've been using TrueCrypt from the command line for a long time, but a few weeks ago version 5.0a was released with a great GUI for Linux. I've dreamed of this day so many times: a real GUI that allows you to create virtual encrypted disks and mount them. To try the new version (here on Xubuntu 7.10 Gutsy Gibbon), go to the TrueCrypt web site and browse to the download area. You will find the Linux version for Ubuntu (x86); download it, decompress it, then enter the truecrypt_5.0a directory where the .deb package is located.

Type:

sudo dpkg -i truecrypt_5.0a-0_i386.deb
[sudo] password for crypto:
Selecting previously deselected package truecrypt.
(Reading database … 125274 files and directories currently installed.)
Unpacking truecrypt (from truecrypt_5.0a-0_i386.deb) …
Setting up truecrypt (5.0a-0) …

At this point TrueCrypt is installed on the system. From the terminal, just type "truecrypt" and the GUI will appear.

Happy encryption.

Sometimes we need to allow other users to connect remotely to our servers with ssh. There are many different reasons to do that: people who want to read their own email with mutt, use their favourite IRC client, or whatever. In this situation a user can easily reach sensitive files, such as password files or other files and directories that are readable by anyone with an unrestricted shell, simply by using the cd command. After searching around, I found ibsh (Iron Bars Shell), which lets you create a restricted environment where the user cannot step out of his home directory (the jail) and cannot access any file outside it; the user may execute only those commands which the sysadmin lists in the appropriate configuration file, and ibsh automatically logs the user's activity to syslog.

After downloading the .deb package from ibsh.sourceforge.net, we can proceed with the installation:

 

debianmaster:~# dpkg -i debian_ibsh.deb

 

we can add a user just for a test:

debianmaster:~# adduser test

In /etc/passwd we must change the default shell of the restricted user from bash to ibsh.

 

example:
test:x:1001:1001:,,,:/home/test:/bin/bash
to
test:x:1001:1001:,,,:/home/test:/bin/ibsh

First we need to add the following commands to /etc/ibsh/globals.cmds, so that the user is able to exit and log off from the session:

 

#globals.cmds
logout
exit

 

then later we can add other commands like:

mutt,gpg,links,ping,irssi.
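Editing /etc/passwd by hand is where a typo locks an account out, so as an added example (not from the ibsh project or the original post) here is the same shell change done with awk on a passwd-format file, plus a check that lists which accounts are on the restricted shell. It runs against a constructed copy of the lines above, so no root is needed; on a real Debian system `usermod -s /bin/ibsh test` makes the same change to /etc/passwd and `getent passwd test` verifies it. set_login_shell, login_shell and users_with_shell are hypothetical helper names.

```shell
#!/bin/sh
# Added example (not part of the original post): switch a user's login shell
# in a passwd-format file safely and audit which accounts use the jail shell.

# set_login_shell FILE USER SHELL: rewrite USER's seventh field in FILE.
# Refuses a relative SHELL path and an unknown USER, so a typo cannot
# silently produce an account nobody can log into.
set_login_shell() {
    file=$1; user=$2; shell=$3
    case $shell in
        /*) ;;
        *) echo "shell must be an absolute path: $shell" >&2; return 1 ;;
    esac
    grep -q "^$user:" "$file" || { echo "no such user: $user" >&2; return 1; }
    tmp=$(mktemp)
    awk -F: -v OFS=: -v u="$user" -v s="$shell" '$1 == u { $7 = s } { print }' "$file" > "$tmp" \
        && cat "$tmp" > "$file"   # write through the existing inode: owner and mode are kept
    rm -f "$tmp"
}

# login_shell FILE USER: print USER's current login shell
login_shell() {
    awk -F: -v u="$2" '$1 == u { print $7 }' "$1"
}

# users_with_shell FILE SHELL: print every user whose login shell is SHELL
users_with_shell() {
    awk -F: -v s="$2" '$7 == s { print $1 }' "$1"
}

# Constructed sample passwd file: the test user from the post plus two others
PASSWD=$(mktemp)
cat > "$PASSWD" <<'EOF'
root:x:0:0:root:/root:/bin/bash
test:x:1001:1001:,,,:/home/test:/bin/bash
guest:x:1002:1002:,,,:/home/guest:/bin/ibsh
EOF

set_login_shell "$PASSWD" test /bin/ibsh
echo "test now uses: $(login_shell "$PASSWD" test)"
echo "accounts jailed by ibsh: $(users_with_shell "$PASSWD" /bin/ibsh | tr '\n' ' ')"
rm -f "$PASSWD"
```

The `cat "$tmp" > "$file"` step is deliberate: moving the temp file over /etc/passwd would replace its inode and can lose the file's owner and mode, while writing through the existing file keeps them.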

 

Now I'm able to connect to the Linux box with the restricted user. After the login I find a command prompt like "[/]%"; if I try to do something bad, like cd /etc or wget url://exploit, the shell warns me:

[/]% cd /etc
ibsh: cd: /home/test/etc: No such file or directory

[/]% wget http://exploit
Sorry, can't let you do that!

 

 

Some other useful commands to add to /etc/ibsh/globals.cmds:

mkdir, ls, cd, vim, etc.

ibsh is not the ultimate tool for restricted shells, but it is a good first step toward securing your Linux server.

Suggestions and comments are welcome.