.d101010101010101010b.
d010101010101010101010P
010 010
.ib 101 S0101b.
010 010 010
101 101 101
01P C1010101010101010
1 1
[ I N T E R N E T ]
[ C A F E ]
[ I N / S E C ]
1 1
01010101010101010101010
[ VERS.: 1.3.7 - UPDATE: 31.08.07 - AUTOR: ad ]
-----------------------------------------
[ "If Nukes Would Have Brains -- ]
[ They Would Fly Away From Earth." ]
[ "When [W]ario & Dr Robotnic Control The ]
[ Earth -- Torture Will Be Their Love." ]
-----------------------------------------
I N D E X
-----------
0) paper updates
1) forword
2) introduction
3) the attackers
3.1) the operator
3.2) the user
3.3) the hacker
4) kind of attacks
4.1) inside attacks
4.1.1) trashing
4.2) outside attacks
5) tools
5.1) short declaration
5.1.1) sniffer
5.1.2) keylogger
5.1.3) spyware
5.1.4) wiper
5.1.5) network monitor
5.2) windows
5.2.1) sniffer
5.2.2) keylogger
5.2.3) spyware
5.2.4) wiper
5.2.5) network monitor
5.3) linux
5.3.1) sniffer
5.3.2) keylogger
5.3.3) spyware
5.3.4) wiper
5.3.4.1) wip.h source
5.3.5) network monitor
5.4) unix
5.4.1) sniffer
5.4.2) keylogger
5.4.3) spyware
5.4.4) wiper
5.4.5) network monitor
5.5) hardware
5.6) search engines
6) how to use the tools
6.1) configuration
6.2) control
6.3) security
7) attacker detection
7.1) intrusion detection
7.2) autorisation
8) how to avoid attacks
8.1) encryption
8.2) updates
8.3) backups
8.3.1) data recovery
8.3.2) important tools
8.4) basic tips
8.5) live CD
8.6) secure email
8.7) insecure BIOS
8.8) bank account
9) after a broke in
10) rest of risc
11) last words
12) mirros
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!i
!i ALL RIGHTS RESERVED BY ad . 2005 - 2007 . !i
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!i
0) PAPER UPDATES
------------------
31.08.07 : - v. 1.3.7
+ NSA backdoor key in MS windows NT
+ microsoft history info
+ the CIA google connection
+ search engine profiling
+ disable BIOS passwords over the hardware
13.08.07 : - v. 1.3.6
+ more about email security
+ info about the NSA.gov microsoft connection
+ more infos about evil messenger services
+ tip to bank account
+ xchat and jabber links / hints
+ new ICS.TXT mirror at textfiles.com
+ some more info about insecure BIOS
+ new section: 8.3.1) data recovery
+ new section: 8.3.2) important tools
+ corrected vlogger link
+ hint about new german law
+ more password security
+ link to my password generator "pan"
+ source of "pan" uuencoded
1) FORWORD
------------
This paper is written to show you some security riscs in internet cafes.
It is written for information and help but not for any illegal activity
and i am NOT responsible for your doings with this information here.
This paper here is NO invitation for hacking crime time. It is up to you
what you do with informations. The text is written to secure systems and
can also be used to secure home computers or other networks.
Do not wonder if something has changed or does not exist any longer in
this paper in the future. If sites / links are down in this paper and
which contain some special programs then just go to a searchengine and
type in for what you surf. Often many other sites or mirrors have that
for what you search for. Never the less, will I try to keep ICS.TXT up
to date.
Have a nice reading. -- ad
2) INTRODUCTION
-----------------
Many people are using these cafes to send emails, play games, chat with
friends or to surf in the word wide web (www) while they usually like to
drink or eat something. They maybe don't always know much about the
security riscs there or security riscs in general and many maybe don't
care about them.
( f.e. I talked to a system administrator in an internet cafe about this
security paper here and he sayed in a comical way that he rather don't
want to know nothing about the security holes here. )
Keep on reading if you care about them ( the security holes ) and if you
maybe want to learn something about security or / and insecurity.
3) THE ATTACKERS
------------------
I think in the internet you will find lots of attackers and kinds of
attacks but in this case we will only turn to three groups ( and two
kinds of attacks ) wich we will find in- and outside of internet cafes:
- the operator
- the user &
- the hacker
3.1) THE OPERATOR
-------------------
In many of the internet cafes the operator usually has the control over
any computer and over any connection from the server to the computer
which are connected to the network. This means that the operator
normally can control everything on the whole network.
In normal cases he can lock and control all connections of the network,
look how long you are online and how much you have to pay for your food,
drinks and surfing time.
But he could also watch to other things like on which pages you surf and
how long, in what chatrooms you talk about what and to whom, wich
textfiles you read, wich keys you hit on the keyboard. The operator
could sniff some of your private data. This could be one of your
passwords or what ever you can imagine. With other simple words: your
input through the keyboard could be ( or is ) a security hole.
Never trust operators while you don't know them personally good enough.
But we shouldn't forget that an operator also can be a victim - when an
user hacks a computer on which he sits and from that he could hack the
whole network up to the server.
( When i say "don't trust them" *doesn't* this mean that all
administrators or operators are evil - for sure they are *not*! This is
just a *mental* basic assumption for security - and the same applies
also to all users. )
3.2) THE USER
---------------
The user often plays games like egoshooter, chats over irc, icq, yahoo
and so on, surfs on some sites on which he is interested, downloads only
legal files or reads and writes the emails from his account.
But an user could do illegal things too. He could install some
downloaded or self programmed security or hacking programs on the
computer he sits. These programs could be keylogger, sniffer, trojaner,
rootkits and other spyware.
With these programs he could spy out some private or sensitive data
( like passwords ) from other users or from the operator behind the main
server. The programs could run for some days, weeks, months or how long
ever, maybe till somebody somehow detects them.
The next time he's physically ( what would be unusual ) or from an other
computer on the hacked computer in the internet cafe he could send his
logfiles to him or to another hacked account. These things could do his
installed programs automaticly, what would be usual.
People often have weak passwords and use them on different accounts.
Weak passwords f.e. are the real name, nick name, birthdate, favourite
color, hobbys and so on cause they are easy to remember. Weak passwords
are one of the biggest security holes. But they are easy to remember
that is why many people choose them too. A strong password could look
like this: Pohwpautoda -- we just take always the first char from every
word from: "People often have weak passwords.. ." and so on. And we have
a strong password. Strong passwords are not to find in any dictionary or
any other book -- just in your mind. To make it real strong our password
would look like this: "P0hwp4u70d4" . ( 0 = o, 4 = a, 7 = t )
Many people don't change their passwords from time to time so others
could have an easy access to their accounts and to their privacy too.
You should change your password every month on every account you have or
every few months.
If you wanna generate a password with a password generator you could use
my password generator "pan" which is included in my "rarb" ( rar brute
force for unix / linux - rar password recovery ) package. "Pan" compiles
under unix, linux and windows. You can download it here:
"http://packetstormsecurity.org/Crackers/rarb_v_1_0.tar.gz"
( and at all other packetstormsecurity mirrors )
Here is the source uuencoded:
begin 644 rarb_v_1_0.tar.gz
M'XL(`(8,PT8``^T[:U/;2+;[U:[B/YP53`(9V^AM&T)V(9!';0(I(#MW;TB%
MEM3&NK$E7TD.D$S^^YYSNB7+/&LR22:[0U<*2]WGU>?5I[N53&3!NP_OK'?6
MZN-G_SAX_?+@+U^]F:;INR[0+[:+OZ9EX8ME^K[IFY[IFF!:KF5Y?P'SZXMR
MN4WS0F0H2I:FQ4UPIT,I1S>,7YS<?TA[N>W!\D0DG7`%-L!V^V'7#%S/E*$3
MA5;/''C]J"O=OI`]I^<N-`^>;5HU!-,2PK&"4`2NXYL]-S('EA<)QPG=P!5N
MZ$DT:,_R&='V_!JJ:YF6*?U^T(L\T>O9TD:6R,GT!WVW9T9N.$"ROA4XO:X7
MA*%O=P>1B"R!SM&W`I2%91_+9-K)AT2QW_<CU_6#0`12]'W/MJ2#F(YE1K:0
M@2BEKZ&(0==T?1-9R)[EN=W`\?J!%?1,J]_O=VV<E8=BV=9,_AJR[^"X#+K=
M0(A(^J[T!X$;^E$_[`W<`2HDZO7[GC"[9D^&7H1N'4FS[P^D985]+PKT##(,
M04W1L@>.[7I^SQ1^5UJ.3P;HR;X?1F;8MX-R!C64P)-R8)F.Z?<=SS6M".<A
MA.A%MA?8W<@/P@#Y"V\V@QJR(Z)H$+IVKS\0J*RN#)S`[-M.9/MAB,$H/>GT
M^V9D=86'4[1%S^MV0Q.E#*3M2E3+'^V_=^WWM6R6_U^*]W(0C^17YS'+_U;7
ML^J_NCD6Y7\;D[^-+YA4G&ZW^YWS?Y!'-\+=-OX?FO]I]L5:LW$2AM!.`;,S
M<(:^"^P_1ZO%_^Z3O6_#XY;XMVW?*NL_U[$I_NVN[=S%__=H"TVXW,3?L5D7
M>['Z@.Q2]Z95_JFW+8L([_^];-;MP+"O^_<U]&8-,ZN)H:%+F@IMDR$W5:?J
M8EFWZM#[);U2!+%GZ3$%H*$1M2YX";UI6GJ(.P)^4@BE[+!/%*L9TD,UM,4/
M6Q7*7CF!/7H25Z!LU5`?=-!/.R<?-;(YQ[!JHD*N<*M)[<_QFVN9$JWLWR*(
M=AM$=&QVM484JFE>1-5C08D;F-;,I_:O`B_A]G2K(6S!_FLXW`%XLK</CW=(
MAB?/=S=?+#07FNW?T0@?ROH&UF!</@[23*UW.([Y#X?B9)#BR^M7VYN'.P?8
M,9U$HI`Y]NG2GX!R2*<9/'W]G"D(&,5%@>0(`@&9(H)-1)Z?IED$)S*1F2@0
ME,!'<3(]:\$TB<_@'IS&292>YO"A8W5($[H\1W1\PO&/\02";%JPL*&$?"A'
M(\C#+)X4)=+OU\Y"<_$+&V+B/W3<%R]@__G39X<'L+]SL+/_SYUMV/H7^E`'
ML*KSH4T_7>@H^"]F]D<GS/^R5EO_M<M_?1ZWK/^6YWNT_CN>:3M=JTOU/VX$
M[M;_[]$.GST_`/QW^&Q'I5KXY\[^P?.]78S7W3UXN;>_4^9"2A*VW3&]#H8Q
M9N9B*#'#A>_%B82AR"%)3V>9,(DQ56%^;$&(6XI`PC27$:0?9+;0U'FTI2AD
MZ4DFQA`.9?@^AW@`Y^D4,&N^Q\Q8#.$%)4O`K/DDDW+K8!M$$D&44D(6HSQ5
M>(2&;%2J1F$BR*=A*/.<H8D-9_M3E!)S;3)*1832!-,"XF*AB=E\@*E6G(IS
M&&3I&,65<7("83J>C&0A:>(F3MS5$R\S-"=?6@LR*:+S#CR>%@62%9B>B:7,
M,A2;Y4-J+=+/0O/_T-^@.)](!LGBDV$!^7E2B#,6E7!)G#B1'?@7*H*T1XI%
M]3&&ROMZ[K28T/)`D\N5NHQI@CT&$Z/U8WX(>XP6L`PA3CY%8X@H`F,1$8J:
M1).10.UUX!=2Y@>I33L0B)=.BCA-<)ED-93F76BR?16?]K9!!C/:NP8L3R<3
MF84"Q4=5%C++5Y`L@15#G.AIQ0`P#HLI6K54&$^!?&%,XH[2]#W/%WNR7(X&
M9/*X(&4%6?I>)N1(@0A&YR@:SBI)<389(,-QG(A1AYVWWS$=;4.U1-?MIX0?
MIQDJ09[$.<G*,B3R%%TA4L4"C2\T\XDD0Y/!$DC#0HQ@,$U"U@Q!I0G*H1=]
MFHH"2:;C`(G^4&M8+?_KL/SZ/#`?=CWOVOSO.)Y7[?]\QZ?\[W>_]_G_GS3_
M+_YU-8B35<QFS46LXO8W][?@X-D.UG(O=W9?JP).EVX,$$SC$>;QI$K'?L>&
MV.GYZQAK>5'F@'+TGLK?C$K^M;Q2ULZJC"VCID69((\QWYYSJHMB,4I/`$.8
MPPZQ>2TY?/D*"LSYH@B'G*XP18\Q#'.UEF0H`='GU2`"SCH:@B7@E$-%.V6>
M#!<JJ<)5K3&$HN5N@8QBE1`_B-%4YHA<)A_,!S+**<'IM8KD+?/-WD&K2A.\
ME<C&@N9'S%.L^".,_Z)<DW*DAJLDKP8&"JEGK9(W=^1#HXFH:HTCE'12II3\
M'+4];J;YQO$T$6-YW$1QWL!2FL,&&#PC`]ZN$U;"XKR;B&*X8;"YZ=V`>_>.
MFJ<GLBA'IGG&H]1GK(,<X<3JF.7X]=BC-!2C.HU!3/*3ULCZE;F;RA<^-1O:
MT.UV$5/98+`#MLD/8:NVZ6F3R^'<C*-FH]UF6L;FZ\.]_37EGU2T=-8XG[=U
MO;(&MMTVO;;9-<#RH&N"A\C/Y&@"!B5\WN^]H;F\):JT.P2#EGRJ%-3R\.8D
M#'GPJ2QP^535!65,>$/SXZSHM<C!R_J6>G3-T'>/_I^Q`Z&DD+?7;C]!]
MF\T&6W/C&)V8_?G>/<C&T![0RS$-D]<N?6*HS^A#:F^L)%]I-MC*[0R6*LO,
M69EFM8[,V'@7E;M#%8F![^/\)$C/P'C);DJE&\9-@IXY&LFH8X`'CLG&:ZRO
M*]74.%=^0&?&)>^+Y\<TK7GV*)2Q][[._3$KFYPY2K'>46Q!.][5LBOS:_RG
MR/-6X=%T=:U5'EM)3CV`=(=%,5E;7:6*5A8Y[M7'N0RGF"7..\EH]7%&_5F^
M6BV8ICZ0`5(W594;QS(<IK#TM^,;IU`I@!3R"S&_9@Y`D\`_*JZ)`UVXEG(?
M78Z=>>UNZT(7]MY72KE"+)+BDE]4N%S#7M*IH9S>6+DL@QZIT=(!4J1K:#MX
M-5-O"UXG\5E+KQ`-/F_"4#7!-14;"B1D(2F>=->#\MVB=]"A(7,1-AL49\W/
MF&[D&1JN4*<QG&DH!^WL/?F1ZJX?I=7J/X[;;\'CYOV_95E=O]K_.UV^_W/,
MN_N_[])6'RPT7VWN0G".T4>;I,/:GESO8'`#69YDZJUD'I\D>6NAJ;=T>I='
M-=$H/<4'6L-66N6&A_K'\1ENUSJ*68CK+U$5=*I]5NC-.1$^FW%::'*/P'UC
M<H(/*59;':B+ETV37-54?)9*\G`A5YVI\JY/EZ5ILE:O67&?J99Z5;"N\0+F
M=-R.7XWH@0L+VT(39S/;Q1MTE&S@CI#N435&AT*)6+_FBF$-=YY=VGE2$;W0
M;.MS`TIW$=:`X]E^$U?P"-5"!23O,`FXOI64\QM))%'M.IDP;="12KGQQ.YE
MW#=/5GC[NM!\L$I"K:["*`XP[F,Z0UF,DW`TQ<WMP[R(XK0S?'2A#V&YLT([
M9_DRK%'3L:Z.ZRA%/)8E`D].':@O1I(.-:K3)8.58,P&5-$&1NVLN#:*M=ZS
MO7TP<(5@RKBD3*;*<>C$0!]TO'E+M>_DE)S*6&?`VLF[5M5"\T,:\Y'\\DSQ
M<5*`:,V_!Q?>0UC1-$=I@%;X@"H4P8BF3\.XDIVWX..ZUO%8Q$F-)T%0US(Q
M7UEH?FJ4,#E&@T2(QB1#H,&R01'R4PZ+^.<HP;C\*3=:I=Y:6D\MK1&2J(&:
MR)>-H^2HL$K7."IL%:1'Q5'A@`I/TE-.8*X.TR.E.P3R.$#Y!8X*G]^P%B'@
MKG(Z(M2#G?]Y?@CTV`?<)+XR%'\M>"Y',BS60/6R\JFJ0?'P-0]%@C`_13B9
M>V<EQ!#=:"1G0!A`X7`9TP"JJ/%)U<(F!E"CH6?Y2Y9BO<CPN$G#2J"CN#4:
MF2RF60(6OS&BI1`#S#;O9[WVE;W.E;WNE;W>E;W^E;W=*WM[]2D]3=,(\Z^\
M.!-S!M^OPQ\E2M&8&I6U51TK$W34M9*&`E4GBVMD1IU%J_1ZE,@S0>>;/&K9
MX)GF47*E"!B#8CHJKC4#;76N-,/GFG.\40*\A3>5"&]O<Q50WH)A=>]C"4C%
M72VN&AS'.O9@!D3GNO59?-9A^77S`<4Q/=*4WI$QWL`YO&T!UK8)B<*9B0?I
MB0?GNX.T&%;=*%[%H+8&-.:X$I?UBYU(\%(?D=94:8U";^%D3?JEY+T,RPBU
M0NEZ&79?OW@!*Y7Z>#V>I#%Y%/8\>?YB!QX,)GHTG:"W56?J=,3-RSD?I3<&
M$TS!`P)9IN$6INR?*R-7!Z"X'Z,@W]@`2T?ZS#0D:7UU(:]";2P#;W_6\><A
M9EE(?OZ9414N+7/L?@PY5I!CA#S'GQ(204D"'&0%K,!/6'8JKVW,+#BF1:34
M,C:D3F=%N&\2A5!=`^W4@PG.CWUT#EU'PF?^6Z'3,3+6)U*)6:>`8:=Q/NN@
MH;63LG==4[;6U,VZN&7^IT,TRK*E7BG!#L6\.LQ2(<R8AA^!VZ7=/#T_!,>!
M7W_5S[Y+*X@>>@1>;S;4]Z'J[UN:/;:+Q!_6B#_ZG<0_-6:1QD;44<%MEH`K
MRY0_\]8,2VN6=.:L>;O=:DMMW7K.'V:]OCFSGN_=8(D9X*,:X(^A5;VMN*A5
M]P_3JF7;,[7VNS>HM0;YJ`;Y8^B5[ALO:=7[4;1:ACP[\2P;D!_?E%(N:+R6
M.,RYG%*C\F-80U?==5OXW\(65!K<9`P>)VMPHN4WROQ7JER/UF$?U6"U8KG.
M8<669<D7:K8D]!LURUN8NEZ[WT*OUU87S)=''Y:L&:/4P_75QV_0T<UUR.TZ
M"D=I+O66NC'@-X0N:S<ZHE^8E?-<^^$N=7:3UL)JG0N<O%4>V6`'<FJ!J@0_
M8I&^HDIQI+>S]^2'N@C_D[;:^:_^K.7K\[CE_M]W/;,Z_W5=E^__O;OOO[Y+
MJ^[_9]?_?!2,+_3.7Z#^[PU?H'88[W'M&R_U#9#ZTDA_<L1?`^D/D_#Q="@*
MD!_T+A<!D`)=>5>?,BFBA^7!+6R+<9S`P9BJ%757OPRQW_/![K@=7'A6Z(('
MZ>5TM4R_&_IXD0A/<;/?Q+_##3H]Q!YUC]M<Q-\-?:F[!N7W702`TYOHV_1%
M:(\*W'J]!77KUFSP'5]Y3;U$S&"Q_H$K$M`P2TC;*!%0J4LD!.B>LA]U)DZ0
M?PG8EM@'2R8\?-"A[[=^A0<=U,LC:"?XW-[5>^C;P2,"WZ8/Z:)1G!=\SGZ!
M]Y[ZE`N)DO816*BO+?2G7E*?0+!%TVE1S45]J55]V:8^5..OM':VGQ^J2V_]
M??(@SI#WC*^ZNAO$J.52LF84A\7&DJ,_L=!G!$WUN[%D8W_Y(5N3_FPL632X
M8=)?:\/"<5YUZ(*`3B4JNMR[<4P^B<I#3=U?VKB/9B%^!MB/5B/Y8369CD;'
MY"91A()I%'DV08==XC<#?@;K(C0ZQRF[.QAMM#'[BK&D34-GT-A;\YG%(COG
M4EM=H<3)O*#S#H&P="7^7IX3`'L&UQG,0HO4/BD4/TNQB1"]L<A?X(`(BZD8
M5=19.3A*/QO'0_KPH5VBEKKX%0H1CZ!M'3.92(;9N?(-%`:[B"[*M'%,ACB#
M]D0)0@3((@98,_7,JXK(D54Y^#$R9J0X,WPI,<X9<\0H=[1?_292K"WER[,Y
MVK-;?`9",Y^DZDL@M$BST="V+L$-=2=?F;JAC=DHS<F%4BD/!8;Z,'6`8ISK
M3Q>-&C@QXC2J[8\H:Z!F=8EX.T&?/A+WN4-?DC?HCA[ECI,PDV.9U$7G>%'.
MS0Y`GJUFR57==9XS2S1T\*^$(:^DBE"%<CT<M@U8INRQ<E54;-]%Q8\>%7^8
MXR17YM%DSF/XG'=NF=!>4OK"7Q5ZZ0O.M8Z@\+45ZR9D["^SX-<SWU?+:+\E
MG7W37*;R&"GW"]-8Y8DU1[S=9=^*!>IPED24+,@VNW^=/^[>E,AV[]SR
M2U+*=S%BDC(?MH#V1-R?W"_*#%X)?5K]-P2^><0RE7$6^?JPJ5WQ[M.QNW;7
5[MI=NVMW[:[]E[5_`Z?!IHD`4```
`
end
To decode it just put the encoded source into a "file" and type:
----------------------------
[user@ ~]# uudecode "file"
----------------------------
3.3) THE HACKER
-----------------
The hacker must not have physically access like the user or the
operator. He could have found the internet cafe network from a scan. So
he is a bit harder to detect because with no physically access you are
invisible physically but maybe visible on the network or the computer.
The hacker probably would hack from another hacked box into the internet
cafe network but this could also be done by the admin or the user after
their physically attack. The hacker could do all the things the user and
the admin could do after their attack. But the hacker would not leave a
physically trace if the cafe is watched by a (hidden) security cam. So
some people or the personal of the cafe could not see him too. And he
wouldn't leave fingerprints and nobody could remember him ( his clothes
and his face ).
4) KIND OF ATTACKS
--------------------
This is a paper about security in internet cafes but we won't forget
that the cafe can be attacked from two sides in two different ways:
- from inside, physically
- from outside
Some attacks could be done through: man in the middle (MIM), brute force
backdoors, sniffing, spoofing, hijacking, keylogging, code injection,
stealing, manipulating and so on.
4.1) INSIDE ATTACKS
---------------------
If the attacker sits inside of the cafe behind a computer - he has a
directly physically access. He's in deep trouble soon when the server
monitors all doings and maybe an intrusion detection software on the
server rings the alarm bells from the operator. Operators in internet
cafes often have to do jobs like to serve food and drinks for the users
so he can't control the server not always constantly i think.
4.1.1) TRASHING
-----------------
Trashing is a well known kind of attack and in that case an inside
attack. Many people leave sometimes some sensitive data in the trash
without destroying it before. Mostly some papers with sensitive data on
it. This could be some bank account information, telephone numbers,
addresses, names from private contacts, credit card numbers and of
course more.
To avoid trashing simply do not let sensitive data in the trash in the
internet cafe or *destroy* it before in little paper pieces.
This is all to say here.
4.2) OUTSIDE ATTACKS
----------------------
An internet cafe could also be hacked from outside from a user or an
administrator. You don't have to sit inside the cafe to hack it. A good
configured firewall on a monitoring server could protect you in this
case. But don't think that you are secure just with a firewall. A
firewall is no guarantee for a secure network - a firewall is just a
concept. For a good security on the network could help an intrusion
detection system.
I think it's more difficult to detect an attacker from outside of the
cafe.
5) TOOLS
----------
In this section i will point to some security tools and explain how you
can use them useful. These tools are sniffer, keylogger, scanner and
trojaner to call just a few of them all. You can also find the download
link from these tools in the appendant sections.
You can find lots of more tools on the internet but we can't numerate
them all - this would blast this paper. ( For more information use a
searchengine like "http://altavista.com/" or search on some security
sites. )
Please use all of these tools only to test, check, configure, control or
secure *your own* system or network - to find holes in them.
5.1) SHORT DECLARATION
------------------------
From section 5.1.1 to section 5.1.4 i will explain some tools ( sniffer,
keylogger and some spyware tools ) shortly to get a quick but ample
overview from this tools. We can't go to deep into all possible usings
of them - it's too much for a paper like this one.
Read the "man" ( manual ) pages from some or these tools or use
a $searchengine for more details and information.
To read the manual from "man" under unix / linux type:
--------------------
[root@ ~]# man man
--------------------
With this syntax you can read any manual from many programs. You will
learn a lot from manuals. They are a *must read* for learning something.
5.1.1) SNIFFER
----------------
With a sniffer you can filter or manipulate datastreams. You can sniff
some sensitive data like some IPs, IP packets with source and
destination IPs, socket addresses, ports, accesspoints, mac addresses,
hostnames, user IDs, the version of the operating system or from other
programs, services and also data streams in plaintext ( emails,
unencrypted passwords ). You could also sniff some data streams from
outside of the network f.e. with wirelesslan sniffers or sniffers on
wiretapped phonelines.
5.1.2) KEYLOGGER
------------------
With a keylogger, the name says it, you can log every input which comes
from the keys of the keyboard. Keyloggers often create well formated
logfiles to give you an excellent output and overview of all typed keys
( texts ) and used programs. A keylogger could also log mouseclicks -
to expand some of all possibilities.
With the created logfile you could find out passwords, the content of
emails and much more. It's easy to understand what is possible with
keyloggers i think. ( To prevent that keyloggers find out your password
you could use "char selecting" tools but don't forget: *nothing* is 100%
secure! )
A keylogger is often installed as a software but the keylogger can also
be implemented on your hardware - directly on the keyboard for example
- a hardware keylogger. ( see section 5.5 )
5.1.3) SPYWARE
----------------
Spyware could be a trojaner ( also called backdoor ) which listens on a
port or is completely invisible on the victims system. Backdoors are
often implemented in replaced and manipulated software packets
( installed programs ) by the attacker. Backdoors which just listen on
an "31337" port are mostly easy to detect with a simple portscan with a
portscanner.
( A "modified" version of a program { f.e. email } which runs constantly
on a well known and *open* port is harder to detect - maybe with a MD5
checksum on the program file, with a special packet filter
configuration on your firewall or with a monitoring tool. )
With a portscanner you can scan for open ports ( which maybe better
should be closed ), the version of the running program behind the port
( wich could have a bug ) and the version of the operating system or the
kernel ( wich could have a bug too or twice ) .
With tracerprograms you can often trace the destination of some other
people but this won't take much of an effect while the other person uses
some proxy server or a proxy services.
In fact, a portscanner and a tracertool is no real spyware but often
very helpfully to check your system with all your connections.
5.1.4) WIPER
--------------
Wiping tools are very important today for real security. A wiping tool
makes a secure overwriting of a file, a secure deletion. Normally when
you delete a file the deletion program only deletes the inode of the
file and the file is "deleted". But with some recovery tools you can
easy recover the files which are deleted in this way. So if you wrote
some important or personal texts an attacker could find your files
when they are not wiped.
The standard secure deletion is "Gutmann" wiping - 35 passes /
overwritings. Many wiping tools have some more features than only
deleting a file. You can wipe the RAM with them, the SWAP space and also
unused discspace. Delete your personal files only with wiping / secure
deletion tools otherwise you can be hit by an attack. Attackers can do a
lot with personal information.
You need a 35 times overwriting when you wanna avoid data recovery with
high tech equipment which costs a lot of money. So yes, you could
recover data from swapspace, unused discspace and RAM too.
Look at this very simple example now. We copy the complete RAM into a
file and then look for our password with which we logged ourself in on
the system. "/dev/mem" is an interface ( unix / linux ) to the pysical
memory of the computer. ( "man mem" - for more information )
--------------------------------------------
[root@ ~]# cat /dev/mem | grep Pohwpautoda
Binary file (standard input) matches
--------------------------------------------
So we can see our password ( changed for this example but real tested )
was in our memory. This means a RAM wiper is a good tool against a
memory attack. "smem" from THC - a very good [TH]Choice here.
5.1.5) NETWORK MONITOR
------------------------
A network monitor, the name says it, is there to have an eye on your
actual network and/or internet connections. This tool is like a sniffer
but not hidden and not for manipulating data streams. There are network
monitors for X-servers so with GUI and there are also ones just for your
terminal. They are often easy to use and to configure, mostly they have
a logging option too and many options for a personal monitoring, so you
can monitor what you want to monitor. These tools are a *must* i would
say for a good security concept and a good defense.
5.2) WINDOWS
--------------
You can find this operating system ( OS ) up to 80% in each internet
cafe i think because many people are using it and it's easy to learn and
to operate with - specially for beginners. Many of the games they play
run under windows. Just a click here and a click there and everything is
running fine and fast.
Old windows systems are not so secure because if an attacker has access
to a windows machine he can do everything he want. You don't have real
security with windows in my lowly and honest opinion. Windows is
*closed* source and you don't find any sourcecodes from it on the
internet for free. Closed source means obscurity for security - no
secure solution but this doesn't mean that windows is completely evil.
A securer solution for windows could be the use of windows NT, or not?
Cause here you have admin and user accounts and you can configure more
than the old windows systems, you can buy the sources from NT and it has
more security features than the old versions. Some people use old
windows systems today. Windows runs not so stable like unix or linux.
Nevertheless it is a *nice*, fast and great multimedia and gaming
system - when it runs stable.
INFO: Since windows XP microsoft by the way has a good connection to the
NSA and other "anonymous" agencies ( microsoft will not mention them for
whatever reason ) . NSA and the "other ones" helped microsoft with the
security of their OS ( operating system ). NSA also helped building the
security of windows vista. In a software driver in windows NT4, called
"advapi.dll", there was founded two keys for access. One key is called
"NSAKEY".
For history knowledge: Bill Gates stole in the beginning days of
microsoft the code for "windows" from apple. And apple before stole it
from xerox, so the code for the graphic operating system. [...] So you
can see that money is ONE thing what makes this world go around.
A free windows is React OS and can be downloaded at:
"http://www.reactos.org" .
5.2.1) SNIFFER
----------------
a wireless lan sniffer
- "http://www.ethereal.com/"
5.2.2) KEYLOGGER
------------------
search for yourself ( take care of the ugly dialer sites )
- "$searchengine"
5.2.3) SPYWARE
----------------
search for yourself ( take care of the lame pay sites )
- "$searchengine"
5.2.4) WIPER
--------------
windows wiping tool
- "http://www.heidi.ie/eraser/"
5.2.5) NETWORK MONITOR
------------------------
as a little search lesson please search alone for windows
- "$searchengine"
5.3) LINUX
------------
LINUX is an opensource operating system. Many of the linux and unix
systems are completely for free. If you have never worked with a linux
system then it could be a bit difficult to use but easy to learn if you
really want to learn it.
You can get some *free* operating systems like gentoo, freebsd and so
on at: "http://www.distrowatch.com/" . I also can recommend the debian
distribution knoppix from K. Knopper which is based on linux. You can
find it here: "http://www.knopper.net/" . Knoppix is good for experts
and also for beginners.
If you want to control everthing on a linux or unix system you must have
super user rights - also called "root". You can't do everything without
"root" , f.e. if you want to create a new userprofile on your computer.
5.3.1) SNIFFER
----------------
a network sniffer
- "http://www.tcpdump.org/"
5.3.2) KEYLOGGER
------------------
a kernel keylogger by rd
- vlogger <FROM> "THC" (The Hackers Choice)
{ This program is now offline at thc.org because a
new german law is now out which forbids security
tools ( also known as security by obscurity or
better: security by forbidding knowledge .. ) -
if you want it then search the net and you will
find it. }
5.3.3) SPYWARE
----------------
an invisible backdoor client by fx
- "cd00r.c" <at> "http://www.phenoelit.de/"
a *very good* portscanner by fyodor:
- "http://www.insecure.org/nmap/"
5.3.4) WIPER
--------------
probably the best linux wiper by vh
- "secure deletion" <at> "http://thc.org/"
5.3.4.1) WIP SOURCE CODE
--------------------------
"Wip" is a small unix / linux shell wiper which i wrote. Here is the
source code for using, learning or modifying:
#######################################################
#
# wip 1.1 - unix / linux small shell wipe tool
# by ad - 27.01.07
#
# The program overwrites a file for x times with
# random signs from /dev/urandom, then sets it to
# zero with /dev/null, renames and finally removes
# it.
#
# Tested on a DSL system ( i686 2.4.26 )
# Usage: ./wip.sh <number> [file]
# or: ./wip.sh [file] - 35 rounds standard (secure)
#
# Update:
# 27.03.07 - add sync
#
#######################################################
# help screen if not enough input
if [ $# -lt 1 ]; then
echo "wip 1.1 - small unix shell wiper"
echo "by ad - 2007"
echo
echo -e "\t""use: $0 [file] [number]"
echo -e "\t""or: $0 [file] (35 rounds)"
echo
exit 1
fi
# the file we wanna wipe
file=$1
# check the file
if [ ! -f "$file" -o ! -r "$file" ]; then
echo
echo " can't find "$file""
echo
exit 1
fi
# we enter our own number
if [ $# -gt 1 ]; then
# we use our input
b=$2
fi
# we user standard 35 rounds
if [ $# -lt 2 ]; then
b=35
fi
# size of the file
length=`wc $1 | awk '{print $3}'`
# file size / 512 blocksize for counts
x=`expr $length / 512`
# if the file is smaller than 512 bytes
if [ $x -lt 1 ]; then
# one count
x=1
fi
# count + 1 count more
x=`expr $x + 1`
# we begnin with 0
a=0
# some info
echo "wiping $file"
# the wiping
while [ $a -lt $b ]; do
# write from urandom to our file x times
`dd if=/dev/urandom of=$file count=$x 2>/dev/null`
# doing a sync
sync
# the round counter
a=`expr $a + 1`
# some output
echo -en $a times wiped '\r'
done
# some info
echo
echo "set $file to zero length"
# we set the file to zero with /dev/null
`dd if=/dev/null of=$file count=$x 2>/dev/null`
# some info
echo "renaming and removing $file"
# renaming the file
mv -f $file wip; mv -f wip 0
# removing the file
rm -f 0
# last info
echo "done"
# exit
exit 0
5.3.5) NETWORK MONITOR
------------------------
try this syntax in your terminal and get a *good* terminal network
monitor, called trafshow:
-------------------------------------
[root@ ~]# apt-get install trafshow
-------------------------------------
5.4) UNIX
-----------
UNIX is nearly like linux. But unix was created at first from both. I
would say it is more stable and faster than linux but this oppinion is
only from my own experiences with unix. There are three main operating
systems of unix: FreeBSD, OpenBSD and NetBSD. All three are very secure
and stable. These BSDs you can get from "http://www.freebsd.org/" &&
"http://www.netbsd.org/" && "http://www.openbsd.org/" .
Unix by the way was build by hackers and also the internet was build
by hackers because they invented the sockets.
5.4.1) SNIFFER
----------------
a ssl sniffer
- "http://crypto.stanford.edu/~eujin/sslsniffer/"
5.4.2) KEYLOGGER
------------------
unix terminal keylogger
- "script" <at> FreeBSD [at] "/usr/src/usr.bin/script"
5.4.3) SPYWARE
----------------
portscanner (hackers swiss army knife) - by hobbit
- "ftp://coast.cs.purdue.edu/pub/tools/unix/netutils/netcat/"
5.4.4) WIPER
--------------
file and block device wiper
- "http://wipe.sourceforge.net"
5.4.5) NETWORK MONITOR
------------------------
a very good network monitor for a unix terminal is IPtraf:
- "http://www.iptraf.seul.org/"
5.5) HARDWARE
---------------
You can not only spy with software on a computer system. There are much
more ways to watch. There could be a mini hardware keylogger installed
into your keyboard or your computer or a small hardware network sniffer
on your computer hardware. This kind of spying is not detectable about
the normal way - so impossible to detect over normal software. A
hardware keylogger f.e. is very small, this device could be plugged
between your keyboard and your normal keyboard PS2 or USB ports. It
could look like this:
| 1) keyboard
| 2 .------.-----.---| 2) cable
1 |=//=====| 3 | 4 | 5 | 6 3) keyboard USB/PS2 plug
| "------"-----"---| 4) hardware keylogger
| 5) USB/PS2 port
6) computer
One of the most high developed hardware spying systems is called
"tempest". It can detect the radiation of your monitor lots of meters
away - so the spy can see about this way what is on your screen, what
you write and so on.
An other high developed spying system is by the way "echelon". It grabs
all data which goes over the internet, over phonelines and handys. They
are searching the datastreams with a kind of patternscanning so special
words. Otherwise it is hard to scan the *big* datastream which goes
around every day. I think you can imagine what size of logfiles all this
data can cause.
Search the internet if you wanna know more or less about these projects,
this kind of stuff is too much for a paper like this.
5.6) SEARCH ENGINES
---------------------
Now this is a special section but also a mention worth. Search engines
are no real spies but they collect your data and many wanna try to find
out who you are, what you do, where you live, how you live and so on. So
in other word: they try to find out all about you what they can and
collect this data. Search engines are helpfully but when they become a
kind of spy is this not ok i would say.
So what can we do against this ? We can disable their cookies in our
browser at first and do not accept cookies from them. Cookies tell the
site from where they come a lot about where you surfed and how you had
surfed. Many of them have a lifetime of many years and if you do not
delete them they can collect your privacy from lots of years with all
used search words and sites you entered. We can also surf with proxy
and a webfilter to hide our IP and our OS ( operating system ).
We can also enter words in the search engine for which we really don`t
wanna search for. So if you have a cat at home then enter the word "dog"
and so on. So with every search you can enter some "false information"
about you or whatever. Some random input is also nice like 123 or abc.
When you have your search results then just copy the link from the site
into another browser window, so do not click on one link. With this they
can not know what you have clicked. So the whole search with this here
for them probably looks useless. To do this is your right and it is
nothing what is wrong. Some people are building now sites to make a
profile from _every_ people in the world (sick!). One of this sites is
"www.spock.com" - this is called "profiling" / personal data collecting.
Such services could also be used as an attack for / with disinformation.
By the way: an ex agent from the CIA said that google has a good
connection with the CIA and that the CIA helped google with money. Now
Google has a new policy and there they say that they can delete and
censor some stuff if it is something for example that the government do
not like. Of course, they deleted many stuff. And from a logic point of
view google must have this connection because it made pictures from
space - google maps. This can not be done by everyone because you could
spy with this way. This is all i know from my knowledge about that.
Here are some sites to search secure or / and anonymous:
- "https://ssl.scroogle.org"
- ...
6) HOW TO USE THE TOOLS
-------------------------
From section 6.1 to section 6.3 i will explain how you can use these
tools and in which ways you could do that. The content of the sections
is about configuration, control and security.
For sure, there are much more ways and ideas to secure a system with
these and other tools but i cede this to your creative brain because
this paper is *no* detailed security howto - it's just a *short* and
smart overview of a possible concept - written for curious, interested
security novices.
6.1) CONFIGURATION
--------------------
You can use these tools for a better configuration of you hardware and
software. At first you have to check your system and network for known
and maybe unknown security holes. Close all useless ports ( services and
demons ) which you don't need on your system as a first simple security
way.
Try to break the security of your system and of your network. If you
find bugs, maybe with the help from some exploits too, then try to fix
these security holes with patches, updates or with your own solutions.
examples:
You can check the funkrange between your access point and your wireless
lan card of your wireless lan network with a wireless lan sniffer or
with a scanner program of that kind.
You can test the security of your firewall with a scanner, sniffer or a
backdoor program, to call just a *few* things you can do for more
security on your own system.
Here is a scan with "nmap" on a linux box at "localhost":
---------------------------------------------------------------------
[root@ ~]# nmap -v -sS -O localhost
Starting nmap 3.81 ( http://www.insecure.org/nmap/ )
at 2007-01-27 10:00 CET
Initiating SYN Stealth Scan against localhost.localdomain
(127.0.0.1) [1663 ports] at 10:00
Discovered open port 111/tcp on 127.0.0.1
The SYN Stealth Scan took 0.06s to scan 1663 total ports.
For OSScan assuming port 111 is open, 1 is closed, and neither are
firewalled
Host localhost.localdomain (127.0.0.1) appears to be up ... good.
Interesting ports on localhost.localdomain (127.0.0.1):
(The 1662 ports scanned but not shown below are in state: closed)
PORT STATE SERVICE
111/tcp open rpcbind
Device type: general purpose
Running: Linux 2.4.X|2.5.X
OS details: Linux 2.4.0 - 2.5.20
Uptime 0.003 days (since Sat Jan 27 10:00:11 2007)
TCP Sequence Prediction: Class=random positive increments
Difficulty=3994719 (Good luck!)
IPID Sequence Generation: All zeros
Nmap finished: 1 IP address (1 host up) scanned in 2.201 seconds
Raw packets sent: 1679 (67.4KB) | Rcvd: 3364 (136KB)
---------------------------------------------------------------------
The programm scanned 1663 ports but just one port was open. It was TCP
port 111. All other ports are closed. The OS detection shows a linux
system with kernel 2.X -- that is right. You need root to do this scan.
NMAP is always also for windows there to download.
6.2) CONTROL
--------------
If you want control or check the main computer, the server, of a network
constantly then you can use a keylogger. Admins often sit in front of a
server which must be controlled.
This is useful to check the system and the network for unauthorized
access. ( persons which should have *no* access to the server ) If an
unauthorized person has access to the server of the network - the
logfiles of that installed keylogger soft- or hardware should show this
hopefully.
Here is a shot with the program "netstat", to look for connections:
( unix / linux )
-------------------------------------------------------
[user@ ~]# netstat -st
Tcp:
0 active connections openings
0 passive connection openings
0 failed connection attempts
0 connection resets received
0 connections established
6726 segments received
3370 segments send out
0 segments retransmited
0 bad segments received.
3352 resets sent
Udp:
0 packets received
2 packets to unknown port received.
0 packet receive errors
0 packets sent
TcpExt:
18 resets received for embryonic SYN_RECV sockets
0 packet headers predicted
0 TCP data loss events
-------------------------------------------------------
And we can see: there are no active connections at TCP streams. But a
monitoring tool would be better for this job.
You could also install backdoor clients on every computer which are
connected on the main server. With this you can control everything easy
f.e. shut down the computer when he's not in use any more, start and
cancel internet connections and so on.
When i say control - i don't mean spy at others with this control. I
mean control a computer system with this. The meanings between control a
system and control a person ( a human life ) is immense. In ethical
speech: Everybody should *always* respect the privacy of others.
With "ps -A" ( linux / unix ) you can see what programs are running:
--------------------------------------
[user@ ~]# ps -A
PID TTY TIME CMD
3081 tty1 00:00:00 ps
PID TTY TIME CMD
1 ? 00:00:00 init
2 ? 00:00:00 keventd
3 ? 00:00:00 ksoftirqd_CPU0
4 ? 00:00:00 kswapd
5 ? 00:00:00 bdflush
6 ? 00:00:00 kupdated
99 ? 00:00:00 kjournald
335 ? 00:00:00 knodemgrd_0
456 ? 00:00:00 khubd
838 ? 00:00:00 portmap
1003 ? 00:00:00 cron
1009 tty1 00:00:00 bash
1010 tty2 00:00:00 bash
1011 tty3 00:00:00 getty
3085 tty1 00:00:00 ps
--------------------------------------
So here is no logger running and no spyware or sniffers visible. Do NOT
forget: because you do not see something must not mean that there is
nothing like sniffers and so on. They could be hidden.
Under windows you can take a little look at the "task manager" if you
wanna see what services are running at moment. With this program you can
start and stop services. But here are the same rules like said before:
not always is what you see the only thing which is there.
6.3) SECURITY
---------------
However, these tools are for testing the security of *your* system and
*your* network. They are not for illegal activities, like told before.
Use these tools to check and secure your system and your network for
known and unknown bugs ( security holes ) - there are lots of ways to
do that.
Develop your own security concept which is proper to the needs of your
network and your system. Security is a concept with lots of
possibilities but not all are secure - flexibility is *always* good.
Well, that's all about this here. I won't tell you more, use your
creativity and your intelligence too. At least you have to consider
about what is to do or not to do at the right time - at least it's your
own system.
So this here is more for your mindset. Check your situation. Make planes
&& ( and ) "make install" on them.
Read security mailing lists, search for good and good visited
( independent ) security sites ( f.e.: http://www.rootkit.com/ ) - get
informed and stay informed. Knowledge is the best for good security.
A very good technic site for security is: "http://www.phrack.org/" .
"http://www.astalavista.com" is also a very good security site and a
click worth.
Also read this under unix, it is very good information:
-------------------------
[root@ ~]# man security
-------------------------
7) ATTACKER DETECTION
-----------------------
The detection of an attack can be very hard if you are a novice user or
administrator. Bugs are not dead and they seem to be normal in the
development of hard-, soft- and wetware - bugs are a part of our life.
Every human has bugs and often soft- and hardware too.
If you can't detect an attacker on your machine then your system seems
to be insecure and your detection unusable at least. Again, you should
set up a good configured firewall and also an automaticly intrusion
detection system.
( tip: It's always good to read security mailing lists to widen your
knowledge. A very good site is: "http://www.securityfocus.com/" -
"http://www.slashdot.org" is also a good news site and a read worth )
Protection is the step which you should choose before a possible
detection could happen. We'll talk about this in "section 8".
7.1) INTRUSION DETECTION
--------------------------
You can do lots of different things to detect an attacker on your
system. A good way is to check your logfiles constantly as often you can
and you could also do a MD5 checksum on every logfile that you can see
if something in that files was changed or deleted. You can also use SHA1
and SHA256 which are securer.
Here are some examples how MD5 and SHA1 hashes could look like:
-------------------------------------------------------
[root@ /var/log/]# ls -l wtmp
-rw-r--r-- 1 root wheel 130 Jan 27 10:00 wtmp
[root@ /var/log/]# md5 wtmp ; sha1 wtmp
MD5 (wtmp) = 3262971fd6d030b25e6facb8135109aa
SHA1 (wtmp) = 1413445651bbabeb2652860f06f7d2acb5bb994b
--------------------------------------------------------
MD5 makes a 128 Bit and SHA1 a 160 Bit cryptographic checksum.
You could also write or use a software wich makes automaticly copies
from your logfiles often and send them through a encrypted connection to
another server or encrypt and save them on your own harddrive or
something of that kind - again, like said before: use your own
creativity and imagination.
You can also check every file which seems important to you. Do a MD5,
SHA1 or SHA256 checksum on them and maybe control the sizes of them if
you can.
Use tools like "snort", "tripwire" and "chkrootkit" to detect some
possible attacks on your system. Control your traffic with a good
firewall filter. Make a portscan to find open ports that should be
closed. Create a little honeypot to find attackers before they can
break your security concept or privacy.
F.e.: Write a little honeypot by simulating an FTP, HTTP, SSH or
whatever server. Write it so that when somebody connects your program
logs the source IP from the packet, gives an alert, makes a trace and /
or disconnected your connection to the internet. A nice idea would also
be a fake FTP server with anonymous access ( and logging of course ) .
This program could run on every machine in the cafe or just on the main
server.
( If you are a beginner and wanna start with programming then it is no
wrong descision in my oppinion to learn python - www.python.org . It
is OS independent and very good documented (good to learn), a good
HowTo is included and many code examples. Reading on "http://rfc.net"
is also recommend. )
A run with "chkrootkit" on your system could look like this:
---------------------------------------
[root@ ~]# chkrootkit | grep INFECTED
---------------------------------------
7.2) AUTORISATION
-------------------
If an attacker has passed by every security and has successfully entered
your system then he should have a *hard* way to do something on your
computer. But often he has root ( admin rights ) when he is on your
system over a security hole, if not - you got luck.
With the program "w" ( linux / unix ) you can check who is logged in:
-----------------------------------------------------------------------
[user@ ~]# w
10:20:00 up 8 min, 2 users, load average: 0,08, 0,09, 0,04
USER TTY FROM LOGIN@ IDLE JCPU PCPU WHAT
root tty1 - 10:00 0.00s 0.88s 0.00s w
user tty2 - 10:01 2:19 0.03s 0.03s -bash
-----------------------------------------------------------------------
So there are just two users logged in - "root" and "user".
Give important files which others should *not* read or use only root
permissions ( f.e. with "chmod 700" ) and put them in protected
directories or on encrypted partitions on your harddrive. ( f.e. with
"gbde" )
Before an attacker can do everything he want, he must become the highest
authority status on your system at first ( "su" / root ).
Here is a little example for the use of "chmod" ( unix / linux ). First
we create a file with the word test in it, look at the actual chmod and
read it with "cat". After this we change the chmod to 600 for read and
write rights ( r/w ) but only for root. User will have no rights. (0)
----------------------------------------------------
[root@ ~]# echo "test" > testfile
[root@ ~]# ls -l testfile
-rw-r--r-- 1 root wheel 5 Jan 27 10:20 testfile
[root@ ~]# cat testfile
test
[root@ ~]# chmod 600 testfile
[root@ ~]# ls -l testfile
-rw------- 1 root wheel 5 Jan 27 10:21 testfile
[root@ ~]# cat testfile
test
----------------------------------------------------
Then we log in with user status and try to read it again with "cat".
----------------------------------
[user@ /root]# cat testfile
cat: testfile: Permission denied
----------------------------------
You see, it is not possible to read it now. Only root can read it.
Again, find out the best security concept for your computer or network,
it's an *individual*, complex field and because of this we can't go to
deep in every possible detail - it's too much for a quick and smart
overview.
However, everything which is important to you and others should be
protected. *Never* give persons which you don't know good enough admin
rights - this would be careless. You *can't* know what they will do
with this permissions! ( f.e. invite other users or create new profiles
for others and so on )
8) HOW TO AVOID ATTACKS
-------------------------
A good protection is a good way to avoid attacks from an unknown and
unauthorized access of other strange people.
You can use encryption and you should make updates for your system and
the programs on it every few days. The more you are using the internet
the more you should do updates.
8.1) ENCRYPTION
-----------------
Encryption is good for your network connections, chat connections,
private data, your email and also for a secure surfing on the internet.
For network connections or chat connections you can use ssl and ssh
( "http://www.openssh.org" and "http://www.openssl.org" ) tunnels or
programs which support these services. ( f.e. the chatprogram "irssi"
for IRC, or mozilla mail { "http://www.mozilla.org" }, to call just a
few - "http://www.irssi.org" . ) Xchat - "http://xchat.org" - a chat
tool - is also very nice.
Tip: ICQ/AIM/MSN/YAHOO messengers by the way are logging everything
you write and after you hit send, they have COPYRIGHT of all which you
wrote - that is right. And then they can do with your stuff whatever
they want, also commercial usings - selling your thoughts / privacy.
You can read this in their policy on their websites. Do NO longer use
these evil services. ( Use encryped and anonymous IRC servers instead
or use Jabber. ( "www.jabber.org" ) Both can be used with TOR. )
If you use wirelesslan connections, set a security key on them. If you
want to encrypt your private data or your emails you should use pgp or
gnupg, they use a strong and secure algorithm. ( up to 4096 bit )
( "ftp://ftp.kiarchive.ru/pub/unix/crypto/pgp/" )
With "gbde" you can also encrypt your swapspace by the way.
( at FreeBSD: "/usr/src/sbin/gbde/" )
To do so we need 2 files and two lines in FreeBSD, and do a random
overwriting before:
----------------------------------------------------
[root@ ~]# dd if=/dev/urandom of=/dev/ad0s1b bs=1m
[root@ ~]# cat /boot/loader.conf
geom_bde_load="YES"
[root@ ~]# cat /etc/fstab | grep bde
/dev/ad0s1b.bde none swap sw 0 0
----------------------------------------------------
This is all you have to do to encrypt your "swap space" on FreeBSD.
For a secure surfing on the world wide web ( www ) you can use anon
proxyserver with an opensource browser like firefox. You can additive
use http encryption ( "https" ) - http secure - if you surf on sites
which support these service. ( "www.mozilla.com/firefox/" ) For a secure
file transmission use an encrypted ftp connection ( sftp ) - secure ftp.
( at FreeBSD: "/usr/src/secure/usr.bin/sftp/" [ in the "../src/.."
archive you can compile the software for yourself if it is there with a
"make && make install" on your unix / linux terminal. ] )
For a secure and anonymouse surfing you can use the site:
"http://www.anonymouse.org/" . Another good secure and free program is
TOR. ( "http://tor.eff.net" ) . TOR can be used under windows, unix and
linux. You can chat and surf over TOR anonymously and SECURE, it uses a
lot of mix notes as proxys, your connection is always encrypted with it.
( "http://torproxy.net" is also a nice site to surf anonymous )
There is an option in privoxy, the webfilter which is mostly included in
TOR, which is for hiding your browser and operating system, so nobody
can see this data. You can enable this option in the special privoxy
file, just search a bit in the privoxy directory. You can also disable
logging in TOR - just edit the special file in the TOR directory, this
is all easy because all files have *good* comments. When there are
logfiles present - an attacker can very easy see what sites you have
visited. Important: to see if you HTTP or FTP proxy is running in your
browser and if you are anonym go to a site like: "http://www.myip.dk"
- there you will see your IP and your actual HOST.
( tip for beginners: Do not use your real name as nickname in chats. )
To encrypt a file under UNIX with "bdes" you can use this syntax:
-------------------------------------------
[root@ ~]# bdes < input > output.bdes
[root@ ~]# bdes -d < output.bdes > output
-------------------------------------------
The first line is for encryption. The second is for decryption. This
tool uses a strong DES encryption.
Under windows, to encrypt a partition secure, you can use the tool
"truecrypt". ( "http://www.truecrypt.org/" ) For SSH you can use "putty"
( "http://www.chiark.greenend.org.uk/~sgtatham/putty/" ) and for SFTP
use "psftp" . To encrypt files under windows you can use the program
"file2file", it uses a strong AES encryption and is free and very small.
( "http://www.cryptomathic.com/" )
If you want a free, secure and anonymous operating system you can try:
"http://sourceforge.net/projects/anonym-os/" - Anonym OS .
And don't forget: use *strong* passwords!
8.2) UPDATES
--------------
Check your system and your programs as often you can for new updates.
An update is often a bugfix or a new implementation of a new feature for
the program. But with a new update often comes a new bug. Nevertheless,
do updates if a new stable version of your needed system or program is
available because this is much securer than to have older versions of
them on your harddrive.
Download the needed bugfixes, patches and updates only from trusted
sites or from the original site of the system or the program and try to
check the MD5 files if they are present, this could prevent you from
download errors or a possible file manipulation over your data stream.
A complete system "update" for linux "debian" in five steps: ( just the
lines without the output from "stdout" )
----------------------------------
[root@ ~]# apt-get update
[root@ ~]# apt-get upgrade
[root@ ~]# apt-get dist-upgrade
[root@ ~]# apt-get clean
[root@ ~]# apt-get autoclean
----------------------------------
You must be root to do this by the way. You can also install new
software with an "apt-get install $program" on the "terminal".
Windows normally makes automatic updates but this option could also be
a security risc. So i would say you better check them sometimes by hand
and / or search http://www.microsoft.com/" for bugfixes, patches and
security reports. And do not forget: you better close the remote control
from windows if you do not need it.
8.3) BACKUPS
--------------
Backups of your files are _important_. An attacker could delete or
change some sensitive contents of this files. Without a backup you have
to write, configure or program them again. This could cost you much of
your valuably time. Sure, you can't avoid an attack with a backup - it's
for prevention.
Do a backup of your files as often you can if the content of this files
has changed. Save your files at "secure" places - protected and
encrypted if possible or necessary. Two or more backups at different
places are maybe better than just one. ( f.e. at your USB -- of course
*encrypted* ) A secure place could be a fire save tresor.
For a backup from your "/home/user/" directory you can hit the following
two lines into your terminal on a unix system: ( Without the output from
"stdout" . )
------------------------------------------------------
[root@ ~]# mkisofs -R -o backup.raw /home/
[root@ ~]# cdrecord -v speed=20 dev=2,0,0 backup.raw
------------------------------------------------------
We created a file with all the backup data in ISO 9660 format with rock
ridge extensions with "mkisofs". After this we burned it with
"cdrecord". You must do a "cdrecord --scanbus" to detect your device
from your cdrom before probably. Another good burning program for unix
and linux is "K3B" .
For windows i would say "Nero" is a very good burning program. It has
many good options and is a good windows tool.
8.3.1) DATA RECOVERY
----------------------
You could make an ISO file from your system or from one special
partition and then save it encrypted on USB or a CD. When this partition
is destroyed or manipulated you can simply copy the saved ISO file on
the same place it was before. With this you do not have to compile
everything new.
8.3.2) IMPORTANT TOOLS
------------------------
To secure your system a bit more you could also save all important
programs to USB or CD and save it on a secure place. You could copy
these programs every day new on your harddrive. These tools could be:
"ps", "netstat", "w", "who", all sort of hash program ( sha1 etc. ),
"chkrootkit" and also your kernel. Sure, there are much more programs
you could save and copy every day - develop your own concept here.
After copying them: check them all. ( run them all )
8.4) BASIC TIPS
-----------------
There are a few basic tips you should *keep* in mind to prevent a
possible abuse of your private files or accounts.
- Before you start a session in an internet cafe and enter some
sensitive data like your account login and the fitting password you
should look under options in the used browser and check if the
automatic storing of logins and passwords is enabled. If that's the
case: turn it *off* and *delete* all stored accounts. This may help
lots of other people too.
You could enter this stored accounts simply. You have only to type
the stored login data into the right login field and the matching
password comes automaticly.
- After your session: delete the history in the browser, delete all
downloaded files and also delete the trash, delete the cache and close
the browser - you often can "surf" simply back to the visited sites
about the back button in the browser if the browser wasn't closed
after a session. Delete also your cookies.
- If it is possible then delete the cache , the downloads and the
history with a wiper. This is much more secure.
- If possible after a session then wipe the free discspace and your
private data.
- It is also good just to disable the history, cache and cookies.
- Run XP AntiSpy and configure it at windows systems. It is free.
( http://www.xp-antispy.org/ )
- Disable also JAVA, automatic software update / download / install,
active X and maybe picture viewing if possible and enable your
popup blocker
8.5) LIVE CD
--------------
A live CD can also help to protect against a possible attack and it can
take down much of the riscs. But there are some points we should keep in
mind because without them we are not so secure as we want to be.
So we download an ISO for a live CD from a http or ftp site and burn it.
( Maybe http://www.distrowatch.com/ ) Now there are two ways how we can
use it:
- your own private live CD , just downloaded or selfmade
- the internet cafe has a live CD for every computer on the network,
also just downloaded or selfmade
In case one we must ask in the internet if it is ok that we wanna use a
live CD for surfing because of security reasons. Many internet cafes
have their own, often selfmade, money software. There they can see how
long you were online and how much you have to pay. I would say that the
case is rare where you can use a / your own live CD. But if you can you
must have a little bit knowledge of how you must configure your network
IP. ( Normally a live CD makes this all automatic but you can make it
also by hand with "pump" or "ifconfig" and "route" under Unix / Linux. )
In case two they could have live CDs for surfing and also selfmade ones
with selfmade software for the surfing costs. But to go to a higher
security lever we can do much more than using a live CD. If we have
about 1GB of RAM we could just use the the live CD without any
harddrives (HD) installed or mounted. Cause HDs are easy to mount under
unix and linux, this kind of software is normally installed on every
unix and linux box as a standart. So if someone hacked you over your
live CD and you do a reboot - all data is like before. But with a
mounted HD with windows on it for example the attacker can manipulate
windows *easy*. So the better idea would be to just run a live CD from
RAM ( A very good small one is *DSL* - Damin Small Linux, a 50 MB live
CD! So the rest of space would be for downloads. ) or use a HD just as
a place to store something ( data ) so nobody can manipulate the
operating system ( OS ) because there is no OS on the HD - only free
space.
And after a reboot, if you installed or downloaded something your
system is so fresh like before, cause you can NOT manipulate a live CD
when it is in use. ( Doing it would be hard! ) Even when somebody hacked
you over your live CD while you were online - after a reboot everything
is ok again. ( Only from RAM or with a HD only for storing something
without an OS. ) But the question we must ask ourself is now: Can we
*trust* the live CD we are using in the internet cafe ? Could they be
manipulated ? Who knows ...
Here are some more of the riscs we must look at. If there was some data
on the HD , a trojan horse could be binded on it without you can see it
so easy. Sourcepackages on it can be replaced with manipulated code. And
so on and so forth. I think you understand what can happen.
Also the attacker could have sniffed your passwords or some sensitive
data. If you reboot or not it does not change the fact that he has them.
A reboot can NOT help against this case - that is clear.
But what we can do after an attack when we noticed it sooner or later we
will discuss in the following section. ( 9. - after a broke in )
8.6) SECURE EMAIL
-------------------
It is no wrong descision to use free, secure and anonymouse email
accounts. Because when they hacked your email account and you gave all
your personal information ( real name, address, birthday etc. ) away -
the attacker can do a lot with this data - social engeneering f.e. . So
use better email accounts where you only need a nickname, a password and
nothing more. Two good sites in my oppinion are:
"http://www.rootshell.be/" and "http://www.safe-mail.net/" -- there you
have a free, SECURE and anonymous email account. Secure because you have
a SSL connection when you enter your email box. Without SSL everybody
could sniff your password in plaintext over your connection - with SSL
your password is encrypted. You better DO NOT use email accounts without
SSL. Avoid your real name as your email address.
Tip: For more security delete all your email after you read it, so read
it and then delete it, then you do something for your mind and for your
security because when somebody hacked your account he has nothing to
read so no information. It is good for your mind because many stuff then
is saved in your brain so your brain has more work to do in a good way.
"http://www.bluebottle.com" is also a nice free and secure email site.
Do not abuse these free good services with lame anonymous jokes or
useless spam. They are made secure and free for *you* as a gift. For
more security on your email account you can delete every email you get
after you had read it - so read it and then delete it. If someone has
access to your account he will probably find nothing or not much because
there is nothing stored. Store it in your brain instead.
8.7) INSECURE BIOS
--------------------
Do NOT trust BIOS passwords. When you have access to the inside of the
computer in the cafe you can just take out the BIOS battery, reverse the
BIOS battery put it and then put it in right reversed again. Then you
have a complete BIOS RESET and the password is deleted. Now you could
enable disabled CD-ROMs , HD's or whatever. I tested it on an own
computer - an AMD 200MHz model with VESA BIOS. When you only take out
the battery for some time and put it in again without reversing it then
the password is not deleted and there is no reset - so no effect. So it
was when i tested it. So the battery is here is like our KEY. And yes,
this may sounds lame and maybe it is but it is functioning.
Please ONLY try this when the energy from the computer is TURNED OFF.
normal: reset: 1) +
2) -
__________ 4 __________ 4 3) battery
.--1----------------. _/.6---2-----..\_ 4) +
[_ 3 _] [ 3 ] 5) -
`\.6____2____../' `-1---------------' 6) isolation
=============== 5 ================== 5
There are many master password lists in the internet and special ways
to hit some keys on boot to get the BIOS password too. ( Use a
searchengine to get this information. ) So BIOS is not very secure. It
can also be hacked and manipulated - so it can hide a trojan horse. You
could update it every day to avoid this.
Some passwords from BIOS can be disabled with special jumper positions
on your hardware. You must search for the special manual of your board
to get this information.
8.8) BANK ACCOUNT
-------------------
I would just say here: do *NO* money transmission in an internet cafe.
Doing it at home is also not so save but in an internet cafe it is much
more dangerous and insecure. You should *go* to your bank and make your
money transmission there, this is more secure. Think about what we talk
here and think about what will happen if somebody has access to your
money and bank account over the internet. You can simply avoid this by
doing it at your bank. Here is trashing also possible - so destroy your
papers before you send them into he trash or send them to the trash at
your home.
( Many stuff today is *much more secure* when you do it by hand, not
by technology. Our world goes in a direction where everything will
be done by robots and computers, so "everything" goes automatic.
This is not bad at all but when these systems will fail it can
cause great problems. Think about the hot summers where the hot
temperature can destroy computer chips and what all can happen
through this. )
9) AFTER A BROKE IN
---------------------
This is a very important section. What you must or have to do after a
broke in / attacker detection is important like securing the system
itself.
You could notice an attacker by a look in the log files, an alert from a
detection program, an alert from a honeypot, a changed file, a deleted
file, an open port with a strange software on it, a massive data streams
over your connections, a massive noise from your working harddrive, your
CD-ROM is reading a CD from "alone", your upload is away , you just
make a search - and find something (program), someone (attacker) or a
trace (log entry) or the admin could notice the attacker behind the
server with a monitoring tool or an intrusion detection system. However.
So what can we do then ? If the attacker is connected you can make a
tracert or a portscan to his system and maybe send him a message. You
can disconnect your internet connection. The best is to *pull the plug*
and then search for more. The longer the attacker is connected to your
system physically the more chances he has to wipe his traces or to get
more data from your system. If you do not pull the plug, his (hidden)
programs could make a new connection from the computer to the internet
automaticly - this is possible. When you pulled the plug you can search
for his programs which often encrypt all data they send and try to hide
themself in tricky ways. ( trojan horses or rootkits ) Offline you are
secure against online attacks.
It would be better when you tell the local admin from the cafe what
happened. He then has to scan the whole network, the server, the router
and probably every connected computer in the cafe. Lots of work, yes.
As admin from the internet cafe you better set up a *fresh* and
completely *new* system with completely *new* and *strong* passwords.
You should make software updates and also search all other computers for
bugs. If you know the kind of the attack or the bug or the attacker file
(program) then scan all other computers with this knowledge and secure
them if needed. Then change all passwords on the whole computer network
and tell all people there that they should change their passwords too
because of a (possible) attack. If you as admin find a user physically
hacking the cafe then act friendly never the less and decide if it makes
sense to call the police and maybe safe the traces.
As user change all your online passwords too. ( email and so on ) Delete
or better *wipe* private data from the HD and tell the admin and all
users there what happens. If you as user find the admin or a user
physically hacking the cafe then (if it is the admin) tell all users
what is happening, leave the cafe, decide if you will call the police,
safe the traces before and wipe all private data, change all your
passwords somewhere else and never visit this cafe again maybe. If it is
a user then please him to stop this and tell him that this is a bad idea
and tell the admin what happens.
In short form: after a broke in: pull the plug, make a new and clean
system with bugfixes, patches and updates , make your *whole* system
more secure than before and change all passwords, physically and online.
10) REST OF RISC
------------------
The biggest hole in every network, software and system is the human
himself. He is programming, hacking, administrating, securing,
penetrating, scanning, cracking or whatever.
Sometimes you have to trust admins but at least you don't know them.
Trust only people you know good enough. Try to use mostly opensource
software where you can find the sourcecode to every program and on which
lots of people are working for *free* ( A long life to the open source
scene! ) to find new bugs and make new updates, patches and stable
versions.
However, without a look in the "source code" you can't "trust" a
( possible backdoored ) "program" or human. ( "Sourcecode" in the case
"human" would be the mindset or soul of the individual. )
( To hack your source code or better your brain you can do things
different - f.e.: turn off TV and keep away from mass media for some
days or more time, if you smoke or drink (too much) then stop it for a
week or a month or forever and SEE the difference - this both will
have a great and good effect. Meanwhile do other things you like. )
11) LAST WORDS
----------------
I hope you have learned a bit about security with this paper. These
informations here are not only for internet cafes. They should show you
how insecure things mostly are and should give you an overview about
security as a whole. Please share this information with others if you
like it.
Try to use your time useful and also try to use the creativity of your
brain. You always learn at best by doing the thing you want to learn.
And don't forget: Never trust other people until you know them
personally really good. This secures your system and your *life* lots of
more, doesn't it? The internet is *full* of vipers and liars - many
people talk many stuff on the internet to you and others which is often
_not_ true. You *better* *keep* this always in your mind. You *better*
*never* forget *this*. Many will try to give you a false ID of themself
to make you blind or to play with you. Yes, that is true.
Some people live a life in the internet as a person they arn't and can
NOT be in reality or real life. You better do not waste your time with
such unknown people or make some virtual friendships - it can be real
dangerous - you better believe it. Internet is a *dangerous* place -
there should be warning signs everywhere.
You should also always consider with a clear brain what you give to the
internet. If you set some personal data into the internet and it is
spreading like grass then it is very hard to stop this. So you better
avoid giving personal data to the internet - but this is your descision,
sure. Say also clear that you have all rights of your stuff - many
people think when your stuff is on their site - it is now their stuff,
that is really evil.
Tip: Do not spend too much time in the internet nor change your real
life for a "second ( virtual ) life" in the internet. Do NOT trust
virtual reality and do not get lost in cyberspace - it has often its
own evil and thumb anomalies because there many people want to be "the
boss", "play the boss" or act very antisocial - simply avoid or ignore
those people and try to be root "everywhere" you can.
12) MIRRORS
-------------
- "http://packetstormsecurity.org/papers/general/ICS.TXT"
- "http://packetstorm.syrex.com/papers/general/ICS.TXT"
- "http://packetstorm.foofus.com/papers/general/ICS.TXT"
- "http://packetstorm.austin2600.net/papers/general/ICS.TXT"
- "http://packetstorm.iamthebrain.com/papers/general/ICS.TXT"
- "http://packetstorm.blackroute.net/papers/general/ICS.TXT"
- "http://packetstorm.setnine.com/papers/general/ICS.TXT"
- "http://packetstorm.rlz.cl/papers/general/ICS.TXT"
- "http://packetstorm.ussrback.com/papers/general/ICS.TXT"
- "http://packetstorm.orion-hosting.co.uk/papers/general/ICS.TXT"
- "http://packetstorm.linuxsecurity.com/papers/general/ICS.TXT"
- "http://packetstormsecurity.nl/papers/general/ICS.TXT"
- "http://packetstorm.digital-network.net/papers/general/ICS.TXT"
- "http://packetstorm.dtecks.net/papers/general/ICS.TXT"
- "http://packetstorm.wowhacker.com/papers/general/ICS.TXT"
- "http://packetstorm.neville-neil.com/papers/general/ICS.TXT"
- "http://textfiles.com/uploads/ics.txt"
------------------------------------------------------------------
[ "If War Would Be A Solution -- Freedom And Peace Would Become An ]
[ Illusion." ]
[ "Talking About Peace And Freedom While Making War Is Like Giving ]
[ Poison While Saying It Is Water." ]
------------------------------------------------------------------
[EOF] - End Of File
TUCoPS is optimized to look best in Firefox® on a widescreen monitor (1440x900 or better).
Site design & layout copyright © 1986-2024 AOH
