Friday, September 16. 2011
PostgreSQL 9.1 Released
/*
Among the many new features, here's a snippet from the News page:
*/
Advancing the State of the Art
Our community of contributors innovates with cutting-edge features. Version 9.1 includes several which are new to the database industry, such as:
K-Nearest-Neighbor Indexing: index on "distance" for faster location and text-search queries
Serializable Snapshot Isolation: keeps concurrent transactions consistent without blocking, using "true serializability"
Writeable Common Table Expressions: execute complex multi-stage data updates in a single query
Security-Enhanced Postgres: deploy military-grade security and Mandatory Access Control
/*
The SE-Postgres looks to be particularly interesting. It allows you to use SELinux Mandatory Access Controls on the PostgreSQL users and data. Neat. Particularly the SECURITY LABEL.
*/
/*
Beware, however, that there are some incompatibilities with previous releases!
From the 9.1 Release Notes:
*/
Change the default value of standard_conforming_strings to on (Robert Haas)
By default, backslashes are now ordinary characters in string literals, not escape characters. This change removes a long-standing incompatibility with the SQL standard. escape_string_warning has produced warnings about this usage for years. E'' strings are the proper way to embed backslash escapes in strings and are unaffected by this change.
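To make the change concrete, here is an added Python example (not from the release notes) that lexes a string literal under both settings and shows why E'' literals are unaffected. It is a deliberately simplified lexer: octal and hex escapes, U&'' and dollar quoting are assumed away.

```python
from typing import Tuple

# Escape-mode translations; octal and hex escapes are left out for brevity.
ESCAPES = {"n": "\n", "t": "\t", "r": "\r", "b": "\b", "f": "\f"}

def lex_literal(src: str, standard_conforming: bool) -> Tuple[str, str]:
    """Lex one single-quoted literal at the start of src.

    Returns (value, text after the closing quote).  With
    standard_conforming_strings=on a backslash is an ordinary character and
    only a doubled quote is special; with it off (the pre-9.1 default)
    backslash escapes are processed.  E'...' is escape-processed either way.
    """
    escape = not standard_conforming
    if src[:2].upper() == "E'":
        escape, src = True, src[1:]
    if not src.startswith("'"):
        raise ValueError("literal must start with a single quote")
    out, i = [], 1
    while i < len(src):
        c = src[i]
        if c == "'":
            if src[i + 1:i + 2] == "'":       # '' inside the literal -> one quote
                out.append("'")
                i += 2
                continue
            return "".join(out), src[i + 1:]  # closing quote
        if escape and c == "\\" and i + 1 < len(src):
            e = src[i + 1]
            out.append(ESCAPES.get(e, e))     # \n, \t ...; otherwise the char itself
            i += 2
            continue
        out.append(c)
        i += 1
    raise ValueError("unterminated literal")

def quote_literal(value: str) -> str:
    """Emit an E'' literal, which the release note calls the proper way to
    embed backslashes: it means the same thing under both settings."""
    return "E'" + value.replace("\\", "\\\\").replace("'", "''") + "'"

def quote_naive(value: str) -> str:
    """Quote by doubling quotes only.  Correct with the new default, but with
    escapes on a backslash before the quote ends the literal early."""
    return "'" + value.replace("'", "''") + "'"
```

The last two functions show the practical consequence: a value quoted only by doubling quotes lexes differently on a pre-9.1 server, which is why parameterized queries or E'' quoting are the safe choice whatever the server's setting.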
/*
Also from the Release Notes, it mentions the addition of synchronous replication.
*/
PostgreSQL streaming replication is asynchronous by default. If the primary server crashes then some transactions that were committed may not have been replicated to the standby server, causing data loss. The amount of data loss is proportional to the replication delay at the time of failover.
Synchronous replication offers the ability to confirm that all changes made by a transaction have been transferred to one synchronous standby server. This extends the standard level of durability offered by a transaction commit. This level of protection is referred to as 2-safe replication in computer science theory.
When requesting synchronous replication, each commit of a write transaction will wait until confirmation is received that the commit has been written to the transaction log on disk of both the primary and standby server. The only possibility that data can be lost is if both the primary and the standby suffer crashes at the same time. [...] ...it also necessarily increases the response time for the requesting transaction. The minimum wait time is the roundtrip time between primary to standby.
/*
There's also a What's New in PostgreSQL 9.1 wiki page that explains much of these new features in detail.
*/
Sunday, August 28. 2011
Opa
Opa is a new member in the family of languages aiming to make web programming transparent by automatically generating client-side Javascript and handling communication and session control. Opa is written in OCaml. A hierarchical database and web server are integrated with the language. The distribution model is based on a notion of a session, a construct roughly comparable to process definitions in the join-calculus or to concurrent objects in a number of formalisms.
A good place to start is here. And here you can find several example programs with accompanying source code.
/*
This looks interesting. Although I don't know OCaml, it might be worth learning it to use this. The automatic creation of the client-side JavaScript for maintaining sessions and communication sounds pretty slick.
Here is the link to the documentation, which looks to be pretty decent.
*/
Thursday, July 28. 2011
Tunneling nmap through Tor
I looked at how to reduce your exposure using Tor earlier in the week. We installed Tor and Privoxy and configured our system to browse the Internet anonymously. We can use Tor and another great program called proxychains to Torify our network scans with nmap.
/*
I checked this out and it seems to work well. Other than the fact that Tor doesn't seem to carry UDP traffic (other than DNS) or ICMP traffic, you're limited to TCP traffic alone, which isn't too much of a limitation.
It is a little slow getting your scan results back - especially if you don't pass -p<port1>,<port2> to nmap(1), but it's certainly more secure than just trying to use an open proxy server out on the 'net.
All in all, a neat trick.
*/
Sunday, January 16. 2011
Common Threads: OpenSSH Key Management, part One
Many of us use the excellent OpenSSH [...] as a secure, encrypted replacement for the venerable telnet and rsh commands. One of OpenSSH's more intriguing features is its ability to authenticate users using the RSA and DSA authentication protocols, which are based on a pair of complementary numerical keys. As one of its main appeals, RSA and DSA authentication promise the capability of establishing connections to remote systems without supplying a password. While this is appealing, new OpenSSH users often configure RSA/DSA the quick and dirty way, resulting in passwordless logins, but opening up a big security hole in the process.
/*
Yet another of the DeveloperWorks! series. I love these articles.
The vulnerability in question has to do with pub-key (RSA/DSA) authentication and leaving a null/blank passphrase on the keypair. This article describes how to configure ssh-agent to cache the decrypted private keys so you only have to type the passphrase once per session. This has the benefit of allowing you to use scripted SSH logins without being prompted for a password, but also means that the keypair is still relatively secure even if someone else manages to compromise them via the filesystem.
*/
OpenSSH's RSA and DSA authentication protocols are based on a pair of specially generated cryptographic keys, called the private key and the public key. The advantage of using these key-based authentication systems is that in many cases, it's possible to establish secure connections without having to manually type in a password.
While the key-based authentication protocols are relatively secure, problems arise when users take certain shortcuts in the name of convenience, without fully understanding their security implications. In this article, we'll take a good look at how to correctly use RSA and DSA authentication protocols without exposing ourselves to any unnecessary security risks. In my next article, I'll show you how to use ssh-agent to cache decrypted private keys, and introduce keychain, an ssh-agent front-end that offers a number of convenience advantages without sacrificing security.
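An added example (not from the DeveloperWorks article) for the quick-and-dirty shortcut it warns about: a small Python check that reports whether a private key file on disk is actually passphrase-protected, covering the legacy PEM format the article's RSA/DSA keys use and the later openssh-key-v1 container. The sample keys are constructed, and the script assumes keys live in ~/.ssh.

```python
import base64
import re
import struct
from pathlib import Path
from typing import List, Tuple

MAGIC = b"openssh-key-v1\x00"
_V1_RE = re.compile(r"-----BEGIN OPENSSH PRIVATE KEY-----(.*?)-----END OPENSSH PRIVATE KEY-----", re.S)

def _read_string(buf: bytes, off: int) -> Tuple[bytes, int]:
    """SSH wire 'string': 4-byte big-endian length, then the bytes."""
    (n,) = struct.unpack(">I", buf[off:off + 4])
    return buf[off + 4:off + 4 + n], off + 4 + n

def key_is_encrypted(text: str) -> bool:
    """True if the private key material is wrapped with a passphrase-derived key."""
    m = _V1_RE.search(text)
    if m:
        blob = base64.b64decode("".join(m.group(1).split()))
        if not blob.startswith(MAGIC):
            raise ValueError("bad openssh-key-v1 magic")
        cipher, off = _read_string(blob, len(MAGIC))   # ciphername, then kdfname
        kdf, _ = _read_string(blob, off)
        return cipher != b"none" and kdf != b"none"
    if "PRIVATE KEY-----" in text:
        # Legacy PEM: an encrypted key carries Proc-Type/DEK-Info headers, a plaintext key none.
        return "Proc-Type: 4,ENCRYPTED" in text
    raise ValueError("not a recognised private key")

def audit_dir(ssh_dir: Path) -> List[Path]:
    """Return the private key files under ssh_dir that have no passphrase."""
    weak = []
    for p in sorted(ssh_dir.iterdir()):
        if not p.is_file() or p.suffix == ".pub":
            continue
        try:
            if not key_is_encrypted(p.read_text(errors="replace")):
                weak.append(p)
        except ValueError:
            continue  # config, known_hosts, certificates and the like
    return weak

def sample_v1_key(cipher: bytes, kdf: bytes) -> str:
    """Constructed stand-in: a v1 container with only the header fields set."""
    def s(b: bytes) -> bytes:
        return struct.pack(">I", len(b)) + b
    blob = MAGIC + s(cipher) + s(kdf) + s(b"") + struct.pack(">I", 1)
    body = base64.b64encode(blob).decode()
    return f"-----BEGIN OPENSSH PRIVATE KEY-----\n{body}\n-----END OPENSSH PRIVATE KEY-----\n"

# Constructed legacy PEM samples (key bytes replaced by filler).
SAMPLE_LEGACY_PLAIN = "-----BEGIN RSA PRIVATE KEY-----\nAAAA\n-----END RSA PRIVATE KEY-----\n"
SAMPLE_LEGACY_ENC = ("-----BEGIN RSA PRIVATE KEY-----\nProc-Type: 4,ENCRYPTED\n"
                     "DEK-Info: AES-128-CBC,00112233445566778899AABBCCDDEEFF\n\nAAAA\n"
                     "-----END RSA PRIVATE KEY-----\n")

if __name__ == "__main__":
    for path in audit_dir(Path.home() / ".ssh"):
        print(f"no passphrase: {path}")
```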
/*
A more in-depth description of what I mentioned above.
Highlights include:
What is RSA/DSA authentication?
How RSA/DSA keys work
Two observations
ssh-keygen up close
The quick compromise
RSA key pair generation
RSA public key install
DSA key generation
DSA public key install
For those already familiar with ssh-agent(1) - which you should be - you can skip ahead to Part Two and Part Three.
*/
Wednesday, February 17. 2010
20 Years of Adobe Photoshop
One of the most impressive things about the company is the fact that one gifted family, consisting of an engineering prof, a PhD engineering student, and a talented special effects whiz working at Industrial Light and Magic came up with the core idea of Photoshop.
Thomas Knoll, the PhD student, is still heavily involved with Photoshop years later.
Glen Knoll was a college professor with two sons and two hobbies: computers and photography.
He had a darkroom in his basement, and an Apple II Plus that he was allowed to bring home from work.
Thomas Knoll adopted his father’s photography habit throughout high school, while his brother, John Knoll, purchased one of the first Macs available to the public.
Fast forward to 1987: Thomas Knoll was a PhD student studying Engineering at the University of Michigan. His brother was working at Industrial Light and Magic.
Thomas Knoll wrote a subroutine for a program to translate monochrome images on his monitor to grayscale.
The successful subroutine led Knoll to create more and very soon he had a number of processes for achieving photographic effects on digital images.
After his brother John saw what Thomas was doing, he recommended that Thomas turn what he was doing into a full-featured image editor.
/*
And lo, the world's most powerful - and likely most used - image editing software was born.
It's hard to believe it's been 20 years. I started tinkering with Photoshop 3.0, around 1995. I've had access to versions 3.0, 4.0, 5.0, 5.5, 6.0 and 7.0 over the years. I definitely do not have the eye for graphics design, but it's fun tinkering around.
*/
1994 – Photoshop 3.0
The big story for Adobe Photoshop 3.0 was layers. Layers were and are a lifesaver for any marginally complex design.
Prior to their introduction, designers would save different versions of designs so that they could go back and grab them if needed; layers made this practice redundant.
Layers are individual slices of the image that go together to make the final “sandwich” of the image. Different images, such as those used in the image above in the 3.0 splash screen, are assigned their own layers, making it easy to work on those images without tampering with other areas of the image.
/*
This is the first version I tried. The layers feature is a life-saver.
*/
Thomas Knoll, the original creator of the program, was responsible for their development. Other engineers made improvements in the program’s performance with Power Mac chips and bringing the Windows version up to the same level as the Mac version. Tabbed palettes also had their debut in 3.0.
Adobe engineers included Adobe Transient Witticisms (ATW) with this version. They were little Easter Egg funny one-liners that would appear only when you pressed obscure combinations of keys.
/*
Here is a small list of known "Easter Eggs" contained within Photoshop. They're a huge waste of code, CPU, and memory, but usually worth checking out.
*/
Tuesday, December 8. 2009
Graphical Network Simulator 3
/*
This simulator is absolutely awesome. It requires that you have the Cisco IOS images as it comes with a MIPS emulator and actually emulates a real Cisco router, switch, or PIX firewall. It's so realistic that you can design a network, configure the routers and switches, and then drop the running configurations onto real network gear.
It certainly helps to have plenty of RAM available to run this. 1 GB or more is almost a necessity.
*/
Tuesday, October 27. 2009
Shellcode Collection
/*
This site contains hundreds of shellcodes ranging from the standard execve(/bin/sh) to bindshells; from Linux to IRIX to Cisco IOS. Pretty neat collection!
*/
Sunday, June 14. 2009
PostgreSQL 8.3 Cheat Sheet
/*
A very handy cheat-sheet of common PostgreSQL programming features.
*/
Wednesday, July 16. 2008
/*
There was an article on Slashdot earlier today bemoaning the uselessness of CAPTCHAs. While I don't agree that they're useless, they have been fairly fruitless at stopping comment spam on my blog here.
The article mentions two possible "successors" to the standard image and audio CAPTCHA. Let's take a look at them.
The good:
This one comes from a site called spamfizzle.com. Their approach to going beyond the standard 2-dimensional image is to go 3D. Each object in a scene will be represented by a letter. Hundreds, if not thousands, of 3D images can be created using the exact same 3D "scene" but shown from different angles and with different lighting sources. You will then be required to enter, in order, the letter on the cat's tail, the letter in the upper left window pane, and the number of branches on the tree. Using only letters, no numbers, the possible combinations of the CAPTCHAs requiring only 3 letters is as follows: 26*25*24 = 15,600. At 4 letters, it becomes 358,800 possibilities. At 5 letters, it's now 7,893,600 possible combinations. There are also several other features that make nuking CAPTCHA-cracking programs obsolete within minutes; as well as features for making it easier for humans to work with. I really don't feel that I can do justice to this article by summarizing it here. I strongly encourage you to read the article itself (even though it is hosted on a Windows platform).
The bad:
This site requires that you really know your math. How many people are going to know enough geometry, trigonometry, and calculus to figure out this challenge/response?
The ugly:
What can I say?
*/
Wednesday, June 18. 2008
/*
Miscellaneous Microsoft Docs
Occasionally I come across some Microsoft articles that are of use to myself or those I know. I've gathered a list of Windows Server 2K3 and IIS 6.0 commands and tools that will help in automating processes.
How to Restart IIS
Additional Resources for the IIS 6.0 Metabase
Command-Line Tools Included in IIS
Using Command-Line Administration Scripts
Starting and Stopping Services (IIS 6.0)
*/
Monday, June 2. 2008
BackTrack Linux
BackTrack is the top-rated Linux live distribution focused on penetration testing. With no installation whatsoever, the analysis platform is started directly from the CD-Rom and is fully accessible within minutes.
It's evolved from the merge of the two widespread distributions - Whax and Auditor Security Collection. By joining forces and replacing these distributions, BackTrack has gained massive popularity and was voted in 2006 as the #1 Security Live Distribution by insecure.org. Security professionals as well as newcomers are using BackTrack as their favorite toolset all over the globe.
...
Because Metasploit is one of the key tools for most analysts it is tightly integrated into BackTrack and both projects collaborate together to always provide an on-the-edge implementation of Metasploit within the BackTrack CD-Rom images or the upcoming remote-exploit.org distributed and maintained virtualization images (like VMWare images appliances).
Currently BackTrack consists of more than 300 different up-to-date tools which are logically structured according to the work flow of security professionals. This structure allows even newcomers to find the related tools to a certain task to be accomplished. New technologies and testing techniques are merged into BackTrack as soon as possible to keep it up-to-date.
/*
This live-CD Linux distribution truly has every tool you could imagine using for a security audit. There are 24 information gathering tools; 21 network mapping tools; 65 vulnerability identification tools; 11 penetration tools; 48 privilege escalation tools; 15 backdoors; a log cleaner; 29 wireless analysis tools; 7 VoIP analysis tools; 13 digital forensics tools; 7 reverse engineering tools; and the Snort IDS. Quite a collection!
The live-CD boots to a KDE desktop, with support for various ethernet NICs and wireless cards both natively and through ndiswrapper. The website even includes screenshots.
The current version is 141207 (12/14/2007 - Beta 3). MD5 checksums are available on the download page.
*/
Monday, June 2. 2008
ArpON
ArpON is an ARP handler. It is able to handle network devices automatically or manually, to print a list of up network interfaces of the system (it uses the last of the list). It identifies the interface's datalink layer you are using but it supports only Ethernet/Wireless as datalink. ArpON sets the network interface and it deletes the PROMISC flag.
Among all its features ArpON is able to ping a host using ARP, with the possibility to ping the broadcast address (it can compute the number of up hosts through the netmask address, and it recognizes the address class INET/IPV4), then it prints a list of the up hosts on the LAN.
ArpON can also be a passive sniffer and so it can capture all inbound/outbound ARP packets, requests and replies, in TcpDump style.
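As an added example (not ArpON's own code) of the passive mode described above: a Python monitor that decodes raw ARP frames and flags a sender IP reappearing with a different MAC, the signature of a faked reply, while reporting gratuitous ARP separately since failover and virtual NICs send it legitimately. The frames are constructed inline; a live capture source is assumed.

```python
import struct
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

ETHERTYPE_ARP = b"\x08\x06"

@dataclass
class Arp:
    op: int            # 1 = request, 2 = reply
    sender_mac: str
    sender_ip: str
    target_mac: str
    target_ip: str

def parse_arp(frame: bytes) -> Optional[Arp]:
    """Decode an Ethernet II frame carrying ARP over Ethernet/IPv4; else None."""
    if len(frame) < 42 or frame[12:14] != ETHERTYPE_ARP:
        return None
    htype, ptype, hlen, plen, op = struct.unpack(">HHBBH", frame[14:22])
    if (htype, ptype, hlen, plen) != (1, 0x0800, 6, 4):
        return None
    mac = lambda b: ":".join(f"{x:02x}" for x in b)
    ip = lambda b: ".".join(str(x) for x in b)
    return Arp(op, mac(frame[22:28]), ip(frame[28:32]), mac(frame[32:38]), ip(frame[38:42]))

class ArpWatch:
    """Learns IP -> MAC from ARP traffic and flags later disagreements."""
    def __init__(self, static: Optional[Dict[str, str]] = None):
        self.table: Dict[str, str] = dict(static or {})   # pre-seed known hosts here
        self.alerts: List[Tuple[str, str, str, str]] = []

    def feed(self, frame: bytes) -> Optional[Arp]:
        p = parse_arp(frame)
        if p is None:
            return None
        if p.sender_ip == p.target_ip:     # gratuitous ARP: legitimate for failover, worth logging
            self.alerts.append(("gratuitous", p.sender_ip, p.sender_mac, ""))
        known = self.table.get(p.sender_ip)
        if known is None:
            self.table[p.sender_ip] = p.sender_mac
        elif known != p.sender_mac:        # same IP, new MAC: what a faked reply looks like
            self.alerts.append(("mac-changed", p.sender_ip, known, p.sender_mac))
        return p

def build_arp(op: int, smac: bytes, sip: bytes, tmac: bytes, tip: bytes) -> bytes:
    """Constructed frame: 14-byte Ethernet header + 28-byte ARP body."""
    dst = b"\xff" * 6 if op == 1 else tmac
    return dst + smac + ETHERTYPE_ARP + struct.pack(">HHBBH", 1, 0x0800, 6, 4, op) + smac + sip + tmac + tip

def demo_alerts() -> List[Tuple[str, str, str, str]]:
    """Replay a genuine gateway reply, a reply for the same IP from another MAC, then a gratuitous request."""
    gw_ip, host_ip = bytes([192, 168, 1, 1]), bytes([192, 168, 1, 50])
    gw, rogue, host = bytes.fromhex("aabbccddee01"), bytes.fromhex("aabbccddee02"), bytes.fromhex("001122334455")
    w = ArpWatch()
    for f in (build_arp(2, gw, gw_ip, host, host_ip),
              build_arp(2, rogue, gw_ip, host, host_ip),
              build_arp(1, host, host_ip, b"\x00" * 6, host_ip)):
        w.feed(f)
    return w.alerts
```

Seeding `ArpWatch(static={...})` with the gateway's real MAC is the equivalent of ArpON's static mode and catches a spoofed reply even when it arrives before any genuine one.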
/*
This utility just came through the focus-linux mailing list today. It appears to be a Linux-based version of Cisco's port-security for MAC filtering, with additional features.
The aim is to block faked ARP replies; both solicited and unsolicited. While it claims to work well even with DHCP, I have a feeling it might cause breakage in certain scenarios. In a virtualized environment, the MAC address assigned to the virtual NIC may well change between boots. In a hot-failover scenario, it may cause the host to ignore gratuitous ARP.
This tool also supports ARP-level "ping", in both unicast and broadcast mode. This works in the same fashion as the ARPing utility.
While this tool looks like it might be useful in smaller, semi-static environments, I think Cisco's port-security is likely a more reliable option.
*/
Saturday, May 31. 2008
AJAX Security Tools
Certain vulnerabilities within Ajax applications can allow malicious hackers to wreak havoc with your applications. Identity theft, unprotected access to sensitive information, browser crashes, defacement of Web applications, and Denial of Service attacks are just a few of the potential disasters Ajax applications can be prone to and which developers need to guard against when building Ajax capabilities into their applications.
/*
This DeveloperWorks article has some interesting tools. One, aSSL, is an AJAX add-on that allows you to tunnel your AJAX requests back to the server over AES encryption. Very nice. It's licensed under the MIT license.
There are also links to several Firefox add-ons and extensions, such as Session Manager, that allows you to re-establish sessions on demand.
*/
Thursday, March 20. 2008
pfSense
/*
pfSense is (yet another) all-in-one router/firewall/VPN device. It's based on the m0n0wall firewall, so it's based on FreeBSD and the entire system configuration is contained in one XML file. The entire rc process is written in PHP, making the XML parsing easy and also allowing for easy extendability.
I've seen about a million of these all-in-one devices, but what sets this one apart for me is the GUI. This looks to be the simplest, yet most-powerful, all-inclusive web-based GUI I've seen on such a platform.
Here's a quick rundown of the features included:
SSL web interface
wireless support
stateful packet filtering
NAT (many-to-one/one-to-one)
PPPoE and PPTP support on the WAN interface
DHCP client/server
IPsec VPN tunnels (IKE; with support for hardware crypto cards and mobile clients)
PPTP VPN (with RADIUS server support)
caching DNS server
DynDNS support
SNMP agent
traffic shaping
configuration backup/restore
load balancing
bridging firewall ("invisible" firewall)
many others
*/
Tuesday, January 15. 2008
Prototype JavaScript Framework
Prototype is a JavaScript Framework that aims to ease development of dynamic web applications.
/*
I am just starting to dig into AJAX and Prototype, more specifically. So far, it seems fairly intuitive and less bulky than the Google Web Toolkit (GWT).
For those wishing to jump straight to the API docs, click here. You might also be interested in the Tips and Tutorials section.
*/
Tuesday, September 11. 2007
Rainbow Hash Cracking
The multi-platform password cracker Ophcrack is incredibly fast. How fast? It can crack the password "Fgpyyih804423" in 160 seconds. Most people would consider that password fairly secure. The Microsoft password strength checker rates it "strong". The Geekwisdom password strength meter rates it "mediocre".
Why is Ophcrack so fast? Because it uses Rainbow Tables.
/*
This password cracker runs on Windows, MacOS/X, and Linux. This article seems to link you to the various project's websites to obtain all of the tools required to actually put this to use.
*/
The Ophcrack tool isn't very flexible. It doesn't allow you to generate your own rainbow tables. For that, you'll need to use the Project Rainbow Crack tools, which can be used to attack almost any character set and any hashing algorithm. But beware. There's a reason rainbow table attacks have only emerged recently, as the price of 2 to 4 gigabytes of memory in a desktop machine has approached realistic levels. When I said massive, I meant it.
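To show why a precomputed table answers so quickly and why it needs so much memory, here is a toy rainbow table in Python (an added example, not from the article or from Ophcrack). MD5 over a 125-word space stands in for the LM/NT hashes and the gigabyte-sized tables; the structure is the same.

```python
import hashlib
import itertools
from typing import Dict, List, Optional

ALPHABET, LENGTH, CHAIN_LEN = "abcde", 3, 6
SPACE = ["".join(p) for p in itertools.product(ALPHABET, repeat=LENGTH)]  # 125 candidates

def H(pw: str) -> bytes:
    """MD5 stands in for the LM/NT hashes the real tables are built for (assumption)."""
    return hashlib.md5(pw.encode()).digest()

def R(h: bytes, pos: int) -> str:
    """Reduction: map a hash back into the password space.  Mixing in the
    column index gives every column its own reduction, which is what turns a
    plain Hellman table into a rainbow table and limits chain merges."""
    return SPACE[(int.from_bytes(h[:4], "big") + pos) % len(SPACE)]

def build_table(starts: List[str]) -> Dict[str, List[str]]:
    """Hash CHAIN_LEN times per start; store only endpoint -> starts."""
    table: Dict[str, List[str]] = {}
    for start in starts:
        pw = start
        for pos in range(CHAIN_LEN):
            pw = R(H(pw), pos)
        table.setdefault(pw, []).append(start)
    return table

def lookup(table: Dict[str, List[str]], target: bytes) -> Optional[str]:
    """Recover a password for target if it lies on a stored chain."""
    for k in range(CHAIN_LEN - 1, -1, -1):
        # Assume target sits in column k and finish the chain from there.
        h, end = target, ""
        for pos in range(k, CHAIN_LEN):
            end = R(h, pos)
            if pos < CHAIN_LEN - 1:
                h = H(end)
        for start in table.get(end, []):
            cand = start                 # regenerate and check every column
            for pos in range(CHAIN_LEN):
                if H(cand) == target:
                    return cand
                cand = R(H(cand), pos)
    return None

TABLE = build_table(SPACE[::5])          # 25 chains, covering up to 150 (password, hash) pairs
```

A lookup costs at most CHAIN_LEN squared hashes no matter how many chains are stored, which is the trade-off: memory for the endpoints buys the speed. A per-password salt defeats it, because the table would have to be rebuilt for every salt value.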
/*
The article goes on to list the size of these "rainbow tables," some ranging in size from 600 MB up to 65 GB.
*/
Wednesday, August 22. 2007
A Step-by-Step Guide to Building a New SELinux Policy Module
/*
While this article looks to be RedHat specific, it appears that most of the tools used are platform-independent. This should certainly be of use, especially in combination with the Debian howto.
*/
Sunday, May 20. 2007
Top 15 Free SQL Injection Scanners
/*
I'll definitely be testing most/all of these out.
*/