Archive for November, 2006

Zone Alarm Create Hardware Wireless Router Firewall/VPN/Antivirus Home Router

My friends at ZoneLabs have developed a new product they call the Z100G. I'm a frequent visitor to their blog and just spotted it; they only announced it yesterday, so it's still pretty hot off the shelf. The ZoneLabs Z100G is sure to be a success!

The Z100G in all its glory:

[Image: the Z100G router]

This device is a real machine — especially compared with some of the other wireless routers passing as firewalls out there today:

  • Concurrent Firewall Connections: 4,000
  • Gateway Antivirus
  • Secure Remote Access to Home PCs
  • 2 USB ports
  • Check Point SecuRemote™ VPN client
  • Print Server
  • Real-deal logging and reporting
  • VStream Gateway Antivirus - real-time scanning
  • Check Point Patented Stateful Inspection Firewall
  • Bandwidth Management
  • Monthly Security Report

Kudos to ZoneLabs for investing in hardware, a slightly new direction for them :-)

[original article here...]
Best of luck to my favourite company Zone Alarm for creating this fantastic Z100G router. The Z100G router by ZoneLabs will most definitely be a success in the homes of amateur to average users, and even high-level users may find the Z100G useful. For reliable hardware security without the fuss of a computer-based firewall, I think this really does have some potential.


About: Cryptographic Algorithm Key Sizes

In cryptography, the key size is a measure of the number of possible keys which can be used in a cipher. The length of a key is critical in determining the susceptibility of a cipher to exhaustive search attacks.

Finding Weakness
Keys are used to control the operation of a cipher so that only the correct key can convert encrypted text, known as ciphertext, back to plaintext. Many well-known encryption methods and ciphers are based on publicly known algorithms, which are usually open source. What this means is that only the difficulty of obtaining the key determines how difficult the code is to crack, which in turn determines the security/integrity/weakness of that particular system, assuming that the key is not otherwise available (through theft, extortion, or compromised computer systems). The widely accepted notion that the security of the system should depend on the key alone was explicitly formulated by Auguste Kerckhoffs in 1880 and Claude Shannon in 1940. These statements are known as Kerckhoffs' principle and Shannon's maxim.

How big does my key need to be to be secure?

A key should therefore be large enough that a brute force attack (possible against any encryption algorithm) is infeasible: not impossible, but one that would take such a theoretically long time that it dissuades the hacker/cracker, or slows them down enough to pose minimal or even negligible security risk. Claude Shannon's information theory suggests that to achieve perfect secrecy, the key must be at least as long as the message to be transmitted. Because of the practical difficulty of managing such long keys, modern cryptographic practice has discarded the notion of perfect secrecy as a requirement for encryption, and instead focuses on computational security. This is an important thing to remember if you are protecting or breaching a system or infrastructure.

Does this mean there is no such thing as a secure password? Or just that it's really not worth it? Or worse, are people so obsessed with functionality that they can't sit on their ass for 5 minutes to think about it more carefully?

The preferred numbers commonly used as key sizes (in bits) are powers of two, potentially multiplied by a small odd integer.

Brute Force Attack on Keys

Even if a cipher is unbreakable by exploiting structural weaknesses in the algorithm, it is possible to run through the entire space of keys in what is known as a brute force attack. Since longer keys require more work to brute force search, a long enough key will require more work than is feasible. Thus, length of the key is important in resisting this type of attack.

With a key length of n bits, there are 2^n possible keys.

The number of possible keys grows rapidly as n increases. Moore's Law suggests that computing power doubles roughly every 18 months, but even this doubling effect leaves the key lengths currently considered acceptable well out of reach. The large number of operations (2^128) required to try all possible 128-bit keys will be out of reach for all of humankind's conventional computing power for the foreseeable future. (Apparently!)
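As an added example (not part of the Wikipedia text quoted here), a short Python calculation of how the 2^n keyspace turns into brute-force time, and how many years of the 18-month Moore's-law doubling mentioned above it would take before a given key length falls within a fixed time budget. The trial rate of 10^12 keys per second is an assumed, constructed figure.

```python
import math

# Assumed attacker rate: 10^12 trial decryptions per second (constructed figure, not from the page).
KEYS_PER_SECOND = 1e12
# Moore's law as stated above: computing power doubles roughly every 18 months.
DOUBLING_MONTHS = 18
SECONDS_PER_YEAR = 365.25 * 24 * 3600


def keyspace(n_bits):
    """Number of possible keys for an n-bit key: 2^n."""
    return 2 ** n_bits


def expected_brute_force_seconds(n_bits, keys_per_second=KEYS_PER_SECOND):
    """Expected time to hit the right key: on average half the keyspace must be tried."""
    return keyspace(n_bits) / 2 / keys_per_second


def years_until_feasible(n_bits, budget_seconds, keys_per_second=KEYS_PER_SECOND,
                         doubling_months=DOUBLING_MONTHS):
    """Years of Moore's-law doubling until an n-bit key can be expected to fall
    within budget_seconds. Returns 0.0 if it is already feasible today."""
    needed_rate = keyspace(n_bits) / 2 / budget_seconds
    if needed_rate <= keys_per_second:
        return 0.0
    doublings = math.log2(needed_rate / keys_per_second)
    return doublings * doubling_months / 12


def ecc_bits_for(symmetric_bits):
    """NIST rule quoted in this post: an ECC key needs twice the bits of the equivalent symmetric key."""
    return 2 * symmetric_bits


if __name__ == "__main__":
    for bits in (40, 56, 80, 128, 256):
        secs = expected_brute_force_seconds(bits)
        print(f"{bits:3d}-bit key: {keyspace(bits):.3e} keys, "
              f"expected {secs / SECONDS_PER_YEAR:.3e} years at 1e12 keys/s, "
              f"within a one-year budget after "
              f"{years_until_feasible(bits, SECONDS_PER_YEAR):.1f} years of doubling")
```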

Symmetric Algorithm Key Lengths

US government export policy has long restricted the "strength" of cryptography which can be sent out of the country. For many years the limit was 40 bits. Today, a key length of 40 bits offers little protection against even a casual attacker with a single PC. The restrictions have not been removed (it is still illegal to export some cryptographic products), but the limit was effectively raised to a 128-bit key length in 1999 and 2000.

When the Data Encryption Standard cipher was released in 1977, a key length of 56 bits was thought to be sufficient (though there was speculation at the time that the NSA had intentionally reduced the key size from the original value of 112 bits in IBM's Lucifer cipher, or 64 bits in one of the versions that was adopted as DES) so as to limit the strength of encryption available to non-US users. The NSA has major computing resources and a large budget; some thought that 56 bits was NSA-breakable in the late '70s. However, by the late '90s it became clear that DES could be cracked in a few days with custom-built hardware such as could be purchased by a large corporation (or the NSA, by the way). The book Cracking DES tells of the successful attempt to break 56-bit DES by a brute force attack mounted by a cyber civil rights group with limited resources; see EFF DES cracker.

Asymmetric Algorithm Key Length
The effectiveness of public key cryptosystems depends on the intractability (computational and theoretical) of certain mathematical problems such as integer factorization. These problems are time consuming to solve, but usually faster than trying all possible keys by brute force. Thus, asymmetric keys must be longer than symmetric algorithm keys for equivalent resistance to attack. As of 2002, a key length of 1024 bits was generally considered the minimum necessary for the RSA encryption algorithm. As of 2003, RSA Security claims that 1024-bit RSA keys are equivalent in strength to 80-bit symmetric keys, 2048-bit RSA keys to 112-bit symmetric keys, and 3072-bit RSA keys to 128-bit symmetric keys. RSA claims that 1024-bit keys are likely to become crackable sometime between 2006 and 2010 and that 2048-bit keys are sufficient until 2030. An RSA key length of 3072 bits should be used if security is required beyond 2030. NIST key management guidelines further suggest that 15360-bit RSA keys are equivalent in strength to 256-bit symmetric keys.

One of the asymmetric algorithm types, elliptic curve cryptography (ECC), appears to be secure with shorter keys than those needed by other asymmetric key algorithms. NIST guidelines state that ECC keys should be twice the length of equivalent-strength symmetric keys. So, for example, a 224-bit ECC key would have roughly the same strength as a 112-bit symmetric key. These estimates assume no major breakthroughs in solving the underlying mathematical problems that ECC is based on. A message encrypted with an elliptic curve algorithm using a 109-bit key has been broken by brute force. Amazing.
Source: Wikipedia


Download pwdump 1.4.2 and fgdump 1.3.4 - Windows Password Dumping


New versions of the ultracool tools pwdump (1.4.2) and fgdump (1.3.4) have been released.

Both versions provide some feature upgrades as well as bug fixes. Folks with really old versions of either program should definitely look at upgrading, since there are numerous performance improvements and full multithreading capabilities in both packages.

What do these apps do?
pwdump6 is a password hash dumper for Windows 2000 and later systems. It is capable of dumping LanMan and NTLM hashes as well as password hash histories. It is based on pwdump3e, and should be stable on XP SP2 and 2K3. If you have had LSASS crash on you using older tools, this should fix that.

fgdump is a more powerful version of pwdump6. pwdump tends to hang and such when antivirus is present, so fgdump takes care of that by shutting down and later restarting a number of AV programs. It also can dump cached credentials and protected storage items, and can be run in a multithreaded fashion very easily. I strongly recommend using fgdump over pwdump6, especially given that fgdump uses pwdump6 under the hood! You’ll get everything pwdump6 gives you and a lot more.

Darknet definitely DOES recommend fgdump, a super cool update of the old favourite pwdump.

fgdump was born out of frustration with current antivirus (AV) vendors who only partially handled execution of programs like pwdump. Certain vendors’ solutions would sometimes allow pwdump to run, sometimes not, and sometimes lock up the box. As such, we as security engineers had to remember to shut off antivirus before running pwdump and similar utilities like cachedump.

So fgdump started as simply a wrapper around things we had to do to make pwdump work effectively. Later, cachedump was added to the mix, as were a couple other variations of AV. Over time it has grown, and continues to grow, to support our assessments and other projects. We are beginning to use it extensively within Windows domains for broad password auditing, and in conjunction with other tools (ownr and pwdumpToMatrix.pl) for discovering implied trust relationships.

fgdump is targeted at the security auditing community, and is designed to be used for good, not evil. :) Note that, in order to effectively use fgdump, you're going to need high-power credentials (Administrator or Domain Administrator, in most cases), thus limiting its usefulness as a hacking tool. However, hopefully some of you other security folks will find this helpful.

Get pwdump here

Get fgdump here

Many thanks to Darknet, what a great article!


HowTo: Use Nmap to Port Scan Machines for Windows And Unix Users

How to portscan your computer for security holes


by Jason Thomas

If you’re smart and you’re connected to the net, you’re concerned about computer security. Open ports on your computers are invitations to criminal hackers and other evildoers to wreak havoc - and if you don’t protect yourself, no one else will. Your ISP and the cops have better things to do than chase hackers from Belarus who deleted the cosplay photos of you in your beard and Sailor Moon schoolgirl outfit. (That’s right, I know about that whole sordid affair).

The good news is that much like home security, it’s quite easy to lock the door. Test out those locks with a port scanner utility, which probes your computers for security holes.

Note: It should go without saying that your computer should be behind a firewall - a HARDWARE firewall. You traveling laptop types may have to settle for a less-than-bulletproof software firewall on the road.

The Nmap port scanner

Originally a UNIX utility, the Nmap port scanner has been ported to most other operating systems. It's available as a Windows .exe, and also runs on Macs. I run it on my Linux and BSD machines because of the scripting features available there, but you can accomplish the same thing through Lifehacker favorite Cygwin.

Download and install Nmap. If you're running Cygwin, just move the nmap executable into your c:/cygwin/bin folder (or wherever Cygwin is located on your machine). Parts of this article will assume that you're using Cygwin, but you can probably get away without it.

Pardon the instructus interruptus, but I think here's a good place to tell you something. You could theoretically get in trouble with Nmap. Most likely not felony or even misdemeanor-level trouble, but you could very easily accidentally annoy people who you really don't want to annoy - so do be sure to point Nmap at your own machines, and no one else's.

Back to the tutorial. Once Nmap's installed, you're ready to scan your network. Start up a Cygwin bash shell and type the following:

nmap -v -A 192.168.1.1-255

This command will scan your entire subnet. The actual address range used might be different depending on your router or the way you have it set up, but for most home routers, this is the default. The last field, 1-255, tells Nmap to scan all machines on your network. The -v makes the output more verbose and is probably all you will need. If you want much more information, use -vv or -vvv, but you probably won't need that level of detail. The -A option causes nmap to scan for OS type. If you're running a large network, you might want to run this every day or every hour to detect any new machines popping up on the network.

This command line should produce some output right away, and then produce more output at intervals. It may take a little while depending on how many machines are on your network. Now, type the same command again, but this time redirect it to a file, like so:

nmap -v -A 192.168.1.1-255 > nmapoutput.txt

The ">" is the UNIX redirect symbol. If you don't know how to use UNIX pipes and redirects, it's really something you should learn, but you don't really need to understand how they work for the purposes of this article. (See also a primer on useful Cygwin commands for more on Unix redirects and less.) Open nmapoutput.txt in your text editor, or just use "less":

less nmapoutput.txt

It's possible you'll see very little here. If your systems are locked down, this part will be pretty boring. In my case, I'm running a webserver on my home network, so I saw this line:

Discovered open port 80/tcp on 192.168.1.123

You might also see port 80 open on 192.168.1.1, which is most likely your router’s IP address. That’s normal, because it’s your router’s configuration port.

This first chunk of lines comes from nmap’s first probe pass, where it tries to tell which ports on which machines are open and listening. Next, it tries to find out what services are running on those ports. If you’re running a Windows machine on your network, you’re likely to see something like the following:

Interesting ports on 192.168.1.100:
(The 1671 ports scanned but not shown below are in state: closed)
PORT    STATE SERVICE
139/tcp open  netbios-ssn
445/tcp open  microsoft-ds

Now you’ll notice that nmap has dug a little deeper into what’s running on given ports. It does this by throwing data at them and analyzing what comes back. These are some of the services running.

Nmap has a pretty good list of normal services, and it should give you an idea of what’s running on your network. If you see something that comes up as “unknown” or otherwise looks strange or suspicious, check the port number through Google as well as some websites that have port databases, like this one.

IANA is the organization that programmers go to when they want to register a new protocol or port. If the port you're wondering about isn't on its list, there's a good chance there's something shady about it.

If you do a Google search for a port, e.g. “port 27374,” you should be able to get a good idea of whether the service is legitimate or not.
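As an added example (not part of Jason's article), a small Python script that does the "read the output and look for anything you don't recognise" step automatically: it parses the "Discovered open port" and "Interesting ports on" lines nmap prints, then flags any open port that is not on a per-host allowlist, or that nmap could only label "unknown". The sample output and the allowlist are constructed, modelled on the lines quoted above.

```python
import re
from collections import defaultdict

# Constructed sample of "nmap -v -A" output, modelled on the lines quoted in the article.
SAMPLE_OUTPUT = """\
Discovered open port 80/tcp on 192.168.1.123
Discovered open port 80/tcp on 192.168.1.1
Interesting ports on 192.168.1.100:
(The 1671 ports scanned but not shown below are in state: closed)
PORT    STATE SERVICE
139/tcp open  netbios-ssn
445/tcp open  microsoft-ds
Interesting ports on 192.168.1.123:
PORT      STATE SERVICE
80/tcp    open  http
27374/tcp open  unknown
"""

# Constructed allowlist: the router's configuration port and the home web server are expected.
ALLOWLIST = {"192.168.1.1": {80}, "192.168.1.123": {80}}

DISCOVERED = re.compile(r"^Discovered open port (\d+)/(tcp|udp) on (\S+)$")
HOST_HEADER = re.compile(r"^Interesting ports on (\S+):$")
PORT_LINE = re.compile(r"^(\d+)/(tcp|udp)\s+(\S+)\s+(\S+)$")


def parse_nmap_output(text):
    """Return {host: {(port, proto): (state, service)}} from nmap's verbose text output.
    First-pass "Discovered open port" lines are recorded with service None; the later
    per-host table fills the service name in."""
    hosts = defaultdict(dict)
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if m := DISCOVERED.match(line):
            port, proto, host = m.groups()
            hosts[host].setdefault((int(port), proto), ("open", None))
        elif m := HOST_HEADER.match(line):
            current = m.group(1)
        elif current and (m := PORT_LINE.match(line)):
            port, proto, state, service = m.groups()
            hosts[current][(int(port), proto)] = (state, service)
    return dict(hosts)


def find_unexpected(hosts, allowlist):
    """Flag open ports that are not on the host's allowlist, or that nmap could only
    label "unknown" (the case the article says to look up before trusting)."""
    findings = []
    for host, ports in sorted(hosts.items()):
        allowed = allowlist.get(host, set())
        for (port, proto), (state, service) in sorted(ports.items()):
            if state != "open":
                continue
            if port not in allowed:
                findings.append((host, port, proto, service, "not in allowlist"))
            elif service == "unknown":
                findings.append((host, port, proto, service, "service unknown"))
    return findings


if __name__ == "__main__":
    for host, port, proto, service, reason in find_unexpected(parse_nmap_output(SAMPLE_OUTPUT), ALLOWLIST):
        print(f"{host}:{port}/{proto} ({service or '?'}) - {reason}")
```

Feed it the nmapoutput.txt from the redirect above instead of SAMPLE_OUTPUT and keep the allowlist in step with what you actually run; anything it prints is a port to go and look up.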

Stop services from keeping a port open

A process that opens a port on your machine may be legitimate, but it might be something you don’t want. Let’s say you’re running a Bulletproof FTP server on your Windows machine that you forgot about and you don’t want anymore.

Choose Start -> Settings -> Control Panel -> Administrative Tools. Select Services. Scroll down in the list until you see the name of the service you want to close. Select it, change the startup type to “Disabled,” and click “Stop” to stop the service. Try to know what you’re doing here, because you could stop services required to keep your machine running.

Here’s some good information about closing services. (This isn’t my page, it’s a different Jason. But it’s good anyway.)

Nmap alternatives

If you don’t want to install anything, there’s a nice web-based scanner called Shields Up which will automatically probe all the service ports on your IP address as seen by the net. This is great, and important if you have a firewall, because you need to know what your network looks like from the outside. But if you have more than one machine in your network, you’re going to also want to know what ports are exposed on those machines, and since Shields Up and other similar services can’t see much past your firewall, you should install a scanner that runs on one of your local machines.

A Windows-based application to do this is Angry IP Scanner (see screenshot at the top of this article). It's easy to use, fast and efficient, and if you need to do something immediately, you wouldn't really need to look any farther than this.

I hope this article gave you a basic idea of how to secure machines on your network. While running a hardware firewall and closing all unnecessary ports inside your network is the bare minimum, it will keep out all but the most determined attacks, and scanning periodically will let you know if you’ve somehow installed malware or become infected with a trojan.

Jason Thomas is a writer and computer professional living in the Twin Cities.



Click Fraud x Credit Card Theft = Goldmine (Or Does It?)

To excuse the pun, this little gold mine is the last article I've come across on blog.zonelabs.com. They referenced my article in their most recent post, and I did my bit by contributing to this excellent article; I felt my reply was long enough to include in my blog.

A friend told me her credit card bill had more than $10,000 in charges from Google AdWords.

What I’m guessing happened is:

  • Someone got her credit card number somehow.
  • Set up an AdWords account using her number and name.
  • Created ad campaigns and offered to pay extremely high amounts of money for click throughs.
  • Set up “dummy” pages with Google AdSense and content that would display their ads.
  • Got to work getting those ads clicked numerous times.

To which I posted this comment:

Hi Susie,
Firstly congratulations on a well written and informative article, and on a sidenote thanks for linking to my site in the puddle jumping article (blog.zonelabs.com/).

I'd just like to confirm a few things. What seems to have happened here is that a person has stolen a credit card and used it on AdWords. AdWords is for advertising your site(s) on and across Google affiliates worldwide or by location. The fraudulent hacker/credit card abuser has simply used the $10,000 in credits in this person's account to "advertise at will", no matter what the cost.

So in short, the fraudulent person in question has in fact already benefited from the visits generated by their advertisements on the Google network using AdWords, without it costing them anything. It's worth taking note that these hits are worth the money that they are paying, or a proportionate amount of that money, to him, to his friends whom he's advertising, or to people that have paid him to advertise: $10,000 for the price of $3,000, sort of thing, right?

So in short, Google AdWords was used well, and has proven itself (or other similar systems) an effective tool for fraud, playing the system, and laundering money effectively and safely.

It is much more unlikely, however, that someone with the intelligence to demonstrate such an effective knowledge of laundering/money conversion/fraud/playing/hacking would be sloppy or even silly enough to set up dummy AdSense pages. However, the profit could be comparable to the above such system.

It seems much like the attacker was very effective at converting his money in the first place, so I would find it a little less likely for it to have been re-converted into AdSense revenue, but then again, we all get sloppy from time to time and make mistakes.
Another great Security Zone blog Article I’m going to have to write about on my blog!

Best Wishes,

Azio

I felt that both Susie and I raised some perfectly valid points here, and government agencies might want to look into the security restraints and loopholes of such money laundering operations. It's particularly difficult to catch these guys, especially if they are operating on a middleman basis. What this means is that these people are either being funded privately beforehand, or are "rogue" hackers looking to direct extra pagerank or hits to themselves, or even to turn laundered money into clean money as if by magic - and if that isn't worth looking into, what the hell is?
