OPSWAT Gears – Manage your devices’ security remotely

Have mobile devices, servers and need to monitor these devices remotely?  OPSWAT Gears allows you to monitor your computers remotely – update antivirus software, discover compromised devices, manage threats and more.

150 FREE Microsoft eBooks – largest collection ever

150 FREE Microsoft eBooks – largest collection ever

Thanks to Jonathan for remembering to email me the latest Microsoft Blog link about free ebooks.

EBoooks link

Given the amount my readers enjoy these posts and these free resources, I am sharing another post this year with over 130 more FREE eBooks, Step-By-Steps, Resource Guides, etc., for your enjoyment. Plus I’m also including links to the free eBooks I shared in the past so you have all of them here in one single post, making this my single largest collection EVER (Almost 300 total)! Please enjoy these FREE eBooks and resources, and be sure to pass this along to your friends, colleagues, peers, and others who you think would benefit from and enjoy them. After all, wouldn’t it be fun if we could surpass the 1,000,000 download mark within just one week again? ~Eric Ligman, Microsoft

 

 

Can Hackers Steal Secrets from Reflections?

I encourage my students to go over and visit Rick, Paul and Bill’s blog.  In 2009, Rick posted a link to a Scientific American article on How Hackers Steal Secrets from Reflections.   Great Article.  With our students going through some of the best security courses available, these links are very valuable.

Although we used a mirror for this example, we have tried glasses and other reflective materials and you can take a picture and reverse the photo.

Reverse Image

Reversed with Irfanview

Corrected with IRFanview

Free-Windows Server 2012 R2 Technet Document -7970 pages

Want to know how to be an administrator of Windows Server 2012 R2?  This 7900+ page document has everything you want to know about Microsoft’s latest server.  Included in this massive manual is-

  • Technical Scenarios
  • Install and Deploy Windows Server
  • Migrate Roles and Features to Windows Server
  • Secure Windows Server
  • Manage Privacy in Windows Server
  • Support and Troubleshoot Windows Server
  • Server Roles and Technologies
  • Management and Tools for Windows Server

Download Microsoft Windows Server 2012 R2 and Windows Server 2012 TechNet Library Documentation here.  111 mb

Microsoft also offers free virtual labs (Virtual Microsoft Server from your browser).  Coupled with this 7900+ page manual, this is an excellent resource to learn Windows Server 2012.

If you want to print this, it will take approximately 16 reams of paper and 3.25 high capacity laser toner cartridges.  Of course once you print it, you’ll have your first 32″ wide book.

How to audit a folder in Windows

When networking shared resources, you should audit the individual folders you are sharing out.  This allows you to ‘see’ who is using the folders and how files are being manipulated.

How to Audit User Access of Files, Folders, and Printers

The audit log appears in the Security log in Event Viewer. To enable logging:

  1. Click Start, go to the Control Panel, click on Performance and Maintenance, and  click Administrative Tools.
  2. Open the Local Security Policy.
  3. In the left pane, double-click Local Policies.
  4. Click Audit Policy to display the individual policy settings.
  5. Click Audit object access.
  6. Select the Success check box on items you would like to monitor.
  7. Select the Failure check box on items you would like to monitor.
  8. You can select both check boxes to audit Success and Failures.
  9. Click OK.

How to Specify Files, Folders, and Printers to Audit

Once you enable auditing, you can specify the files, folders, or printers that you want audited. :

  1. Locate the file or folder you want to audit. To audit a printer, locate it by clicking Start, and  clicking Printers and Faxes.
  2. Right-click the file, folder, or printer you want to monitor (audit) , click Properties.
  3. Click on the Security tab, and  click the advanced button.
  4. Click on the Auditing tab, and  click on add.
  5. Clicking Advanced, and  click Find Now -navigate to the person or group you would like to audit.
  6. Click OK.
  7. Select the Successful or Failed check boxes (select the ones you want)click OK.
  8. Click OK,  click OK.
You can now look under the Event Viewer and ‘see’ what users are doing.
Remember when creating a VPN or sharing a folder- you always want to audit a folder or file.

Security Onion- IDS, NSM, and log management

What if you want an IDS system that monitors malicious activities and provides you with logs (Network Security Monitoring) and graphs to help protect your network?  And what if you want an easy setup that provides you with information that will help you – something with a GUI interface?   Security Onion can provide you with the defacto IDS system – Snort, Squert and a ton of other tools to help you.  While there are options, Security Onion offers the choice of Snort (http://snort.org/) or Suricata (http://suricata-ids.org/).

The setup below shows a test system using VMWare with 2 processors and 2 Gb of RAM if you want to try it out.   While the bare minimum is suggested to be 3 Gb, a production environment should have 8- 128 Gb of RAM, a ton of hard drive space for logs and two network cards.  One network card for management and one to sniff.

Security Onion’s ISO can be downloaded from SourceForge.   While there is a ton of how-tos on the internet about Security Onion, there is a great deal of information on there blog located here.

Here’s a simple setup I did at home to try out Security Onion.  Using VMware’s Player (non-commercial use).  If you plan on trying Security Onion or deploying it in a production environment, you should use the commercial version or have a system that supports the minimum requirements.

menuinstallliveLive Runninginstalling rullinstalling driveinstalling drive erase  Installing files after time keyboard finished

 

Once you restart, you’ll need to run setup again to enter an email address for squert and setup a password. Once this is done, you can open the shortcuts on the desktop or use your host computer to login. Once this is complete, login to Snorby’s url.

While snort is running, Snorby will present a dashboard.  You may be surprised to see no threats once you login.  You can expedite this process by running NMap (Zenmap against the virtual machine) if you want to see threats.

What is Snorby? “ Snorby is a web application interface to view, search and classify Snort and Suricata alerts and generate various types of reports, such as most active IDS signatures, most active sensors, and top source and destination IP addresses.”  more information.
2 snorby

Once you run NMap, click on More Options in the right corner and update the Cache

2a cache update

Give Security Onion just a few seconds and refresh the screen.  You’ll see the events logged.  This will visually show you not only how  many threats were ‘ seen’ on the network but will categorize and graph them.

3 snorby 3 severity

Clicking on the events will show each event and give you the option to categorize unknown threats or to reclassify threats.
4 nmap to test

Logging in to Squert allows you to see threats along with maps and information from threats.

5 squert

Squert map

ELSA – allows you to query and look for information.

6 Elsa

What does NMap show when Security Onion is scanned?

7 is it logging

 

 

 

Introduction to Security Onion

Security Onion Blog

 

The dangers of using outdated software


 Outdated software contains security flaws which cybercriminals can use as avenues to infiltrate the corporate network.

The dangers of using outdated software.

Defending your network with Snort for Windows

SNortlogo
When you hear about Snort, the De facto of Intrusion Detection Systems, you think of Linux.  Snort offers a Windows setup and signatures that can be used with any operating system.

Snort should be a dedicated computer in your network.  This computer’s logs should be reviewed often to see malicious activities on your network.

Steps to install Snort on Windows :
1. Download Snort from the Snort.org website. (http://www.snort.org/snort-downloads)
2. Download Rules from here. You must register to get the rules. (You should download these often)
3. Double click on the .exe to install snort.  This will install snort in the “C:\Snort” folder.
It is important to have WinPcap installed
4. Extract the Rules file. You will need WinRAR for the .gz file.
5. Copy all files from the “rules” folder of the extracted folder.  Now paste the rules into “C:\Snort\rules” folder.
6. Copy “snort.conf” file from the “etc” folder of the extracted folder.  You must paste it into “C:\Snort\etc” folder. Overwrite any      existing file.  Remember if you modify your snort.conf file and download a new file, you must modify it for Snort to work.
7. Open a command prompt (cmd.exe) and navigate to folder “C:\Snort\bin” folder. ( at the Prompt, type cd\snort\bin)
8. To start (execute) snort in sniffer mode use following command:
snort -dev -i 3
-i indicates the interface number.  You must pick the correct interface number.  In my case, it is 3.
 -dev is used to run snort to capture packets on your network.

To check the interface list,  use following command:
 snort   -W
Finding an interface

You can tell which interface to use by looking at the Index number and finding Microsoft.  As you can see in the above example, the other interfaces are for VMWare.  My interface is 3.

9. To run snort in IDS mode, you will need to configure the file “snort.conf” according to your network environment.
10. To specify the network address that you want to protect in snort.conf file, look for the following line.
var HOME_NET 192.168.1.0/24  (You will normally see any here)
11. You may also want to set the addresses of DNS_SERVERS, if you have some on your network.

Example:

example snort
12. Change the RULE_PATH variable to the path of rules folder.
 var RULE_PATH c:\snort\rules

path to rules
13. Change the path of all library files with the name and path on your system. and you must change the path    of snort_dynamicpreprocessorvariable.
C:\Snort\lib\snort_dynamiccpreprocessor
You need to do this to all library files in the “C:\Snort\lib” folder. The old path might be: “/usr/local/lib/…”. you will need to    replace that path with your system path.  Using C:\Snort\lib
14. Change the path of the “dynamicengine” variable value in the “snort.conf” file..
Example:
 dynamicengine C:\Snort\lib\snort_dynamicengine\sf_engine.dll

libraries

 

15 Add the paths for “include classification.config” and “include reference.config” files.
  include c:\snort\etc\classification.config
include c:\snort\etc\reference.config
16. Remove the comment (#) on the line to allow ICMP rules, if it is  commented with a #.
 include $RULE_PATH/icmp.rules
17. You can also remove the comment of ICMP-info rules comment, if it is commented.
 include $RULE_PATH/icmp-info.rules
18. To add log files to store alerts generated by snort,  search for the “output log” test in snort.conf and add the following line:
output alert_fast: snort-alerts.ids
19.  Comment (add a #) the  whitelist $WHITE_LIST_PATH/white_list.rules and the blacklist

Change the nested_ip inner , \  to nested_ip inner #, \
20. Comment out (#) following lines:
#preprocessor normalize_ip4
#preprocessor normalize_tcp: ips ecn stream
#preprocessor normalize_icmp4
#preprocessor normalize_ip6
#preprocessor normalize_icmp6

21. Save the “snort.conf” file.
22. To start snort in IDS mode, run the following command:

snort -c c:\snort\etc\snort.conf -l c:\snort\log -i 3
(Note: 3 is used for my interface card)

If a log is created, select the appropriate program to open it.  You can use WordPard or NotePad++ to read the file.

To generate Log files in ASCII mode, you can use following command while running snort in IDS mode:
snort -A console -i3 -c c:\Snort\etc\snort.conf -l c:\Snort\log -K ascii

23. Scan the computer that is  running snort from another computer by using PING or NMap (ZenMap).

After scanning or during the scan you can check the snort-alerts.ids file in the log folder to insure it is logging properly.  You will see IP address folders appear.

Snort monitoring traffic -

traffic

Snort’s detailed report when scanning has stopped -

termination

 

Log files -

logs

 

 

Note:  Read the setup and configuration of Snort from Snort.org.  While this is a demo, Snort can be configured thousands of ways to detect and alert you in the event you have malicious activity on your network.  Downloading signatures often is extremely important

How to guard your wireless network and see intruders

100% credit goes to Bill Mullins for sharing this information. (BillMullins.wordpress.com).

Softperfect has some of the best freeware for Windows.   With Netscan you can see devices on your network and find information about the  devices.  Now with their software “WiFi  Guard”, you can use a device on your network and find the devices that are attached to it.

While you should take precautions to secure your wireless network, is someone accessing your network without your knowledge?

Installation is fast and easy.  Simply follow the wizard and make sure you run the software at startup.

Scan

Once you install the software, select the adapter and scan your network.  Next double click on known devices and select “I know this device.”  Let the software run and periodically scan your network.   If you find a device connecting to it,   locate the device and remove it from the network or take action to prevent unknown devices from connecting.

I Know

The software is designed to run on Apple, Windows or Linux.

Note: The above pic is from a lab environment and the addresses and macs do not represent real machines or a production environment.

Protecting your network by pen testing it

This post is for educational purposes and any use of these tools against a network without explicit permission could be illegal.   Metasploit is designed to identify weaknesses in networks and hardware/software on a network.  Do NOT use metasploit for other reasons.

Want to protect your network and the computers in your network?  You can get updates for your operating systems (Linux, Mac, iOS, Android, Windows or whatever) along with updates for third party programs yet you can still be unsecure.    When updating these products, you also have to remember firmware and updates for wireless devices, access points, bridges, firewalls, routers, switches, SCADA devices, robots, mobile devices, printers and any device on your network.

Metasploit

http://www.metasploit.com/download/

Metasploit Community is free and allows for a free scan of your network or server. Although limited (Try Pro for details and Brute Force), Metasploit Community is a first step in finding open services and ports on your operating system, hardware devices such as routers and other devices.   The trick to installing Metasploit is to disable your antivirus or make exceptions to what your antivirus finds.   You should truly install the software inside of a VM (Virtual Machine) so that your computer remains protected.

You can use Metasploit to protect your network by ‘seeing’ what a hacker or malicious person would see.  Truly for network professionals and auditors, this software can help you identify services, ports and weaknesses in your network.

There are several versions of Metasploit – Community, Pro, Express and Framework (Compare Editions)

Metasploit     Metasploit Two

Metasploit Scan Complete     metasploit Hosts

Metasploit Services After Scan

The above scan was in a controlled lab.  Malicious scanning of networks may be illegal.  Read  Penetration Basics on Metasploit’s website.

Tutorials (Videos)

Your business and home needs a firewall…why?

So what happens when you install a firewall and make sure all operating systems on your home network are fresh installs?

craziness

 

You’ll probably see hits from foreign and U.S. IP addresses trying to make connections to your computers, phones and other devices on your network.   You’ll also notice common port numbers in the above log.  So what would happen if any of the services and ports were open?  It could result in the loss of data.

What should you do?  Install a hardware SOHO firewall and keep your OS firewall on.  While there are tons of other precautions you also need to take, ultimately this is a form of protection most home users and business users fail to implement.

Credit: Chris Davis

What should you do with an old computer? Create a home router/firewall!

ITX-motherboards can often be found in older computers from garage sales or thrift stores.  What is the practical use for these motherboards or older computers?

Here’s a small project that involves protecting your home.

After finding an ITX motherboard and gathering extra parts from broken laptops and computers, this project will put the software SMOOTHWALL Express onto the computer to make a mini firewall.  Total cost?

  • $22 250watt power supply
  • $5 Gearhead mini keyboard

0306141659a

Base processor
Athlon 64 X2 (B) 5400+ 2.8 GHz (65W)
800 MHz front side bus
Socket AM2

Chipset
GeForce 9100

Motherboard

  • Manufacturer: Pegatron
  • Motherboard Name: APX78-BN
  • HP/Compaq motherboard name: Nutmeg-GL6E

Power supply
250W

Memory
240 Pin DDR2 PC2-6400 MB/sec
4GB
Hard drive
120 GB SATA 6G (6.0 Gb/sec)
7200 rpm

Video Graphics

Integrated on motherboard (NVidia 9100)

Sound/Audio
High Definition 6-channel audio
ALC 888S chipset

Network (LAN)
Integrated 10/100 Base-T networking interface
Added Broadcom wireless to create a wireless router

External I/O ports connections – 6  USB

Expansion slots

PCI Express mini card socket – added Broadcom Wireless
PCI Express x16
PCI Express x1

Additions-

  • 2″ Fan for Chipset

In the video below, HAK5 shows just how to make a motherboard like this into a nice home router/Firewall.