Some Documents of File Specifications/Formats
Here are some documents that explain file formats and their headers, collected for file format fuzzing purposes:
WAVE PCM soundfile format (RIFF)
ZIP File format specification
MPEG File format
GZip File format
SWF File format
TIFF File format
EXIF File format
ID3Tag File format (v.2.3.0)
PNG File format (v1.2)
PDF File format
PLS/M3U File format
RAR File format
(to be updated…)
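Understanding a format is only half of fuzzing it; the other half is a target that treats every length and checksum field as attacker-controlled. As an added example (not code from the original page or from any of the linked specifications), here is a chunk walker for the PNG format listed above: it verifies each chunk CRC, refuses a declared length that runs past the end of the file, and reports malformed input with a controlled error instead of an exception. The 1x1 sample image and the two mutations applied to it are constructed in the code.

```python
"""PNG chunk walker written as a fuzzing target: no field is trusted."""
import struct
import zlib

PNG_SIGNATURE = b"\x89PNG\r\n\x1a\n"


class PngError(ValueError):
    """Raised for structurally invalid input; anything else escaping is a finding."""


def make_chunk(ctype: bytes, payload: bytes) -> bytes:
    """Assemble one chunk: big-endian length, type, payload, CRC-32 over type+payload."""
    crc = zlib.crc32(ctype + payload) & 0xFFFFFFFF
    return struct.pack(">I", len(payload)) + ctype + payload + struct.pack(">I", crc)


def build_sample_png() -> bytes:
    """Constructed 1x1 greyscale PNG used as sample input (not a file from the page)."""
    ihdr = struct.pack(">IIBBBBB", 1, 1, 8, 0, 0, 0, 0)  # width, height, depth, colour type, ...
    raw = b"\x00\x00"  # one scanline: filter byte 0 followed by one grey pixel
    return (PNG_SIGNATURE + make_chunk(b"IHDR", ihdr)
            + make_chunk(b"IDAT", zlib.compress(raw)) + make_chunk(b"IEND", b""))


def parse_png(data: bytes):
    """Walk the chunk list. Returns [(type, length, crc_ok), ...] or raises PngError."""
    if not data.startswith(PNG_SIGNATURE):
        raise PngError("bad signature")
    chunks = []
    offset = len(PNG_SIGNATURE)
    while offset < len(data):
        if len(data) - offset < 12:                      # length + type + CRC minimum
            raise PngError(f"truncated chunk header at offset {offset}")
        length, = struct.unpack(">I", data[offset:offset + 4])
        ctype = data[offset + 4:offset + 8]
        if length > 0x7FFFFFFF:                          # spec maximum; also catches "-1" lengths
            raise PngError(f"{ctype!r}: length {length} exceeds PNG maximum")
        end = offset + 8 + length
        if end + 4 > len(data):                          # declared length runs past the file
            raise PngError(f"{ctype!r}: declared length {length} overruns file (offset {offset})")
        payload = data[offset + 8:end]
        declared_crc, = struct.unpack(">I", data[end:end + 4])
        crc_ok = (zlib.crc32(ctype + payload) & 0xFFFFFFFF) == declared_crc
        chunks.append((ctype.decode("latin-1"), length, crc_ok))
        offset = end + 4
    if not chunks or chunks[0][0] != "IHDR":
        raise PngError("first chunk must be IHDR")
    if chunks[-1][0] != "IEND":
        raise PngError("last chunk must be IEND")
    return chunks


def describe(data: bytes) -> str:
    """One-line verdict: 'ok', 'crc mismatch in <types>', or the rejection reason."""
    try:
        chunks = parse_png(data)
    except PngError as e:
        return f"rejected: {e}"
    bad = [c[0] for c in chunks if not c[2]]
    return "ok" if not bad else "crc mismatch in " + ",".join(bad)


def sample_mutations(good: bytes) -> dict:
    """Two constructed mutations of the kind a fuzzer produces."""
    flipped = bytearray(good)
    flipped[19] ^= 0x01          # byte 3 of the IHDR payload (low byte of width): CRC no longer matches
    overrun = good[:8] + struct.pack(">I", 0x7FFFFFFF) + good[12:]  # IHDR length set to the spec maximum
    return {"flipped": bytes(flipped), "overrun": overrun}


if __name__ == "__main__":
    good = build_sample_png()
    print("good    ", describe(good))
    for name, sample in sample_mutations(good).items():
        print(f"{name:8s}", describe(sample))
```

The length check before the slice is the point: a parser that allocates or copies based on the declared length before comparing it with the bytes actually present is exactly what a mutated length field finds. Replace build_sample_png() with the bytes of a real file to run it against fuzzer output.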
Remove Comments from Configuration
Configuration files usually ship with comments from the developer that help you work out what each option and argument does. Once you know the file, though, the comments get in the way, so here is how to strip them (using apache2.conf as an example):
sed '1p; /^[[:blank:]]*#/d; s/[[:blank:]][[:blank:]]*#.*//' /etc/apache2/apache2.conf | more
or write the result to a file:
sed '1p; /^[[:blank:]]*#/d; s/[[:blank:]][[:blank:]]*#.*//' /etc/apache2/apache2.conf > /etc/apache2/apache2.conf.nocomments
How it works: the 1p command prints the first line before the filter runs, so a leading comment banner survives (if the first line is not a comment, it is printed twice); the second command deletes lines that consist only of a comment; the final substitution cuts off trailing comments. Two caveats: whitespace followed by a # is treated as a comment wherever it appears, so a directive whose quoted value contains a # (an ErrorDocument message, for instance) is truncated, and blank lines are left in place. Use it with caution, and always review the output before putting it into service. You’ve been warned!
Malware… oh malware
- Process Monitor
- Mandiant Red Curtain (more…)
Day-to-day system administration
Backups of your system and all the data stored on it are absolutely essential if you expect to recover from a disaster. What kind of disaster? It might be a natural disaster, such as a fire or a flood. It might be a crime, such as an intruder’s meddling, vandalism of your computer room, or theft of a computer or a disk. It might be a hardware or software failure, or a user error (e.g., deleting the latest version of a document or the latest release of some development software). Whatever the cause, and whatever the extent of the damage, you will be able to recover eventually if you have recent backups of all your system data. In a PC environment, many system administrators discover that critical documents on a user’s machine vanish when a disk fails. They can protect against this by providing personal folders in shared space on a server. Users are responsible for the contents of their own hard disks, and failing to keep these files in shared storage is no excuse at performance review time when a PC failure forces the work to be redone.
There are many systems for backup; whichever you use, do it regularly. Many organizations have well-defined rules about performing backups, and if you don’t follow the rules, you’ll lose your job. Many other organizations have much looser policies, where the scheduling and the extent of backups are far more discretionary. What does it mean to perform regular backups? That’s an organizational decision: it depends on the number of users on your system, the volume of work, and many other variables. Many organizations perform a full backup (of every file in the system) every night. Others do a full backup only once a month, or more commonly once a week, and an incremental backup (of everything that has changed since the last full backup) every day. The best rule of thumb is to back up frequently enough that you can afford to recreate the work that may be lost since the last backup.
Like most security practices, however, backups have a cost, in this case usually network bandwidth and server capacity. You’ll need to schedule backups in the quieter parts of the day, so that they inconvenience the fewest users. If your organization operates 24/7, it may be necessary to run redundant systems, so that one can be backed up while the other is live. Fortunately, improvements in fault tolerance (using technical means to eliminate single points of failure) and clustering technology (running several computers in parallel to spread the load and provide redundancy) make this economically feasible. The redundant system need not sit idle when it is not being backed up; it can share the normal processing load as well.
Hardware and Software Security Tools
Fortunately, today there’s a good variety of hardware and software tools designed to prevent network incursion. As I mentioned previously, one of the most important is the firewall. A firewall inspects the traffic that passes through it and can act against hosts that appear to be abusing or attacking the network. In the simplest case, the firewall checks the Internet Protocol (IP) address of each packet against its rules: if the address is not on an allow list, or appears on a deny list, the packet is dropped, and usually every subsequent packet from the same unauthorized address is dropped as well.
A firewall can also filter on the ports used by a communications session. Each service listens on a well-known port (or set of ports), which is what allows several different conversations to take place behind the same IP address. Traffic arriving on or leaving from unexpected ports may therefore indicate that an attack is under way, and a firewall can block packets to and from any port that should not be exposed.
An intrusion detection system (IDS), on the other hand, passively monitors network traffic or host activity and takes note when something unusual happens. For instance, a user who constantly connects to a little-used disk volume may be staging information there, either for later theft or as a tool for a future incursion. Intrusion detection systems usually carry large libraries of attack signatures, that is, patterns of the steps attackers typically take or have taken in the past to accomplish an attack. When one of these patterns appears in the traffic or logs the IDS is watching, it raises an alert to an administrator; a system that also blocks the offending traffic is usually called an intrusion prevention system (IPS).
A honeypot is a decoy; a honeynet is an entire network of them. It is placed where attackers can reach it, as a lure. While unauthorized users are checking out the honeypot, their movements are recorded, which helps further develop the library of attack signatures.
Penetration testing, or pentesting, is a planned series of attacks that administrators authorize against their own network, typically combining automated scanning with manual exploitation. The purpose of pentesting is to locate overlooked vulnerabilities so that they can be fixed and retested. Pentesting may be performed by network personnel or by outsiders contracted for the purpose.
Performing a Security Audit
It’s a good idea to check on the security of your system by performing periodic security audits. A security audit is a search through your system for security problems and vulnerabilities.
Check your system files and any system logs or audit reports your system produces for dangerous situations or clues to suspicious activity. These might include:
Accounts without passwords
Accounts with easily guessed passwords
These might include passwords chosen by users, or the passwords that come with administrator or guest accounts. In particular, attackers are well aware of the default usernames and passwords that ship with equipment from the factory. Change these immediately.
Long lists of privileges for individual accounts sometimes create confusion. Group management of accounts can simplify security administration by allowing precise, predetermined groups of privileges to be assigned to groups such as accountants, HR, engineering, and so on, in accordance with the organization’s security policy.
Dormant accounts
These include accounts of users who have left your organization, have gone on vacation, or have moved to a different group or system.
New accounts
Be sure these are accounts you have assigned and not accounts that an intruder has created.
Many operating systems create “Everybody”, “Guest” or even “Administrator” accounts automatically. In some cases these accounts are disabled, but an attacker may be able to re-enable them, or use them as a foothold for deeper penetration. For this reason, some administrators delete them or rename them to something less obvious.
Recent changes in file protection
An intruder may have given special privileges to certain programs (a setuid bit, for example) or may have made system files accessible to ordinary users. Individual users may have carelessly made their own files accessible to everyone on the system. Compare current permissions against a known-good baseline, and monitor logs for privilege escalation to make sure attackers aren’t gradually working their way toward administrative ability.
Suspicious user activity
Basically, this means that a user (or someone using that user’s account) is acting in an unexpected way: for example, someone logs in from a number of different terminals or addresses, logs in at odd times of the day or week, runs protected system programs, transfers an unusual volume of data or dials out unusually often, uses new networks, and so on.
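Several of the checks above can be scripted. The following is an added example, not part of the original text: it runs over constructed samples standing in for /etc/passwd, /etc/shadow, an sshd auth log and two permission snapshots, and reports accounts without passwords, UID 0 accounts you did not create, suspicious login patterns (quiet-hour logins, many distinct source addresses) and files whose protection changed since the baseline. All file contents, host names, addresses and paths are made up; on a real system you would feed the functions the actual files (reading /etc/shadow requires root).

```python
"""Offline audit checks. Every input below is a constructed sample, not data from a real host."""
import re
import stat
from collections import Counter, defaultdict

PASSWD = """\
root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
alice:x:1000:1000:Alice:/home/alice:/bin/bash
bob:x:1001:1001:Bob:/home/bob:/bin/bash
backup2:x:0:0::/tmp:/bin/sh
"""
# Shadow field 2 holds a hash, '*' or '!' (locked), or nothing at all (no password).
SHADOW = """\
root:$6$saltsalt$hashhashhash:19700:0:99999:7:::
daemon:*:19700:0:99999:7:::
alice:$6$saltsalt$otherhash:19700:0:99999:7:::
bob::19700:0:99999:7:::
backup2:$6$saltsalt$yetanother:19700:0:99999:7:::
"""
AUTH_LOG = """\
Mar  3 02:14:07 host sshd[1201]: Accepted password for bob from 10.0.0.5 port 51022 ssh2
Mar  3 09:01:33 host sshd[1300]: Accepted publickey for alice from 10.0.0.7 port 40010 ssh2
Mar  3 03:20:11 host sshd[1411]: Accepted password for bob from 192.0.2.9 port 42000 ssh2
Mar  3 03:25:40 host sshd[1452]: Accepted password for bob from 198.51.100.3 port 43311 ssh2
Mar  3 14:10:02 host sshd[1500]: Accepted publickey for alice from 10.0.0.7 port 40012 ssh2
"""
# path -> st_mode, as recorded by two snapshots taken a day apart (constructed)
BASELINE = {"/usr/bin/passwd": 0o104755, "/usr/bin/vim": 0o100755, "/etc/shadow": 0o100640}
TODAY = {"/usr/bin/passwd": 0o104755, "/usr/bin/vim": 0o104755,
         "/etc/shadow": 0o100644, "/tmp/.x/sh": 0o104755}


def accounts_without_passwords(shadow_text):
    """Accounts whose password field is empty: login succeeds with no password at all."""
    return [l.split(":")[0] for l in shadow_text.splitlines() if l and l.split(":")[1] == ""]


def unexpected_superusers(passwd_text, expected=("root",)):
    """UID 0 accounts you did not create: a common way for an intruder to keep root."""
    fields = (l.split(":") for l in passwd_text.splitlines() if l)
    return [f[0] for f in fields if f[2] == "0" and f[0] not in expected]


LOGIN_RE = re.compile(r"^\w{3}\s+\d+\s+(\d{2}):\d{2}:\d{2}\s+\S+\s+sshd\[\d+\]: "
                      r"Accepted \w+ for (\S+) from (\S+)")


def suspicious_logins(log_text, quiet_hours=range(0, 6), max_sources=2):
    """Users who log in during quiet hours or from more distinct addresses than expected."""
    odd_hours, sources = Counter(), defaultdict(set)
    for line in log_text.splitlines():
        m = LOGIN_RE.match(line)
        if not m:
            continue
        hour, user, src = int(m.group(1)), m.group(2), m.group(3)
        sources[user].add(src)
        if hour in quiet_hours:
            odd_hours[user] += 1
    findings = {}
    for user in sorted(sources):
        reasons = []
        if odd_hours[user]:
            reasons.append(f"{odd_hours[user]} login(s) during quiet hours")
        if len(sources[user]) > max_sources:
            reasons.append(f"{len(sources[user])} distinct source addresses")
        if reasons:
            findings[user] = reasons
    return findings


SPECIAL = stat.S_ISUID | stat.S_ISGID | stat.S_IWOTH   # bits always worth a look when newly set


def permission_changes(baseline, current):
    """Files that gained setuid/setgid/world-write, new files carrying those bits,
    and previously private files that became world-readable."""
    findings = []
    for path, mode in sorted(current.items()):
        if path not in baseline:
            if mode & SPECIAL:
                findings.append((path, "new file with setuid/setgid or world-write bit"))
            continue
        gained = mode & ~baseline[path]        # bits set now that were clear before
        if gained & SPECIAL:
            findings.append((path, "gained setuid/setgid/world-write"))
        elif gained & stat.S_IROTH:
            findings.append((path, "became world-readable"))
    return findings


if __name__ == "__main__":
    print("no password:", accounts_without_passwords(SHADOW))
    print("unexpected UID 0:", unexpected_superusers(PASSWD))
    print("suspicious logins:", suspicious_logins(AUTH_LOG))
    for path, why in permission_changes(BASELINE, TODAY):
        print("permission change:", path, why)
```

The permission check deliberately works from a saved baseline rather than from absolute rules, because the question the audit asks is "what changed since I last looked", and a world-readable /etc/shadow is only alarming once you know it used to be mode 640.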