Sorry for the Blog Downtime

by kriggins on February 11, 2010

in Announcement, Uncategorized

I apologize for the downtime today. It was entirely my fault.

Things should be okay now.



I have published my latest Backtrack 4 how-to.

Backtrack 4 - Bootable USB Thumb Drive with "Full" Disk Encryption

This is a step-by-step guide showing how to create an encrypted bootable Backtrack 4 USB thumb drive. I put quotes around full in the title because technically the whole disk isn't encrypted.

We use LVM and the native disk encryption included in Ubuntu 8.10 (dm-crypt with LUKS) to encrypt all partitions except for a small boot partition that never contains any of our data; it holds only the kernel and initramfs needed to boot. Keep in mind that this boot partition is unencrypted and therefore also unauthenticated, so anyone with physical access to the drive could tamper with it.

This how-to is a departure from the persistent install method I have documented in the past. It also means we don't have to mess with TrueCrypt or go through the home directory shenanigans we were going through before. I will be incorporating it into the main how-to in the near future.

As always, I am interested in your thoughts and feedback.



I was looking at my checking account online a few days ago and saw something that sparked this blog post.

My bank has a very handy service where they scan the checks we write (yes, checks are still used in some cases :)) and you can view them online for a limited time. Very cool. Nothing wrong with that, right?

I didn't think so until recently.

We wrote a check to an individual recently and they cashed it at their bank. Somewhere along the line a fingerprint was put on the check, a very well done, clean, and clear fingerprint. I'm assuming that the fingerprint belongs to the individual who the check was written to, but I have not verified that.

First, why is the bank taking a fingerprint? Seems a bit extreme to me.

Second, why are they sticking it on a check that they know is going to be out of their control at some point?

This seems like a recipe for disaster to me. What do you think?




There is a new post up on the RSA Security Blogger Meetup blog with a few more details and an action that needs to be taken if you are interested in attending. Go check it out.

Things Are Shaping Up



Just a quick note to let you know that the Backtrack 4 USB How-to with Persistent Changes and Nessus has been updated for Nessus 4.0.1.

That is all.



Over the course of the last week or so, there has been a great thread on the PaulDotCom mailing list related to getting started in information security. Paul has posted a nice article that gathers some of the comments together.

The time spent reading the article and then the actual thread is well spent for both those seeking to enter the market and for those already in it. For those seeking to become information security professionals, it offers great advice and tips. For those who are already practicing security professionals, it provides you with a great set of answers for when you get asked the question "How do I get started in information security?"

The post is here.

By the way, the mailing list is a great resource in and of itself. You should check it out too!



Securing our Government Networks

Lt. Gen. Keith B. Alexander is the head of the NSA.

States that the NSA does not want to be in charge of information security for the nation.

Speaking to the data collection issues recently. They self-report when they make a mistake outside of their mandate.

Going to cover the history of NSA, where they are today, talk about the networks, the threat, the way forward, talk about Melissa Hathaway and what they will be talking about yesterday.

Talking about history now, Enigma. It was a game changer. Being able to break it was an even bigger game changer.

How did we build NSA and why. Protect our secrets and finding out there. How do we do this while balancing liberty and security. First NSA charter 1952.

The issue he states that the networks were point-to-point. Not any longer as we all know. Everything is connected.

Moving from a medium carrying communications to a place where America stores its wealth and treasure.

"Information, Money, Medical Records..."

Some interesting stats on current cyber space.

The threat is real.

Points out the Estonia incident, where the country was significantly impacted by a concerted effort to disrupt its online capabilities.

Increasing instances of cyber warfare.

Strategy: Team to protect classified & national security networks. Learn to protect against the highest threats. Share lessons learned, technology, and training with DHS; enhance shared situational awareness. Be prepared to help protect the nation during key events.

Defending important networks. It has to be a team of both governmental and civil organizations.

Closing remarks: Working together works better. We now need to figure out how to secure it, not at the risk of civil rights and privacy, but for the good of the nation. NSA is a part of doing that.

That's a wrap for the keynotes today.



Setting up TrueCrypt on Backtrack 4

by kriggins on March 24, 2009

in Uncategorized

In my previous post, we set up an encrypted private directory to address being able to keep the data from a pen test safe. I also found that TrueCrypt works great on Backtrack 4. It also addresses the issue of file and directory names not being encrypted. Of course the downside is that the volume must be manually mounted each time, or at least I haven't worked out how to automatically mount it yet.


This how-to makes the following assumptions:

  1. You have already created a bootable Backtrack 4 thumb drive with persistent changes.
  2. You are using Backtrack 4 as root.
  3. The following is performed with a window manager active, e.g. KDE.
  4. You are familiar with TrueCrypt.

Installing TrueCrypt

Installing TrueCrypt is almost as easy as setting up encrypted private directories. The following steps will get TrueCrypt installed and ready to be configured.

First we need to download the install package. I picked the 'Ubuntu - x86 .deb' option on the TrueCrypt download page. I used Firefox and saved the file to root's home directory. TrueCrypt publishes PGP signatures for its downloads; verify the signature of the archive before running anything it contains.

Next execute the following commands from a terminal session in root's home directory. The first unpacks the archive, the second makes the extracted installer executable, and the third runs it:

tar zxvf truecrypt-6.1a-ubuntu-x86.tar.gz

chmod +x truecrypt-6.1a-setup-ubuntu-x86

./truecrypt-6.1a-setup-ubuntu-x86


At this point, you will have a GUI install window with a couple of options on it. Click on 'Install TrueCrypt' and follow the prompts.

Now it's time to set up our TrueCrypt volume. To do so, either from the 'run' command option on the menu or from a terminal session, execute truecrypt. You should end up with a window like the following.


The next step is to create our encrypted volume. We do that by clicking on the 'Create Volume' option above and using the following screen.


Follow the prompts and create a volume. Once that is done you can mount the volume and begin using it.
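The steps above go through the GUI, which is why the volume has to be mounted by hand each time. What follows is an added example, not part of the original post and not TrueCrypt's own tooling: a small POSIX shell wrapper around TrueCrypt's text-mode command line that creates a standard container, mounts it, and dismounts it, so the mount can be driven from a login or logout script instead. It assumes TrueCrypt 6.x is installed as truecrypt on the PATH (which the installer above does) and that its text-mode flags (-t, -c, --size, --encryption, --hash, --filesystem, -k, --random-source, --protect-hidden, -d) behave as described; the container path and mount point are whatever the caller passes in.

```shell
#!/bin/sh
# Added example (not from the original post): drive TrueCrypt from the
# command line instead of the GUI so a container on the thumb drive can be
# created, mounted and dismounted from scripts.
# Assumptions: TrueCrypt 6.x text mode (-t) is available as 'truecrypt'.
# No -p flag is used anywhere, so the password is prompted for on the
# terminal and never appears in the process list or shell history.

# Convert a human-readable size (bytes, or a K/M/G suffix) into the byte
# count that --size= expects. Returns non-zero on anything malformed.
tc_size_bytes() {
    num=${1%[KMG]}
    case "$num" in
        ''|*[!0-9]*) return 1 ;;
    esac
    case "$1" in
        *K) echo $((num * 1024)) ;;
        *M) echo $((num * 1024 * 1024)) ;;
        *G) echo $((num * 1024 * 1024 * 1024)) ;;
        *)  echo "$num" ;;
    esac
}

# Create a standard (non-hidden) container at $1 of size $2 (e.g. 500M).
# AES with SHA-512 for the header key derivation, FAT so the container is
# also readable from Windows. -k "" means "no keyfiles", which text mode
# needs stated explicitly. /dev/urandom stands in for the GUI's
# mouse-movement entropy collection.
tc_create() {
    vol=$1
    size=$(tc_size_bytes "$2") || { echo "bad size: $2" >&2; return 1; }
    if [ -e "$vol" ]; then
        echo "refusing to overwrite existing file: $vol" >&2
        return 1
    fi
    truecrypt -t -c --volume-type=normal --size="$size" \
        --encryption=AES --hash=SHA-512 --filesystem=FAT \
        -k "" --random-source=/dev/urandom "$vol"
}

# Mount the container $1 on directory $2 (created if missing).
# --protect-hidden=no answers the hidden-volume question non-interactively;
# the password itself is still prompted for.
tc_mount() {
    vol=$1
    mnt=$2
    if [ ! -f "$vol" ]; then
        echo "no such volume: $vol" >&2
        return 1
    fi
    mkdir -p "$mnt" || return 1
    truecrypt -t -k "" --protect-hidden=no "$vol" "$mnt"
}

# Dismount one container, or every mounted TrueCrypt volume when called
# without an argument (handy from a logout hook so nothing on the thumb
# drive stays decrypted).
tc_dismount() {
    if [ -n "${1:-}" ]; then
        truecrypt -t -d "$1"
    else
        truecrypt -t -d
    fi
}

# Usage: tc.sh create VOL SIZE | mount VOL DIR | dismount [VOL]
# With no arguments the script only defines the functions (for sourcing).
case "${1:-}" in
    create)   tc_create "$2" "$3" ;;
    mount)    tc_mount "$2" "$3" ;;
    dismount) tc_dismount "${2:-}" ;;
    '')       ;;
    *)        echo "usage: $0 create VOL SIZE | mount VOL DIR | dismount [VOL]" >&2
              exit 2 ;;
esac
```

Running the mount from a login script does not make the step passwordless: TrueCrypt still prompts for the passphrase on the terminal, which is exactly what you want on a drive that is meant to be useless if lost. The wrapper only removes the clicking. If you ever do script the passphrase in, keep in mind that -p puts it on the command line where any local user can read it with ps.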

As always, feel free to leave a comment with your thoughts and/or questions.



In the last post in our series, we spent some time looking at the definition of asset. In the post previous to that, we described the system we are assessing and presented a diagram that shows the system and its architecture.

In this post, we are going to start the discussion about threats, but first, a little more information about our scenario.

Phil, in a comment on the last post in this series, said the following.

I suggest that you create a data flow diagram (DFD) and then map out how the data flows.

After saying a) I don't know how and b) we don't need one (not in those exact words :)), I got to thinking about it a bit more and decided he was right. A data flow diagram will be helpful. So a quick study of DFDs later, here is my feeble attempt at providing one for us to use.

Oblivia Tax Rate System Data Flow Diagram (DFD)

You will probably quickly see where we will be focusing our time during our assessment.

Anyway, let's talk about threats. First, from the Introduction to FAIR: Risk Landscape Components:

As I [Jack Jones] mentioned in the Bald Tire section, threats are anything (e.g., object, substance, human, etc.) that are capable of acting against an asset in a manner that can result in harm. A tornado is a threat, as is a flood, as is a hacker. The key consideration is that threats apply the force (water, wind, exploit code, etc.) against an asset that can cause a loss event to occur.

Fairly straightforward. Basically, we are looking for those things that, when they apply force against our asset, can cause damage or loss. Well, even in the simplistic scenario we are looking at, that list is as long as my arm. If that's the case, how do we know which threats we should focus on?

Funny you should ask. Jack goes on to talk about threat communities, "Subsets of the overall threat agent population that share key characteristics [or traits]", and threat characteristics which are used to profile threat communities. We will take a deeper look at both in the next post of this series.

As always, I am really interested in your thoughts. I read and take to heart every one that is left, so please join the conversation!




(IN)Secure Magazine 20 is Out

by kriggins on February 24, 2009

in Uncategorized

One of my favorite information security magazines is (IN)Secure. The folks at Help Net Security put out a consistently great publication and the price is right: free. The March edition was published today. You can get it here. Below is a partial list of the articles in this edition:

  • Improving network discovery mechanisms
  • Building a bootable BackTrack 4 thumb drive with persistent changes and Nessus (by me)
  • What you need to know about tokenization
  • Q&A: Vincenzo Iozzo on Mac OS X security
  • A framework for quantitative privacy measurement
  • Why fail? Secure your virtual assets
  • Phased deployment of Network Access Control
  • Web 2.0 case studies: challenges, approaches and vulnerabilities
  • ISP level malware filtering
  • Q&A: Scott Henderson on the Chinese underground