Check out my page pyProjects for more details

Go on.. give it a whirl

Cheers

I created this PCI DSS mind map during my free time and thought it cud help the QSA’s describe the PCI to any client.

>>>Link to image<<<

Cheers

Incident handling is a generalized term that refers to the response by a person or organization to an attack. An organized and careful reaction to an incident can mean the difference between complete recovery and total disaster.

Before we begin, let us give you one piece of advice. DON’T PANIC!

You’re not the first person this has happened to, and you certainly won’t be the last!

The first step in recovering any system from a compromise is to physically remove any network cables. However, it should be noted, that if the network cable is unplugged you may lose information about the attacker, you will not see active network connections. This of course is important if you wish to trace the miscreants, however your site security contacts may have policies forcing a disconnection after a break-in. Well your local security policies should contain information about any actions you need to take.

Next, you should take a notebook (a paper one, not electronic) as this will be used to take notes in. Write down any important details about the system, starting with the time and date, the IP address and name of the machine, the timezone that the machine’s clock is set to, whether the clock was accurate, patches that were installed on it, user accounts, how the problem was found, etc. If anything during the course of your investigation seems pertinent, jot it down.

Assessing the Suspicious Situation

To retain attacker’s footprints, avoid taking actions that access many files or installing tools.

Look at system, security, and application logs for unusual events.

Look at network configuration details and connections; note anomalous settings, sessions or ports.

Look at the list of users for accounts that do not belong or should have been disabled.

Look at a listing of running processes or scheduled jobs for those that do not belong there.

Look for unusual programs configured to run automatically at system’s start time.

Check ARP and DNS settings; look at contents of the hosts file for entries that do not belong there.

Look for unusual files and verify integrity of OS and application files.

Use a network sniffer, if present on the system or available externally, to observe for unusual activity.

A rootkit might conceal the compromise from tools; trust your instincts if the system just doesn’t feel right.

Examine recently-reported problems, intrusion detection and related alerts for the system.

Initial Security Incident Questionnaire for Responders

What is the nature of the problem, as it has been observed so far?

How was the problem initially detected? When was it detected and by whom?

What security infrastructure components exist in the affected environment? (e.g., firewall, anti-virus, etc.)

What is the security posture of the affected IT infrastructure components? How recently, if ever, was it assessed for vulnerabilities?

What groups or organizations were affected by the incident? Are they aware of the incident?

Were other security incidents observed on the affected environment or the organization recently?

If You Believe a Compromise is Likely…

Involve an incident response specialist for next steps, and notify your manager.

Do not panic or let others rush you; concentrate to avoid making careless mistakes.

If stopping an on-going attack, unplug the system from the network; do not reboot or power down.

Take thorough notes to track what you observed, when, and under what circumstances.

Windows Initial System Examination

Avoid using Windows Explorer, as it modifies useful file system details; use command-line.

Checks	Commands
Look at event logs	eventvwr
Examine network configuration	arp –a, netstat -nr
List network connections and related details:::	netstat –nao, netstat -vb, net session, net use
List users and groups	lusrmgr, net users, net localgroup administrators, net group administrators
Look at scheduled jobs	schtasks
Look at auto-start programs	msconfig
List processes	taskmgr, wmic process list full
List services	net start, tasklist /svc
Check DNS settings and the hosts file:	ipconfig /all, more %SystemRoot%\System32\Drivers\etc\hosts, ipconfig /displaydns
Verify integrity of OS files (affects lots of files!)	sigverif
Research recently-modified files (affects lots of files!)	dir /a/o-d/p %SystemRoot%\System32

Unix Initial System Examination

Checks	Commands
Look at event log files in directories (locations vary)	/var/log/, /var/adm/, /var/spool/
List recent security events	wtmp, who, last, lastlog
Examine network configuration	arp –an, route print
List network connections and related details	netstat –nap (Linux), netstat –na (Solaris), lsof –i
List users	more /etc/passwd
Look at scheduled jobs	more /etc/crontab, ls /etc/cron.*, ls /var/at/jobs
Check DNS settings and the hosts file	more /etc/resolv.conf, more /etc/hosts
Verify integrity of installed packages (affects lots of files!)	rpm -Va (Linux), pkgchk (Solaris)
Look at auto-start services	chkconfig –list (Linux), ls /etc/rc*.d (Solaris), smf (Solaris 10+)
List processes	ps aux (Linux, BSD), ps -ef (Solaris), lsof +L1
Find recently-modified files (affects lots of files!)	ls –lat /, find / -mtime -2d –ls

Define Communication Parameters

Which individuals are aware of the incident? What are their names and group or company affiliations?

Who is designated as the primary incident response coordinator?

Who is authorized to make business decisions regarding the affected operations? (This is often an executive.)

What mechanisms will the team to communicate when handling the incident? (e.g., email, phone conference, etc.) What encryption capabilities should be used?

What is the schedule of internal regular progress updates? Who is responsible for them?

What is the schedule of external regular progress updates? Who is responsible for leading them?

Who will conduct "in the field" examination of the affected IT infrastructure? Note their name, title, phone (mobile and office), and email details.

Who will interface with legal, executive, public relations, and other relevant internal teams?

Assess the Incident’s Scope

What IT infrastructure components (servers, websites, networks, etc.) are directly affected by the incident?

What applications and data processes make use of the affected IT infrastructure components?

Are we aware of compliance or legal obligations tied to the incident? (e.g., PCI, breach notification laws, etc.)

What are the possible ingress and egress points for the affected environment?

What theories exist for how the initial compromise occurred?

Does the affected IT infrastructure pose any risk to other organizations?

Review the Initial Incident Survey’s Results

What analysis actions were taken to during the initial survey when qualifying the incident?

What commands or tools were executed on the affected systems as part of the initial survey?

What measures were taken to contain the scope of the incident? (e.g., disconnected from the network)

What alerts were generated by the existing security infrastructure components? (e.g., IDS, anti-virus, etc.)

If logs were reviewed, what suspicious entries were found? What additional suspicious events or state information, was observed?

Prepare for Next Incident Response Steps

Does the affected group or organization have specific incident response instructions or guidelines?

Does the affected group or organization wish to proceed with live analysis, or does it wish to start formal forensic examination?

What tools are available to us for monitoring network or host-based activities in the affected environment?

What mechanisms exist to transfer files to and from the affected IT infrastructure components during the analysis? (e.g., network, USB, CD-ROM, etc.)

Where are the affected IT infrastructure components physically located?

What backup-restore capabilities are in place to assist in recovering from the incident?

What are the next steps for responding to this incident? (Who will do what and when?)

Key Incident Response Steps

Preparation: Gather and learn the necessary tools, become familiar with your environment.

Identification: Detect the incident, determine its scope, and involve the appropriate parties.

Containment: Contain the incident to minimize its effect on neighboring IT resources.

Eradication: Eliminate compromise artifacts, if necessary, on the path to recovery.

Recovery: Restore the system to normal operations, possibly via reinstall or backup.

Wrap-up: Document the incident’s details, retail collected data, and discuss lessons learned.

In the next article we will put some light on DDOS attacks.

Source from: http://zeltser.com

OWASP Testing guide – Mindmap

>>>>Link to Image (PNG)<<<<

>>>>Link to Mindmap (.mm)<<<<

Web Application Testing guide – Mindmap

>>>>Link to Image (PNG)<<<<

>>>>Link to Mingmap (.mm)<<<<

OWASP Testing guide – The guide

>>>Link to the guide <<<<

For the “dummies”

FTP or File Transfer Protocol is a standard client-server based network protocol used to copy a file from one host to another over a TCP/IP-based network, such as the Internet. FTP runs on port 20 (data) and 21 (control). For more info check out this link.

Multiplicity of FTP

1. TFTP – Trivial FTP

Trivial FTP defined in the 1980 is the most basic form of FTP. It is mainly used for booting router devices, and other devices that does not have any data storage medium. TFTP is still used for data transfer between hosts on a network, such as IP phone firmware or operating system images when a remote X Window System terminal or any other thin client boots from a network host or server. Some network based installation systems (such as Solaris Jumpstart, Red Hat Kickstart, Symantec Ghost and Windows NT’s Remote Installation Services) use TFTP to load a basic kernel that performs the actual installation. TFP is implemented on UDP port 69 and can only read and write files from/to a remote server. It cannot list directories or has any form of authentication. [More Info]

2. FTP over SSH

FTP over SSH (misnamed sftp) works by tunnelling FTP over SSH on port 22. Because FTP uses multiple TCP connections, it is particularly difficult to tunnel over SSH. With many SSH clients, attempting to set up a tunnel for the control channel (the initial client-to-server connection on port 21) will protect only that channel. This in turn affects the data channel, which will be setup through a new TCP connection, bypassing the SSH connection, and thus the data being transferred have no confidentiality, integrity, etc. [More Info]

3. Simple File Transfer Protocol

Simple File Transfer Protocol, as defined by RFC 913, was proposed to be an unsecure file transfer protocol with a level of complexity intermediate between TFTP and FTP. It was never widely accepted on the Internet, and is now assigned Historic status by the IETF. Many people confuse this protocol with Secure FTP, i.e. FTP over SSH (since Secure FTP is named sftp).SFTP runs on port 115, and often receives the initialism of SFTP. [More Info]

The protocol supports the following:

1. User id based login (User-id/Password combination)
2. Hierarchical folders
3. File Management (Rename, Delete, Upload, Download, Download with overwrite, Download with append)

4. FTPS – FTP over SSL

FTPS (commonly known as FTP Secure or FTP-SSL) is another extension to the FTP service that utilizes TLS (Transport Layer Security) or SSL (Secure Socket Layer) cryptographic protocols.

Do not confuse FTPS with SFTP (SSH File Transfer protocol, an incompatible secure file transfer subsystem for the Secure Shell (SSH) protocol) or Secure FTP (tunnelling FTP over SSH).

FTPS can be implemented in explicit or implicit modes. In explicit mode, an FTPS client must "explicitly request" security from an FTPS server and then step-up to a mutually agreed encryption method. If a client does not request security, the FTPS server can either allow the client to continue insecure or refuse/limit the connection.

In implicit mode, negotiation is not allowed for FTPS configurations. A client is immediately expected to challenge the FTPS server with a TLS/SSL ClientHello message. If such a message is not received by the FTPS server, the server should drop the connection.

In order to maintain compatibility with existing non-TLS/SSL aware FTP clients, implicit FTPS was expected to listen on the IANA Well Known Port 990/TCP for the FTPS control channel and 989/TCP for the FTPS data channel. This allowed administrators to retain legacy compatible services on the original 21/TCP FTP control channel. [More Info]

5. SSH File Transfer Protocol

Now, SSH File Transfer Protocol (sometimes called Secure FTP or SFTP) is a network protocol that provides file access, file transfer, and file management functionality over any reliable data stream like SSH. It was designed to be an extension to SSH v2 to provide secure file transfer capability, and still be usable with other protocols as well.

The protocol assumes that it is run over a secure channel, such as SSH, that the server has already authenticated (hence, no authentication feature provided by SFTP) and that the identity of the client user is available to the protocol.

Remember, SFTP is not FTP run over SSH, but rather a new protocol designed from scratch by IETF working group. It is also sometimes confused with Simple FTP.

As discussed, the protocol does not provide any client authentication or data security and expects the underlying protocol (SSH) to secure the channel. [More Info]

To conclude

Well, I know, even after reading this you would definitely have more doubts. Well, good. Now you have started to think. Read the blog once again, visit some other sites (for reference) and if you are able to find other FTP flavours do let me know.

To conclude, file transfer protocol has been implemented in five different formats, TFTP,  Simple File Transfer Protocol, FTP over SSH, FTPS and SSH File Transfer Protocol. So, next time you are running, especially SFTP, make sure you are using the secure form of FTP, and not Simple FTP.

OWASP recently published the Top 10 Web application security risks that every security engineer needs to test and software engineers need to lookout for and rectify.

Top 10 Web App Vulnerabilities

1. Injection
2. Cross-Site Scripting (XSS)
3. Broken Authentication and Session Management
4. Insecure Direct Object References
5. Cross-Site Request Forgery (CSRF)
6. Security Misconfiguration
7. Insecure Cryptographic Storage
8. Failure to restrict URL access
9. Insufficient Transport Layer Protection
10. Unvalidated Redirects and Forwards

Injection

Injection flaws occur when an untrusted data is sent to an interpreter as part of a command or query. Targets can include SQL, Operating systems, LDAP, etc. The attacker’s “evil” data can trick the interpreter into executing unintended commands (such as system SHUTDOWN) or accessing unauthorized data (Credit card numbers, username/password, etc).

Cross-Site Scripting (XSS)

XSS flaws occur whenever an application takes untrusted data (through user-input fields, such as textbox, dropdown menu, etc) and sends it to a web browser without proper validation and escaping. XSS allows attackers to execute scripts (e.g. capture session ID) in the victim’s browser which can hijack user sessions, deface websites, or redirect the user to malicious sites.

Broken Authentication and Session Management

Application functions related to authentication and session management are not implemented correctly, allowing attackers to compromise passwords, keys, session tokens, or exploit other implementation flaws to assume other users’  identities (e.g. obtain admin privileges, Bob steals Alice’s session and does malicious activity under Alice’s name, etc).

Insecure Direct Object References

A direct object reference occurs when a developer exposes a reference to an internal implementation object, such as a file, directory, database key, direct access URL, internal IP address. Without an access control check or other protection, attackers can manipulate these references to access unauthorized data.

Cross-Site Request Forgery (CSRF)

A CSRF attack forces a logged-on victim’s browser to send a forged HTTP request, including the victim’s cookie and any other automatically included authentication information, to a vulnerable web application. This allows the attacker to force the victim’s browser to generate requests the vulnerable application thinks are legitimate requests from the victim. E.g. consider you have logged onto a vulnerable (CSRF) online shopping site; you visit a product’s page you want to buy. The link on the product site sends you to the product owner’s website (attacker). The owner’s site would have a link (say, on an image) that, when clicked, in the background will make the request to the shopping site to automatically add his product to your shopping cart without your knowledge.

Security Misconfiguration

Nothing can be worse than configuration error. Good security requires having a secure configuration defined and deployed for the application, frameworks, application server, web server, and platform. All these settings should be defined, implemented, and maintained as many are not shipped with secure defaults. This includes keeping all software up to date, including all code libraries used by the application. Some of the best resources for secure configuration can be found at NIST, SANS, CIS Benchmark

Insecure Cryptographic Storage

Many web applications do not properly protect sensitive data, such as credit cards, SSNs, and
authentication credentials, with appropriate encryption or hashing. Attackers may steal or modify such weakly protected data to conduct identity theft, credit card fraud, or other crimes. PCI provides strict guidelines for protecting credit card numbers, CVV numbers; at the application level, in-transit and on-storage. Additionally, a coder can implement strong cryptographic functions using AES, 3DES 128 bit, SHA1 instead of MD5, etc.

Failure to Restrict URL Access

Many web applications check URL access rights before rendering protected links and buttons.
However, applications need to perform similar access control checks each time these pages are accessed, or attackers will be able to forge URLs to access these hidden pages anyway. For example, after logging into a website, the URL reads, www.abc-website.com/user_account.html. Now, an attacker can try putting www.abc-website.com/admin_account.html, which could provide him the admin page which should be restricted.

Insufficient Transport Layer Protection

Applications frequently fail to authenticate, encrypt, and protect the confidentiality and integrity of sensitive network traffic. When they do, they sometimes support weak algorithms, use expired or invalid certificates, or do not use them correctly. E.g. using insecure secure channel like SSLv2, TLSv1; using weak encryption ciphers like 40bit RC4, 56 bit DES, etc. Web admins can verify the strength of their SSL certificates using the site www.ssllabs.com.

Unvalidated Redirects and Forwards

Web applications frequently redirect and forward users to other pages and websites, and use
untrusted data to determine the destination pages. Without proper validation, attackers can
redirect victims to phishing or malware sites, or use forwards to access unauthorized pages. Software coders should try and avoid using redirects as much as possible. If not, try not to include any user data for calculating redirects; always check if the user-provided value exists and the user is permitted to view the provided URL.

[For more information visit www.owasp.org or download OWASP Top 10 now]

Source [OWASP.org]

So, now I will share the same steps I followed that will ensure you can install Office 2007 on Ubuntu 9.10. Please do share your experience with me.

How To Install

First of all, you have to install a version of wine after v1.1.10 as older Wine releases will not work.

Step 1. Installing Wine:

wget -q http://wine.budgetdedicated.com/apt/387EE263.gpg -O- | sudo apt-key add –
sudo wget http://wine.budgetdedicated.com/apt/…t.d/hardy.list -O /etc/apt/sources.list.d/winehq.list
sudo apt-get update
sudo aptitude install wine

A .deb package can also be downloaded from http://wine.budgetdedicated.com/  please keep in mind that Ubuntu versions older than Hardy are no longer being updated.

Step 2. Download Winetricks

wget http://www.kegel.com/wine/winetricks

Step 3. Install Cabextract to run the Winetricks smoothly

sudo aptitude install cabextract

Step 4. Run Winetricks

sh winetricks

In the Winetricks window, install each of the following *individually*, which means check & install one, then re-run Winetricks and do the next:

• dotnet11
• gdiplus
• vb3run
• vb4run
• vb5run
• vb6run
• msxml3
• msxml4
• msxml6
• riched20
• riched30
• vcrun6
• Also, install dotnet20, dotnet30 and dotnet35 which can be download from Microsoft website and install using:

sh winetricks dotnet20

Follow the same for dotnet30 and dotnet35.

Step 5. Install MS Office 2007.

From your MS Office Installer CD or Directory, run:

wine setup.exe

Step 6. Run Office 2007 and enjoy

Additional

If you would like to install fonts available in Vista (especially Calibri) follow these steps

We have already installed cabextract from our previous steps, if not install cabextract by

sudo apt-get install cabextract

Then, once that is done, download this script or copy paste the script into a file and name it vista-fonts-installer.sh and store it in your home directory(~). Now convert the file into an executable by running

chmod a+x ~/vista-fonts-installer.sh

Then run the script using:

$ ~/vista-fonts-installer.sh

The script downloads the Powerpoint Viewer installer from microsoft.com, and then extracts the Vista cleartype fonts using cabextract. These fonts are then installed in the ~/.fonts directory. Why? Remember that the ClearType Vista fonts (Calibri, Trebuchet, etc) are not free as in they are not GPL-ed or made available under a re-distributable license. Since you are downloading the fonts from the MS website, and since you might already have a Windows XP/Vista license, this is not a crime, but consider yourself warned against the perils of supporting closed systems

Source [EmbraceUbuntu, Wine-Reviews]

The update caused McAfee to detect and block a legitimate and crucial file in Windows (specifically XP SP3) called svchost.exe which checks the services part of the registry to construct list of all services that must be loaded during startup. Since, svchost.exe was blocked/deleted by the McAfee AV (Anti-virus), the windows machine would shutdown itself and then go into a reboot loop with a blue screen flashing in front of you (BSOD).

McAfee, soon identified the error and released an emergency update on Wednesday, 21st April 2010 at 2pm GMT. By this time, numerous system were “infected” and created havoc. Many organizations required a technician to physically go to each machine and rectify the issue manually.

Joris Evers, a McAfee spokesperson, e-mailed a statement explaining "In the past 24 hours, McAfee identified a new threat that impacts Windows PCs. Researchers worked diligently to address this threat that attacks critical Windows system executables and buries itself deep into a computer’s memory."                                          [PC World]

McAfee soon released the “patch” along with the steps to recover from the problem on this forum page. However, the forum had to be taken down because of overwhelming number of requests.

This is not the first time (probably not the last) that an anti-virus solution misidentified legitimate files as malicious. Bitdefender software had a similar incident last month, due to which numerous systems running various windows flavours were locked down.

Could there be a silver lining to this incident? Well, since only Windows XP SP3 machines were infected, upgrading to the latest Windows 7 could be an option or opt for Linux (P.S. I vote for Linux).

Source: PC World, NDTV.com

What is a proxy server?

Haven’t we all asked that question at one point of time or the other? Are you still pondering over that question? Lets see if the following information will help you put your “over-heated” brain at rest .

Define:Proxy Server

A proxy server is a server (a computer system or an application program) that acts as an intermediary for requests from clients seeking resources from other servers. That means, the proxy server will receive all the requests from a client (say, you) and will re-initiate the request on your behalf to the server.

Are there various types of proxy servers?

Oh, yes. The various types of proxy servers that are operational in the real world include:

• Caching Proxy servers
• Content-filtering web proxy
• Transparent (or Forced or Intercepting) & Non-Transparent proxy servers
• Anonymizing proxy servers
• Reverse proxy servers
• Hostile proxy servers
• Suffix proxy servers
• Open Proxy servers
• Tunnelling proxy servers

Oh god! What do these proxy servers do?

Caching proxy:

A caching proxy facilitates acceleration of requests by retrieving content saved from a previous request made by the same client or another. Caching proxies keep local copies of frequently requested resources, allowing large organizations to significantly reduce their upstream bandwidth usage and cost, while significantly increasing performance. Most ISPs and large businesses have a caching proxy. One of the most famous and open source caching proxies is the Squid proxy. 

Caching proxies today, utilize ICP or Internet Cache Protocol to coordinate web caches. Its purpose is to find out the most appropriate location to retrieve a requested object from in the situation where multiple caches are in use at a single site. The goal is to use the caches as efficiently as possible, and to minimize the number of remote requests to the originating server. The queried caches are stored hierarchically, with the most queried content on top of the heap, nearest to Internet (called parent) and the least queried cache at the bottom, but nearest to the client (child).

Every request from the client comes to a child system (ideally). If the child is not able to serve a query, the child queries all the other siblings through ICP to find the content. Still, if the content is not available with any sibling, then the query is sent to the parent, which will fetch the content from the Internet, cache and then pass on the request. Siblings are caches of equal hierarchical status, whose purpose is to distribute the load amongst the siblings.

The ICP protocol was designed to be lightweight in order to minimize round-trip time between caches. It is intended for unreliable but quick connections.

Content – Filtering Web proxy:

A proxy that focuses on WWW traffic (Internet) is called a “web proxy”. Serving as a web cache is the main purpose of a web proxy. It caches requests being served to all the clients and then serves the same request from the cache (which has been requested earlier by the same or another client), rather than going to the Internet.

A content-filtering web proxy facilitates to deny access to URLs specified in a “blacklist”, thus providing content filtering. This type of proxy servers are deployed mostly in corporate, educational or library environment, and anywhere else where content filtering is a requirement. Squid proxy can be configured to work as a content filtering using SquidGuard, which provides a blacklist database along with URL categories, that each administrator can configure to allow/block according to Acceptable use policy of his organization.

A content filtering proxy can support user authentication through multiple sources like Active directory, HTTP based, NTLM based, LDAP based, etc, to control web access. It also produces logs, either to give detailed information about the URLs accessed by specific users, or to monitor bandwidth usage statistics. It can also communicate to daemon-based and/or ICAP-based antivirus software to provide security against virus and other malware by scanning incoming content in real time before it enters the network.

Transparent (or Forced or Intercepting) & Non-Transparent proxy servers

The term “Transparent proxy” refers to a proxy server that a client is not required to physically configure on the browser and cannot directly detect that his requests are being proxied. A transparent proxy does not modify the request or response beyond what is required for proxy authentication and identification.

A Non-Transparent proxy, however, modifies the request or response in order to provide additional service, such as group annotation services, media type transformation, protocol reduction, or anonymity filtering.

Transparent proxies can be implemented using Cisco’s WCCP (Web Cache Control Protocol). This proprietary protocol resides on the router and is configured from the cache, allowing the cache to determine what ports and traffic is sent to it via transparent redirection from the router. This redirection can occur in one of two ways: GRE Tunnelling (OSI Layer 3) or MAC rewrites (OSI Layer 2).

A security flaw in the way that transparent proxies operate was published by Robert Auger in 2009 [1] and advisory by the Computer Emergency Response Team [2] was issued listing dozens of affected transparent, and intercepting proxy servers.

An Intercepting proxy combines a proxy server with a gateway or router(commonly with NAT capabilities). Connections made by client browsers through the gateway are diverted to the proxy without client-side configuration (or often knowledge). Connections may also be diverted from a SOCKS server or other circuit-level proxies. Intercepting proxies are also commonly referred to as "transparent" proxies, or "forced" proxies, presumably because the existence of the proxy is transparent to the user, or the user is forced to use the proxy regardless of local settings.

The term "forced proxy" is ambiguous. It means both "intercepting proxy" (because it filters all traffic on the only available gateway to the Internet) and its exact opposite, "non-intercepting proxy" (because the user is forced to configure a proxy in order to access the Internet).Forced proxy operation is sometimes necessary due to issues with the interception of TCP connections and HTTP. For instance, interception of HTTP requests can affect the usability of a proxy cache, and can greatly affect certain authentication mechanisms. This is primarily because the client thinks it is talking to a server, and so request headers required by a proxy are unable to be distinguished from headers that may be required by an upstream server (esp authorization headers). Also the HTTP specification prohibits caching of responses where the request contained an authorization header.

Anonymizing proxy servers :

An Anonymous proxy (sometimes also called online web proxy) generally facilitates to anonymize web surfing. As we know, every time we browse the Internet, we leave our e-footprint (like, IP address, cookies, Google search strings, etc). In order to disguise our browsing habits and to minimize our e-footprint, anonymous proxies are used.

One of the more common variations is the Open proxy. They are typically difficult to track, and are especially useful to those who wish to hide their existence, such as political dissidents to computer criminals. The server receives requests from the anonymizing proxy server, and thus does not receive information about the end user’s address. However, the requests are not anonymous to the anonymizing proxy server, and so a degree of trust is present between that server and the user. Many of them are funded through a continued advertising link to the user.

Reverse proxy servers :

Reverse proxy is the proxy server that is mostly found in the  neighbourhood of one or more web servers. All the traffic coming from the Internet, heading towards the web servers is proxied though the reverse proxy. Why do we need a proxy server in front of a web server? There are several reasons:

• Encryption/SSL acceleration: Rather than the web servers providing secure web sites themselves, the SSL encryption is provided by an SSL acceleration hardware installed at the reverse proxy. Thus multiple sites can use the same reverse proxy to provide SSL encryption.

• Load balancing: The reverse proxy can distribute the load to several web servers, each web server serving its own application area. In such a case, the reverse proxy may need to rewrite the URLs in each web page (translation from externally known URLs to the internal locations).

• Server/cache static content: The reverse proxy can cache static contents from the web servers and can serve the client requests from its cache rather than sending the request to the web servers, hence reducing the load on the web servers and also accelerating the speed of serving the client. If the web servers are slow, caching the contents at the proxies, allows to serve client faster, reducing load time for websites.

• Compression: Reverse proxies can also optimize and compress the content to speed up the load time for websites.

• Security: The reverse proxy can act as an additional layer of defence against attacks targeted towards the web servers, specifically OS and Web Server attacks. However, it might not be able to protect against attacks on web application or the service itself. Today, there are however, reverse proxies that have sophisticated engines running that can analyse each packet and identify if an attack is being targeted to the web servers and simultaneously block it.

• Extranet Publishing: A reverse proxy server facing the Internet can be used to communicate to a firewalled server internal to an organization, providing extranet access to some functions while keeping the servers behind the firewalls. If used in this way, security measures should be considered to protect the rest of your infrastructure in case this server is compromised, as its web application is exposed to attack from the Internet.

  If you require more information on Reverse proxy and its security, refer to the article “Security Reverse Proxy ”by Sam Varughese, Paladion Networks

Hostile proxy servers :

Proxy servers that are installed solely to eavesdrop upon the dataflow between client machines and the web are called Hostile proxy servers.  Hostile proxies are able to capture all the accessed pages, forms submitted with its data. Hence, all sensitive communication like, banking, shopping, etc must be exchanged over a cryptographically secured connection, like SSL.

Suffix proxy servers :

A suffix proxy server allows a user to access web content by appending the name of the proxy server to the URL of the requested content (e.g. "en.wikipedia.org.6a.nl").

Suffix proxy servers are easier to use than regular proxy servers. The concept appeared in 2003 in form of the IPv6Gate and in 2004 in form of the Coral Content Distribution Network, but the term suffix proxy was only coined in October 2008 by "6a.nl".

Tunnelling proxy servers :

A tunnelling proxy server is a method of defeating blocking policies implemented using proxy servers. Tunnelling proxy servers are used by people who have been blocked from viewing a particular web site. Most tunnelling proxy servers are also proxy servers, of varying degrees of sophistication, which effectively implement "bypass policies".

Today, many users use tunnelling proxy servers to get past the content-filtering proxy servers deployed at their organizations, educational institutions, libraries, etc which enforce URL filtering. This technique is successful because, as the URL filter is concerned, it is connecting to a legitimate website (only if the URL filter does not have the URL in its database or has mis categorized it) with no malicious or illegal contents. The tunnelling proxy sends the request to the blocked site and provides it the user, thereby over powering the URL filtering.

One of the most common example is Google translator. The Google translator translates an url provided to it to any language as configured. This however, had a side effect. If Google translator is configured to translate an URL in the same language (English to English), it still tries to translate and then shows the web site to the user. And, the url? Well, if you check it it would be Google.com. As the URL filter is concerned, the user is accessing Google.com, but we know that through the translator the user is able to view blocked pages, thereby converting Google translator into a proxy server.  

What do I gain from a proxy server?

A proxy server has many potential purposes. To name few,

• It keeps the client anonymous for security. As the server is concerned, it thinks that the request is coming from the proxy and not from you.
• It helps to speed up access to resources through caching (Cache proxy)
• A proxy server enhances network security by providing controls for receiving and forwarding (or rejecting) requests between isolated networks, for example, forwarding requests across a firewall.
• A proxy server lessens network traffic by rejecting unwanted requests, forwarding requests to balance and optimize server workload, and fulfilling requests by serving data from cache rather than unnecessarily contacting the true destination server.
• Provides content-filtering for organizations, educational institutions, etc.
• Provides SSL acceleration, and allows multiple web servers to use the same SSL engine to provide secured web pages.

To conclude

Well, to conclude, a proxy server can help to speed up a loading of websites through caching, provide additional security to web servers, provide URL filtering, provide anonymity to users. But, remember, when security is concerned, the proxy server itself is a vulnerability, as it is exposed to the Internet (reverse proxy), and is a single point of failure for web servers(reverse proxy). The increased overheads of a security reverse proxy should be an acceptable price for the assurance obtained against web application vulnerabilities.

Anonymous proxies can be setup by hackers to obtain sensitive information like username and password of users who try and login to their accounts through anonymizing proxy servers. So, never use an anonymous proxy to login to your accounts (Facebook, Orkut, banking, shopping, etc).

(Source: Sans.org, Wikipedia.com, Palisade.plynt.com, Publib.boulder.ibm.com)

Matriux is a fully featured security distribution consisting of a bunch of powerful, open source and free tools that can be used for various purposes including, but not limited to, penetration testing, ethical hacking, system and network administration, cyber forensics investigations, security testing, vulnerability analysis, and much more. It is a distribution designed for security enthusiasts and professionals, although it can be used normally as your default desktop system (Source Matriux.com).

It can be deployed as a Live-CD or as a virtual machine. Today, I will help you install Matriux on Vmware and Virtualbox (two most commonly used virtual machines).

Since, the steps involved in deploying on virtualbox and vmware are quite similar, and because I use virtualbox instead of vmware , I will be demonstrating the installation process through virtualbox. For those who wish to install it on vmware, just follow the same procedure.

DISCLAIMER: The snapshots are for representative purposes. Configuration parameters can be set as per your requirement.

Step 1:

Pre-Installation Checklist:

1. Download and install Virtualbox or Vmware.
2. Download Matriux Live CD.

Step 2:

Installation Procedure:

1. From the menu, select New Virtual Machine.

   

2. Name the virtual machine “Matriux” (or anything you want). Select Operating System as “Linux” and Version as “Ubuntu”
   3. Now specify the RAM size of virtual machine. If you have 1 GB of total RAM, I suggest about 256MB to start with.
   

   4. Now lets create a virtual hard disk for virtual machine here. Since it is the first time, we are going to make a virtual machine, we will choose the option to create a new hard disk.

   

   5. This is the welcome screen to create a new virtual hard disk

   

   6. Here you can choose the type of storage, dynamically expanding type storage will consume your original HDD space according to the file size of Guest OS, while Fixed storage size will reserve the space from your original HDD. Here we will go for "Dynamically Expanding storage"

   

   7. Here you can specify the name and maximum storage area for this virtual hard disk. I would suggest to start off with 5GB, since the “Dynamic” HDD will dynamically expand as and when required

   .

   8. Click on Finish button to complete the Virtual Hard disk wizard

   

   9. Click on Finish button to complete the new virtual machine wizard

   

   10. Now click on top left yellow button which says "Settings" to further configure the virtual machine

   

   11. This are the various Settings for your virtual machine

   

   12. Click on CD/DVD-ROM tab on the left side

   

   13. Click on the "ISO Image File" radio button and then on the yellow folder icon next to the field which says "<no media>"

   

   14. This is the Virtual Media Manager. Click on Add button to add ISO files

   

   15. Virtual Media Manager will open a new window, so that you can select an ISO image.

   

   16. Point it to the Matriux ISO image you downloaded and click “Open” to select the file.

   

   17. Click on Select button in Virtual Media Manager.

   

   18. Click on "OK" button

   

   19. Click on the green Start button

   

   20. Read this integration notes and press on OK button. If the pop-up does not come, ignore it.

   

   21. Ignore this warning by clicking on OK button. If the pop-up does not come, ignore it.

   

   22. Click inside the console, and press enter to continue

   

   23. On the Login Screen enter:

   User name: tiger

   Password: toor

   

   24. Wait till the KDE is loaded….

   

   25. Now you are in Matriux

   

   26. Goto KDE Menu > System > Konsole Terminal

   

   27. Type Code:

   sudo ubiquity

   and press enter. Provide the password: toor

   

   28. Now, the installer will start. Choose your installation language > English

   

   29. Select your timezone > Click near Kolkatta to set India as Time Zone.

   

   30. Select your keyboard layout > USA

   

   31. Preparing disk space, allow it to use entire disk

   

   32. Fill the form as per your preference, choose password

   

   33. If your password is weak, you will get this message. So better go for a good one

   

   34. Click on Install button

   

   35. Now, get a coffee and sit back and relax. Wait till the installation is over. It should take about 10-15 minutes (depends on how much RAM you have and how much you specified)

   

   36. Installation completed, click on "Restart Now"

   

   37. At this point, the window will close automatically. If not, close the window and goto the Settings

   

   38. Goto CD/DVD-ROM tab

   

   39. Click on the Host CD/DVD Drive radio button, so that next time you restart, it does not boot from the CD (iso).

   

   40. Now Start the virtual machine again

   

   41. Provide your user name and password, as configured by you.

   

   42. Voila.! You are in . Now start H@ckin…

   

(Source: Matriux Forum)