Linux Mint to take Linux Crown from Ubuntu?

Linux Mint is now the 4th most used home operating system in existence. But can it unseat Ubuntu as the top Linux OS?

Ubuntu, currently number 3 (behind Windows and Mac) in the home OS theater, has received some stiff competition from Linux Mint. Distrowatch shows that Linux Mint has been the most popular Linux distribution over the last year, and their Linux Mint page has had about 2.5 times more visitors than Ubuntu’s page. Though Distrowatch claims that their stats are for entertainment purposes only, Linux Mint is definitely on the rise.

Add to that long time Ubuntu users dislike of the Unity desktop, now the main GUI by default,  and several issues with upgrading to 11.10 and you can see why some people are starting to look elsewhere.

Linux Mint may be an attractive alternative to many users. The install is familiar, it looks like Ubuntu, acts like Ubuntu and most importantly, it comes with the classic Gnome interface – not Unity.

With reports that it is very stable, I couldn’t resist anymore and decided to give it a whirl.

The installation was almost completely identical to Ubuntu’s. And once it is up and running, it looks just like Ubuntu with the classic gnome interface installed. Just a quick glance around and I fell in love very quickly.

First I liked the way it notifies you of available updates:

Also, looking through the menu, I found that it comes with the Firewall graphical user interface installed. You have to install it yourself in Ubuntu:

Just surfing around I felt very at home and familiar with the Gnome interface and the Ubuntu feel.

Okay, what didn’t I like about Linux Mint?

The color scheme! There is just something about green on gray that just turns me off. But a quick theme download and background change and things looked much better:

Linux Mint 12, check it out!

Backtrack 5: Penetration Testing with Social Engineering Toolkit

Social engineering attacks are one of the top techniques used against networks today. Why spend days, weeks or even months trying to penetrate layers of network security when you can just trick a user into running a file that allows you full access to their machine and bypasses anti-virus, firewalls and many intrusion detection systems?

This is most commonly used in phishing attacks today -craft an e-mail, or create a fake website that tricks users into running a malicious file that creates a backdoor into their system. But as a security expert, how could you test this against your network? Would such an attack work, and how could you defend against it?

The Backtrack Linux penetration testing platform includes one of the most popular social engineering attack toolkits available. My previous “How-To” on Backtrack 4’s SET has been extremely popular. Well, Backtrack 5’s SET includes a whole slew of new features and I figured it was time to update the tutorial.

We will use SET to create a fake website that offers a backdoored program to any system that connects. So here goes…

Okay, timeout for a disclaimer: This is for security testing purposes only, never attempt to use any security checks or tools on a network that you do not have the authorization and written permission to do so. Doing so could cost you your job and you could end up in jail.

1. Obtain Backtrack 5 release 1. You can use the LiveCD version, install it on a new system or run it in a Virtual Machine.

2. The first thing you will want to do is update both the Metasploit Framework and the Social Engineering Toolkit to make sure you have the latest version. Update both, restart SET and check updates one more time.

3. Select number 1, “Social Engineering Attacks”

4. Next select 2, “Website Attack Vectors”. Notice the other options available.

5. Then 1, “Java Applet Attack Method”. This will create a Java app that has a backdoor shell in it.

6. Next choose 1, “Web Templates” to have SET create a generic webpage to use. Option 2, “Site Cloner” allows SET to use an existing webpage as a template for the attack webpage.

7. Now choose 1, “Java Required”. Notice the other social media options available.

8. Pick a payload you want delivered, I usually choose 2, “Windows Reverse_TCP Meterpreter”, but you have several to choose from including your own program . Number 13, “ShellCodeExec Alphanum Shellcode” is interesting as it runs from memory, never touching the hard drive, thus effectively by-passing most anti-virus programs.

9. Next choose an encoding type to bypass anti-virus. “Shikata_ga_nai” is very popular, Multi-Encoder uses several encoders, but number 16 is best, “Backdoored Executable”. It adds the backdoor program to a legitimate program, like Calc.exe.

10. Set the port to listen on, I just took the default.

Now Backtrack is all set and does several things. It creates the backdoor program, encodes and packs it. Creates the website that you want to use and starts up a listening service looking for people to connect. When done, your screen will look like this:

Okay we are all set. Now if we go to a “Victim” machine and surf to the IP address of the “attacker” machine we will see this:

If the “Victim” allows this Java script to run, we get a remote session on our attacking machine:

You now have access to the victims PC. Use “Sessions -i” and the Session number to connect to the session. Once connected, you can use linux commands to browse the remote PC, or running “shell” will give you a remote windows command shell.

That’s it, one bad choice on the victim’s side and security updates and anti-virus means nothing. The “Victim” in this case was a fully updated Windows XP Professional with the top name anti-virus internet security suite installed and updated.

They can even surf away or close the webpage, because once the shell has connected the web browser is no longer needed. Most attackers will then solidify their hold on the PC and merge the session into another process effectively making the shell disappear.

This is why informing your users about the dangers of clicking on unknown links in e-mails, suspicious web links, online anti-virus messages and video codec updates is critical. It can be very hazardous to your network.

The easiest way to stop this type of attack is to simply run the FireFox add-in “Noscript”, also BitDefender AV 2012 seems very, very resilient against these types of attacks.

4 Reasons to Use a Vulnerability Scanner

Two of the best pieces of advice ever given to me are “Know your enemy” and “Know Thyself”. Neither was offered in the context of information security, but both are exceptionally appropriate, and a vulnerability scanner will help with both.

A vulnerability scanner is a tool that can automatically scan your network and the systems connected to it, examining each one for vulnerabilities that could be exploited. Malicious users frequently use vulnerability scanners or other automated scanning tools to hunt for ways to compromise your systems; using the same tools yourself not only gives you an understanding of what they are seeing on your network, but also lets you know about issues before they become incidents.

 There are many different reasons to use a vulnerability scanner. Security engineers may use a vulnerability scanner to report on the overall threat matrix, but systems admins should take advantage of more than just that. Here are my own top four reasons to use a vulnerability scanner on my own network. Run through this list and see if you don’t decide to use a vulnerability scanner yourself by the time you get to the end.

 Scanning shows you what other reports can’t.

  1. Your patching and a/v systems can’t report on the things that don’t run their agents or belong to the domain. Standalone servers, network hardware, rogues workstations, and access points are all examples of things on your network that neither your a/v nor your patching solution will be able to include in a report.
  2. Diff-ing scheduled scans let’s you spot and track changes.
    One of the most effective ways to spot any changes on your network, whether that be new systems plugged in, or just new services enabled, is to scan weekly and then compare the deltas. This is also a fantastic way to audit your change management process to make sure it is being followed and is effective.
  3. Knowing what the bad guys see helps you rank and schedule remediations.
    You know the bad guys are scanning your network. Knowing what they are seeing, and being able to rank vulnerabilities by risk and impact, will let you assign tickets and set priorities for fixing any issues discovered by the scan.
  4. It’s one thing to talk about vulnerabilities; it’s quite another to show them.
    You can talk to some systems admins, or managers, until you are blue in the face about how important it is to patch their system and have as much impact as talking to yourself. But if you run a vulnerability scan and show them just how many vulnerabilities are showing up in their system. That will get their attention, and then their system should get the attention it needs.

 Running regular scans of your network with a vulnerability scanner shows you what potential attackers are seeing, highlights potential attack points, and helps you keep track of everything plugged into your network. Using a vulnerability scanner is a great way to stay a step ahead of the bad guys and to keep on top of your own systems.

This guest post was provided by Casper Manes on behalf of GFI Software Ltd. GFI is a leading software developer that provides a single source for network administrators to address their network security, content security and messaging need. Learn more on what to look out for when choosing a vulnerability scanner.

All product and company names herein may be trademarks of their respective owners.

HTML Tag can Cause Windows 7 x64 to “Blue Screen of Death”

Secunia has released a security warning that a specially crafted webpage can cause a fully patched Windows 7 x64 system to crash. At this point the page just makes Windows 7 perform the dreaded “Blue Screen of Death”, but it could be used maliciously to create a Zero-day exploit.

“The vulnerability is caused due to an error in win32k.sys and can be exploited to corrupt memory via e.g. a specially crafted web page containing an IFRAME with an overly large “height” attribute viewed using the Apple Safari browser.

Successful exploitation may allow execution of arbitrary code with kernel-mode privileges.”

Hackers look for bugs like this to create exploits that will drop them into the system remotely with administrator or even system level privileges.

The attack works only against the 64-bit version of Windows 7, the 32-bit version seems unaffected. But the warning does state that the bug may be present in other versions of Windows. This is concerning as Windows Server 2008 shares a lot of code with Windows 7, I am curious if it is also affected.

As of yet, there is no patch available to fix this issue.

*** Update – It is interesting that it is not just a large number as the advisory states. A quick search around the web and the number in question is available. It seems to be a specific 8 digit number. A random number above 8 digits did not trigger the crash.

Just a single line stored in an html file with the right number causes the crash:

As soon as you attempt to open the webpage with Safari, your Windows 7 instantly crashes. Hopefully Apple will get this patched quickly.