/\ /^/_ _ __ __ _|^|_ __ ___ / \/ / _` '_ \/ _` | | '_ ` _ \ / /\ / (_| |_) (_| | | | | | | | /_/ \/ \__, .__/\__,_|_|_| |_| |_| |_| Issue 2 (Dec 3, 1999) ___________________________________________________________________________ The gh0st.net project: http://www.gh0st.net/index.html URL of the day: http://www.imagineradio.com All content copyright © 1999 by the individual authors, All Rights Reserved ___________________________________________________________________________ - Editor's Comments - Ramblings - URLs - The gh0st.net Project, continued - Quantum Cryptography - Securing Your Communications (A Guide to VPNs) - Future Issues - Credits *********************************************************************** *** Editor's Comments : Kynik *********************************************************************** The first issue didn't seem to get all that well circulated, so I'm working on publicizing everything a bit more. I'm also interested in picking up 1-3 people that would like a mentor. Yeah, like the whole 'old school' idea of a mentor. It's mainly so I can get some direct feedback personally from newbies so I can determine what other people (besides me and the other people I normally conspire with) are curious about, and interested in. Email me at kynik@gh0st.net with a blurb about what you are interested in, and why you want a mentor. And please, no ass-kissing bullshit emails. Tell it like it is, and everyone's happier. *********************************************************************** *** Ramblings : ajax *********************************************************************** You'll see comments embedded in the articles within square brackets. These are intentional, although they should not be treated as the article author's content. The name in curly brackets indicates the commentator, obviously. If you're thinking about submitting an article, but don't want us tagging your masterpiece with our incoherent ramblings, that's cool, just let us know. *********************************************************************** *** Random good URLs : Kynik, Ajax *********************************************************************** Linux Security Audit FAQ: http://www-jcr.lmh.ox.ac.uk/~security/ Linux on Alpha systems: http://www.alphalinux.org/ Got a VAX lying around? Free Hobbyist Licenses for OpenVMS: http://www.montagar.com/hobbyist/ The sci.electronics.repair Links/FAQ Page: http://www.repairfaq.org/ Several good security papers: http://www.enteract.com/~lspitz/pubs.html Transparent Cryptographic File System: http://tcfs.dia.unisa.it/ *********************************************************************** *** The gh0st.net Project (Part 2 of 2): Phatal *********************************************************************** <...continued from last issue> [ The referenced graphics can soon be found on the following page in JPG format. (http://fire.gh0st.net/napalm) {kynik} ] Basic Network Structure: Ok, here's what we've all been waiting for. This is what I've come up with so far in terms of the structure of the network. I'll show you both my initial plans for gh0stnet and the revised plans. As always, let the suggestions, reprimands, and warnings fly. As we all know, the forum is open, so any and everything is up for discussion. Here we go: Initial Initially, I planned on gh0stnet being located on one single physical network so a bit of the design reflects that. Currently, in realizing that there is no conceivable way for me to run 20 (and in the future >20) systems at one time I've been considering some secure VPN solution...any suggestions or comments about that one? Lemme know. The initial design of gh0stnet is gh0st1.jpg. This is the original concept circa '94. When developing the network then, I had very little knowledge about network components and how they were set up, so you'll notice the scant detail and the technical inaccuracy. Eventually, the initial idea evolved as I learned more about network design. The concept is the important aspect though so there are a few things to note. [ although a gh0st.net compound would be a dream. {ajax} ] 1. Multiplicity - Multiple networks is an important part of the design. Primarily because it is then possible for us to have fun with network trust relations, loose firewalls, rogue routers, so on and so forth. [ maybe some remote nodes from other groups on the VPN? {ajax} ] 2. Difficulty - You may not have noticed, but those black bars are supposed to be firewalls...I know, my illustrations suck. I figured the establishment of security domains like this (networks that don't trust each other and embody disparate and at times conflicting security policy) would be important. The difficulty is a major factor, I really didn't want the whole thing to be easy...and I didn't really want the entire thing to be difficult. So: levels of difficulty. Plain and simple. This diagram doesn't really reflect that very much, the current design emphasizes this though. 3. Heterogeneous - In considering the network would be difficult, I assumed that difficulty would lay in unpredictability. Oddball machines, Operating Systems, filtering rules, hacked up software and other interesting tidbits would keep people guessing. Back then, my concept of what was "oddball" is rather tame compared to what I have in store now. In short, gh0stnet would be so obscure that users would have to do multiple network scans... just to make sure they weren't seeing things. I wanted every machine on the network to be so interesting that figuring out what it did would be more engaging than actually gaining root on the machine. Well, that's the ideal anyway. [ different platforms lend themselves to different things. having our own, custom software on each machine for people to play with would add to the non-root-related interest. {ajax} ] Ok, so those were the initial intentions/ideals. Among other initial ideas was the inclusion of content on the servers. What kind of content? Basically rare and pilfered information found in the darkest depths of the ether. This is an idea I'd rather give some critical thought before I even begin to conceptualize further... it's a bit dangerous. On the other hand, throwing content having to deal with some of the internetworkings of gh0stnet on the servers (such as information on versions of software, type of hardware, and functions of boxen) wouldn't be such a bad idea. It might fuel incentive. New Design Now, my current design of gh0stnet can be found in gh0st2.jpg. This is much more of an end-view of the project rather than what it will start out as. When examining the diagram, keep in mind that this is what I'm working towards. This will be gh0stnet in all it's glory. I'll explain a few of the aspects to take note of: 1. Infrastructure vs. Game - Differentiation between what we'll be using as hunt and what we'll be using as infrastructure is important. The nature of gh0stnet insists that we protect the outside world from what goes on inside of the network. In this diagram, RouterX, Firewall-A, and WWW are infrastructure. WWW doesn't neccessarily have to be connected to gh0st.net but is used as a way of communicating with the public. Both as a method of relaying happenings on gh0st.net (logs, downed boxen, the idiot of the week) and updates (limited network modification info). [ Or hints, tricks and false leads... {kynik} ] RouterX is important simply as a means of keeping gh0stnet up. It can't be flooded and the routing rules shouldn't be modified. It should sit there and route packets as it was meant to. This all pretty much goes without saying, but being that we may not all neccessarily have the same equipment, it's important that we make sure what we're running is up to date and as secure as can possibly be. Firewall-A must be up at all times. The rules should reflect something like this: send in whatever you want, but nothing gets out. Although we've already stated in the policy that malicious attacks on other machines from gh0st.net boxes are prohibited, I'd like to make sure that they simply don't happen. As a configuration, I'd like firewall-a to be absolutely invisible, it should in no way appear to be a box available for attack. The alternative is a rock-solid OS (can anyone say "OPENBSD"?) that will be updated on a regular basis and function as a kick-all-ass-don't-fuck-with-me firewall. Any suggestions or other alternatives? [ what you really want here is an ethernet bridge, hacked to filter traffic. drop it in line between the internet connection and the hub. it won't even show up on a traceroute; it doesn't even need to have an ip address. i know this can be done in linux, although as phatal says, openbsd would be better to trust for this. {ajax} ] 2. Difficulty Levels - In this diagram, I expanded on the original design by creating 'tiers'. Ideally, each tier should be more difficult than the one before it. My philosophy on this isn't really set in stone and I've been fluctuating between providing a mixed bag..but ultimately I'd like to have one network that would be damn near impossible to penetrate. Any feelings on this one? I was playing around with the idea the access to a higher tier should be dependent on having successful defeated security on the tier directly below it. Should users know how many tiers there are? Let me know what you think. [ sounds like a video game ;). it does sound cool, though. bridges, as above, don't require massive hardware - 40$ 486's should do the job - and you might use them to completely hide segments of the network from each other. you could even have all the bridges covertly communicating with each other to enforce some very interesting dynamic rulesets. this, combined with multiple protocol stacks (decnet, appletalk, banyan, ipx...) could make life very interesting. {ajax} ] 3. What is Game? - Game is anything that can be connected to a network and provides some form of entertainment. From either a security standpoint or just a "Jesus christ..I can't beleive they actually *hooked* that up to a network!" standpoint. KP2 is working on writing a stack for the Apple //e, and the blue linux project seems to be a good candidate for going up on the network. I have a TCP stack for the Atari2600 written and ready to go...now I need to go out and buy a new atari...mine was destroyed in the move :/. We can all get together and make a list of the type of things we'd like to see on the network. I currently have a list of OSs that are in my possession that I thought would be good for certain tiers and I'll be circulating that around to you folks ASAP. [ blue linux and ataris... man, and i thought the layers-of-complexity thing raised the video game quotient ;) {ajax} ] Wrap Up and Further Direction That pretty much wraps it up for right now. I just want to make sure we're all on the same page and we're moving in similar directions. First orders of business are basically getting the tiers up in *any* form possible. I just want to start offering people boxes to crack. KP2 seems to have some good space available so hopefully that will be the landmark setup. In the mean time, consider available solutions, bumps in the road, or discrepancies in these designs. This can be a reality, it's just going to take a lot of work and a lot of dough... and some thinking... we'll try to balance that off with large amounts of alcohol. Cheers. -Phatal *********************************************************************** *** Quantum Cryptography: Kynik *********************************************************************** It will happen eventually. Somebody will figure out a way to factor large prime numbers, and, if you didn't know already, will break a decent number of the 'military-grade' cryptographic algorithms out there today. Are you using PGP to encrypt your email? Most likely your email wouldn't be as secure as you'd hoped anymore, since RSA will be essentially broken. What's the solution to this? Sure, you can make the keys bigger, but once the mathematical holy grail of large number factoring is figured out, that's a trivial obstacle. So, what other way is there to encrypt a bunch of information? Well, since 1984 or so, scientists have been working on a theoretically unbreakable algorithm, and this field of science is called quantum cryptography. It uses the principles of quantum physics (specifically, the way photons-the smallest pieces of light-interact) to send a stream of data securely between two points. A good article recently put out by New Scientist gives a rather thorough explanation on how it works, and it is from that article where I got the inspiration to write this blurb, as well as a good deal of my information. http://www.newscientist.com/ns/19991002/quantumcon.html If you're looking for some more in-depth academic papers on the topic: http://www.gap-optique.unige.ch/Publications/LookUp.asp?Search=crypto The underlying cryptographic technique used by quantum cryptography is the elusive one-time pad algorithm, which is proven to be uncrackable. The reason it's uncrackable, is because the key used to encrypt the message is itself as long as the message. So, if I have the message: THE ROOSTER CROWS AT DAWN I could make up a random string of the same length, like: SPE^38CMQQ11!:;[cS3tySH8& And encrypt (probably just XOR) the message with this string, creating an unintelligible mess. Then, the person receiving the message would be able to retrieve the original message by decrypting with the same string. Brute forcing doesn't work against the one-time pad, since you could guess many many wrong keys, and still never be sure if the message you received at the end was correct. I could just as easily get: HIDE THE NUCLEAR MATERIAL And never be the wiser that I was mistaken. The big problem is that in order for our target to be able to receive this message, we must figure out a way to transmit the key to them securely, which we can't do. (Sure, you could encrypt this key, but you would then be dependent on the security of that algorithm) This is where the 'quantum' part of quantum cryptography comes in. The secret key is sent to the intended destination, with very low chance of eavesdropping. Clear your minds, it's probably not something you've thought of before, unless you've been working in quantum physics lately, in which case, send me an email :) [ I was just informed by TF that quantum cryptography is also mentioned in Bruce Schneier's "Applied Cryptography", which I'd recommend to anyone even remotely interested in cryptography, which means (in my mind) pretty much everyone. {kynik} ] Every photon of light has a polarity, which basically means the angle that its wave moves in. for example, one photon may have a vertical polarity, so it could roughly be depicted as such: | This photon has a certain up-and-down motion as it travels. Another photon may have a horizontal polarity, like so: - This photon moves back-and-forth as it moves. Other photons can have any angle conceivable in between, two more examples being 45 degree angles: / \ (Depicting this in text doesn't do it any justice) Most light is a jumbled combination of all different polarities, which I won't get into now. Polarized sunglasses, for example, will only allow light of a certain polarity (well, a small set of them, at least) to pass through the glass. Quantum crypto uses a very high-quality polarizing filter to send and receive messages, where each photon represents a single bit of the key being transmitted. So, the sender sends out a stream of data, like so: 1 0 1 0 1 1 1 0 The sender changes this data into polarized photons, like so: / | / | / / / | The receiver has similar filters on his side, which he randomly switches between: \ - \ \ - \ - - From New Scientist: A photon striking a filter oriented in the same direction will always pass through. Conversely, a photon striking a filter oriented perpendicularly will never pass through. But a photon hitting a filter that is diagonal to its own orientation is in a quantum quandary, with a 50:50 chance of passing through or being blocked. So if the sender sends a | photon, and the reveiver uses a - filter, there is no way the photon would get through. However, if the receiver uses a \ filter, he has a one in two chance of receiving the photon. So, the message the receiver gets might look something like this: Data sent: 1 0 1 0 1 1 1 0 Filters: / | / | / / / | Receiver: \ - \ \ - \ - - Result: N N N Y N N Y N Key: - - - 0 - - 1 - The first three photons did not pass through, since they were perpendicular, and would never pass through. The fourth did pass through. The fifth lost the probability game and was not passed through. The sixth and last were blocked for the same reason as the first three. The seventh passed through for the same reason as the fourth, which is because it won the coin toss and got passed. The receiver (after enough bits had been sent) would then tell the sender which bits he received, at which point the passed photons build the key. In this case, the receiver tells the sender that the fourth and the seventh bits were transmitted properly, but does not reveal the values. You're probably pretty confused right now. I know I was the first three or four times I read the New Scientist article. Something that may have occurred to you is eavesdropping. This system is designed to minimize the possibility of eavesdropping. Since there is only a 50 percent chance that an eavesdropper would use the same filter as the receiver, and even if the eavesdropper did, he would still only have a 50 percent chance of picking up a "properly aligned" photon. The probability that an eavesdropper would be able to pick any significant set of the photons that the receiver got is very very small. I neglected to mention the fact that even if the eavesdropper got every photon, that person could not be sure what the sender's polarity is, so would have a hard time propagating an identical message to the receiver. Whoah. Quite a mouthful. I'm sure I've missed something, but this issue is far too late and too long already. Go check out the New Scientist article, and for MTYPWTK (More Than You Probably Wanted To Know), check out some of the referenced research papers. I'm on a research paper kick lately, so I blew through one in a few hours. Feel free to email me with questions or things I should have made clearer. Kynik kynik@gh0st.net *********************************************************************** *** Securing Your Communications (A Guide to VPNs): Prof_UK *********************************************************************** Introduction ------------ A VPN (Virtual Private Network) is a secure connection between two or more networks or computers over an untrusted network (for example the Internet). A VPN can provide a much cheaper solution than a dedicated direct network connection (such as a T1/E1). There are many commercial solutions available for creating a VPN, many of which use protocols like Microsoft's PPTP (Point to Point Tunneling Protocol) and IPSec (others include L2PT and L2F). Firewall products like Raptor's EagleNT Borderware and CheckPoint's Firewall 1 allow easy creation of a secure tunnel over the internet (but sometimes using proprietary standards). Creating a VPN using internet standards, without paying for extra software, can be done within *nix. This can be done via a SSH tunnel or IPSec. PPTP is quickly becoming more available on different formats (Currently it is not as widespread on *nix as IPSec or SSH tunnels, but its advantage is ease of use on Windows based machines). Situation --------- Here we have two Linux firewalls, they each have two network adapters, one for the outside connection and one for the internal connection. ------------ ------------ Network A ---|Firewall A|--> The Internet <-- |Firewall B|--- Network B ------------ ------------ * I have called the routers Firewall A and B as a VPN would often be implemented through them as they provide a secure point on a network. If someone on Network A wanted to email information to Company B it leaves their secured network, goes across the internet and back into Company B's network. The message wasn't encrypted and if the mail contained sensitive information, like a username and password, it could have been compromised. So what is required is either a secure mail gateway, that encrypts all mail destined for Network B (and vice versa) or we could set up a VPN, where any traffic, whether it is Mail, Telnet or HTTP, is encrypted. ------------ ------------ Network A ---|Firewall A|--> The Internet <--|Firewall B|--- Network B -----------\ /----------- --> Encrypted A-B <-- Implementations --------------- SSH Tunnel ---------- A SSH tunnel is quite easy to set up and it is quite well documented in the Linux mini VPN HOW-TO: http://metalab.unc.edu/LDP/HOWTO/mini/VPN.html This is a SSH (http://www.ssh.fi/) tunnel across the internet that the two machines create and route traffic through. This method is cheap, requires a little networking knowledge and has been used by many Linux users around the world. It is also quite possible to have an individual's machine on a VPN and connected to the internet at the same time over a dial-up connection. I believe that this method doesn't require vast amounts of computing power which would allow multiple SSH tunnels to be created, but this is not as easy as some of the other methods, as each tunnel would require its own account on the machines. The SSH tunnel can be made very secure (it is the second most secure method mentioned here), with a RSA key (that can be up to 4096 bits), for user verification and an encryption standard of your choice for data transfers (IDEA, 3DES, Blowfish). SSH is widely available and even with my windows client (TeraTermPro + TeraTerm Secure Shell Extension) I have basic routing through the SSH connection. IPSec ----- IPSec is a secure version of IP, encrypting your data at OSI level 3 (the network level). Actually it is an IPSec packet encapsulated within IP. IPSec offers similar benefits of SSH tunneling (and more), except it is implemented at the Kernel level. The easiest and cheapest distribution (it's free) for Linux that I have found is FreeS/WAN. (http://www.xs4all.nl/~freeswan/). Microsoft has placed IPSec support in Windows 2000, OpenBSD also has IPSec support built in. It is easy and quite flexible. It is basically a Kernel patch and a few utilities, setup from within config files. One disadvantage is that you will need to know the address of the first router on your ISP/Network (this can normally be found with a traceroute). Setting up multiple connections is easy, with a config file for each. The documentation is quite good, although somestimes it is a little obscure. FreeS/WAN supports IP masquerading, Subnet Extrusion and Unencrypted tunnels. FreeS/WAN is not yet a fully ICSA-certified IPSec implemenation but it is interoperable with other available implementations. It supports IKE (Internet Key Exchange) through Pluto (a small daemon). IKE makes the creation and transportation of your keys secure and simple, allowing your keys to be changed automatically. It also allows rekeying during a connection, so if someone cracks your key, then they only get a small part of your traffic (although that could still prove to be devastating). This IPSec implementation supports MD5 (128bit) authentication and 3DES (168bit) encryption, with added support for SHA (160bit) authentication. PPTP ---- A Microsoft developed standard, it supports IP, IPX and NetBEUI. It comes as standard in Microsoft NT4 server and workstation, it is also available for Win95 and Win98 for free. The source code is available to "third party developers." Like the IPSec protocol it is encapsulated within IP packets, that is why it can carry IP, IPX and NetBEUI traffic. If you wish to have single users connected to a NT Server then this is the way to go, but how many people believe in the security in NT? Clients are available from Microsoft for Win9x, but anything else must come from a third party, there are clients available for Linux and more are being released, but many belive that PPTP has lost to IPSec. The standard uses Microsoft PAP and CHAP, within CHAP it supports, wait for it, MD4 hashing and DES for authentication. The data encryption is either RSA-RC4, (a full 40 bits, WOW Microsoft, real secure) or 128bit. Making it the least secure method listed here. I could only recommend this if you are un-comfortable with Linux or you already have a highly integrated NT system. [ actually, ms-pptp is slightly different from the pptp standard (ftp://ftp.ietf.org/rfc/rfc2637.txt). the pap and chap implementations in ms-pptp are also non-standard. pptp has been shredded by mudge and schneier (www.counterpane.com/pptp.html), and multiple vulnerabilities have been found by aleph one, among others. avoid. i mean it. {ajax} ] The Final Word -------------- IPSec and SSH tunnels are currently the only solutions that I would recommend. In the near future watch out for IPSec as a very popular standard, supported within hardware etc. (Hell even Microsoft are supporting it in their next version of NT). Within the project I am involved in (Gh0st.net) we will be using a mixture of these methods, depending on the situation (ie. The OS, availability of software etc.) I should also mention that by having a VPN you are increasing the risk of an "insider" attack, as you are basically giving all the users on the other network the same access as your users. You should keep in mind that even if you have an acceptable use policy in place, they might not. It is a good idea to set up some simple protective measures on your firewall to reduce the risk of such attacks. [ you are also still at the mercy of the intermediary routers between the firewalls to deliver the traffic intact and consistantly. the only real cure for that is a dedicated connection, which is exactly what VPNs are designed to replace. note also that VPNs are no substitute for encrypted channels at the protocol level; just because you're using IPSec doesn't mean you can go back to rsh. {ajax} ] Within the next 2 - 3 years we should see IPv6 come along. This has built in support for encryption, making things like IPSec obsolete. I am looking forward to IPv6, but it is believed that as a large part of the encryption key has been chosen/approved by the NSA to make it easy for them to crack it. An extra layer of security over the top provided by its users should be enough to keep the spooks at bay. If you are serious about your security you should look closly at these methods. You should be using SSH for any shell account, especially those that contain sensitive communications. prof_uk@gh0st.net Sources: Linux Mini VPN HowTo FreeS/WAN documentation. Microsoft PPTP documentation. Various others. A Gh0st.net text - Published with Authors permission ---------------------------------------------------- Gh0st.net - The Ultim8 Security Concept http://www.gh0st.net/ Send us your spare hardware !!! please... *********************************************************************** *** Future Issues *********************************************************************** Securing X : Ajax Creating Restricted ("Sandboxed") User Accounts : Fict Other articles : c_routine : echo8 *********************************************************************** *** Credits *********************************************************************** Editor: Kynik Co-editor: ajax Article Contributions: Phatal Prof_UK *********************************************************************** *** Subscription *********************************************************************** To subscribe to this 'zine: email kynik@gh0st.net or napalmzine@hotmail.com with a subject of SUBSCRIBE To unsubscribe: email kynik@gh0st.net or napalmzine@hotmail.com with a subject of UNSUBSCRIBE Submissions, questions, comments, and constructive chaos may also be directed to kynik@gh0st.net, napalmzine@hotmail.com or any of the contributors ***********************************************************************