Fixing logrotation problem with Ossec HIDS on CentOS 7

This is a short quick fix howto on how to get the logs for Ossec HIDS v2.8 on a CentOS Linux release 7.1.1503 (Core)
to rotate using the system default logrotate job. It should probably work just fine on RHEL, Fedora and Scientific Linux as well, but this has not been tested.

The symptoms of the problem are that when running logrotate (-d for debug):

# logrotate -d /etc/logrotate.conf

The following errors are seen in the output:

rotating pattern: /var/ossec/logs/active-responses.log weekly (4 rotations)
empty log files are not rotated, old logs are removed
considering log /var/ossec/logs/active-responses.log
error: skipping "/var/ossec/logs/active-responses.log" because parent directory has insecure permissions (It's world writable or writable by group which is not "root") Set "su" directive in config file to tell logrotate which user/group should be used for rotation.

rotating pattern: /var/ossec/logs/ossec.log weekly (4 rotations)
empty log files are not rotated, old logs are removed
considering log /var/ossec/logs/ossec.log
error: skipping "/var/ossec/logs/ossec.log" because parent directory has insecure permissions (It's world writable or writable by group which is not "root") Set "su" directive in config file to tell logrotate which user/group should be used for rotation.

Continue reading

Litteral Based IDS

I was sitting, drinking beer with a friend today, and this friend happens to be a Ph.D. student in the field of biometrics.
We were discussing real life application of biometrics for security, and the talk turned into somewhat unserious.

Anyways, while discussing if recording how a person types on the keyboard for continuous authentication,
I realized something and got this crazy idea of the application in “Litteral Based IDS systems”. A host-based application that record keystrokes and based on that issue alerts if predefined malicious commands (signatures) are typed.
Before you say anything about that it is not ethical, well I never said it was a great idea, I’m not even sure it is a good idea. It is purely a lab toy kind of idea, for now.

The idea is to create a sensor agent that records keystroke in real time, and if certain commands or series of commands are typed on the keyboard (or terminal)
an alert should be raised, and sent to an administrator.

And back to the ethics, I see a lot of privacy issues related to this. But it would still be an interesting thing to try out in a lab setting.

Problems starting VMware Workstation 10

When Crunchbang/Debian are updating their kernel I usually have some problems running
my virtual guest systems in VMware because of missing kernel modules. Long time ago this was annoying me
so much that I just switched to OpenBox that came packages with the distro for a while. Anyways, I found
my way back to VMware because it is quite better in many ways.

After kernel upgrade VMware just gives me the following error
when I try to start my virtual guests:

Could not open /dev/vmmon: No such file or directory.
Please make sure that the kernel module `vmmon' is loaded.

When clicked it is followed by:

Failed to initialize monitor device.

And finally the virtual guest just refuse to start giving the following error:

Unable to change virtual machine power state: Internal error

I found the simplest solution to this problem is simply running this command in
the console:

$ sudo vmware-modconfig --console --install-all

Paper: Timeline analysis of logs in Android OS

I have gotten my first paper published in cooperation with John-Andre Bjørkhaug, Robin Stenvi, and Made Ziius.
The paper is written as a part of the class IMT4012 Digital Forensics 1

In this paper we investigate into extracting logs from apps and Android system for correlation and graphically display them in the form of a timeline, while preserving the terms of forensic soundness and integrity. The paper is based on experiments done by the group members on di fferent type of devices and di fferent applications.

The papers is published in eForensics Magazine
The code can be found at github

Staying up to date (RSS feeds)

By being an information security student it is important to stay up to date on the real world, not just academia. Because of this I started six months ago to collect and index information and articles about security and technology. Even though the problems in security have not changed in 10 years, there is new versions of those problems every day. This is why I think it is important
to keep myself up to date each week. I must admin that I don’t have time to read all of the around 300 articles ticking in each day but I tend to get the essence browsing through the titles.
And of course that I can search for specific topics in the database at a later time if I need some real world examples.

Combined, I have collected articles from 242 different webpages and blogs where 235 is completely information security related. From these 242 feeds I have in this moment collected and indexed 14000+ articles.

I mentioned this to some of my fellow students and classmates and by their reaction I figured that this was something that people may be interested in that I share. I am sure that I am missing a lot of blogs and sites so please, if you have some good resource that you find missing, tell me about it either by email or leave a comment.

I’m planning to write a front-end application to my existing database but this will have to wait until I have time.


You can download the infosec.opml here. Saved with a .txt ending.
Change it back to .opml to import it in to your own RSS reader.

Dear facebook

Dear facebook,

I think it is time for you and me to take a break. It is not you, it is me, really.
I find the Snowden leaks somewhat disturbing but I understand that you must follow US law, which again need to protect our friends on the other side of the sea, but I’m foreign, I really don’t think your government care about my privacy.

Don’t call me a paranoid geek just yet.

Continue reading

Does social media make companies more vulnerable for targeted attacks?

Does social media make companies more vulnerable to spear phishing and targeted attacks??

The last couple of years the acronym APT, or Advanced Persistent Threat [1] has gained more focus in media and amongst security professionals.
We often read about companies that believe that they have been compromised for months or even years without knowing it, and how security companies are two steps behind this new form of advanced stealthy attacks, and how signature based detection is slowly getting “old tech” and useless as protection against this “new” threat.

Just before Christmas I read this blog post by Raidersec [1] about open source intelligence by using social media API’s and this got me thinking about:
Does social media make companies more vulnerable for targeted attacks?

Continue reading

Vulnerability in UPnP

HD Moore at Rapid7 recently posted a blog post today [1] with attached whitepaper [2] about security flaws in UPnP

UnPn is a protocol made to allow easy communication between computers and other network devices. It is often used in media servers, game consols, IP based cameras, Smart TVs, network attached storage and many more.
The protocol is supported and enabled by default on Microsoft Windows, MacOS X and some linux distributions.[2] The UPnP protocol suffers from many vulnerabilities: CVE. UPnP is often implemented without any authentication and according to Rapid7 and can be exploited by sending a single spoofable UDP package.

A Shodan [3] search shows that currently 63368 norwegian systems are answering to UPnP traffic from the internet. 27910 and the majority of these IP addresses belongs to the ISP NextGenTel AS.

There is already a been made a search tool for exploitable vulnerabilities in UPnP for the Metasploit framework [4] and I think we will see tools for exploiting CVE-2012-5958, CVE-2012-5959, CVE-2012-5960, CVE-2012-5961, CVE-2012-5962, CVE-2012-5963, CVE-2012-5964 and CVE-2012-5965 vulnerabilities quite fast. And there will probably be a long time before vendors will be able to patch their products and even longer time before the consumers will update so block UPnP traffic in you routers fast.

For more information, read Rapid7’s whitepaper [2]

[1] Security Flaws in Universal Plug and Play: Unplug, Don’t Play
[2] Whitepaper: Security Flaws in Universal Plug and Play: Unplug, Don’t Play.
[3] SHODAN – Computer Search Engine

Installing Minix 3 in Virtualbox

In the course IMT3501 Software Security at Gjøvik University College under the lab exercises in buffer overflow, there is a reference to play with MINIX 3, a small microkernel architecture operating system developed by Andrew S. Tanenbaum for educational purposes.
Some students had some problems installing it so; this is a short step by step tutorial of getting MINIX3 up and running in VirtualBox 4.x.
Continue reading