Tag Archive for Security

How To Install Graylog And Centralize Logs On Ubuntu in 15 minutes

Graylog2 is a powerful log management and analysis tool that has many use cases, from monitoring SSH logins and unusual activity to debugging applications. It is based on Elasticsearch, Java, MongoDB, and Scala.



This script downloads and installs all prerequisites for Graylog 2.x, including Java 8, MongoDB 2.x or 3.x, Elasticsearch 2.x and Graylog itself.

It works on 64-bit Ubuntu Precise (12.04) or Trusty (14.04), and you will have Graylog running in under 15 minutes.
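Once Graylog is up, the usual next step is to feed it the SSH logins mentioned above. The script below is an added example, not code from the original post or from the Graylog project: it parses a few constructed sshd lines from auth.log, wraps each one as a GELF 1.1 message (Graylog's native format), gzip-compresses it for a GELF UDP input, and counts failed logins per source IP, which is the same check you would later express as a Graylog search or alert. The Graylog address (127.0.0.1:12201) and the sample log lines are assumptions for illustration.

```python
"""Ship sshd auth events to Graylog as GELF and flag brute-force sources."""
import gzip
import json
import re
import socket
from collections import Counter

# Constructed sample auth.log lines for this example (not real logs).
SAMPLE_AUTH_LOG = """\
Jun  5 10:01:12 web01 sshd[2011]: Failed password for invalid user admin from 203.0.113.9 port 51022 ssh2
Jun  5 10:01:14 web01 sshd[2011]: Failed password for invalid user admin from 203.0.113.9 port 51023 ssh2
Jun  5 10:01:17 web01 sshd[2012]: Failed password for root from 203.0.113.9 port 51030 ssh2
Jun  5 10:02:03 web01 sshd[2020]: Accepted publickey for deploy from 198.51.100.7 port 40211 ssh2
"""

# Assumed address of a Graylog GELF UDP input; change to your server.
GRAYLOG_HOST = "127.0.0.1"
GRAYLOG_PORT = 12201
GELF_UDP_MAX = 8192  # larger payloads need GELF chunking, not implemented here

SSHD_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) (?P<host>\S+) sshd\[(?P<pid>\d+)\]: "
    r"(?P<result>Failed password|Accepted \w+) for (?:invalid user )?(?P<user>\S+) "
    r"from (?P<src>[\d.]+) port (?P<port>\d+)"
)


def parse_sshd_line(line):
    """Return a dict of fields for an sshd login line, or None if it is not one."""
    m = SSHD_RE.match(line)
    if not m:
        return None
    event = m.groupdict()
    event["failed"] = event["result"].startswith("Failed")
    event["raw"] = line
    return event


def to_gelf(event):
    """Build a GELF 1.1 message. Custom fields must start with '_' and hold
    strings or numbers; Graylog stamps the arrival time when 'timestamp' is omitted."""
    return {
        "version": "1.1",
        "host": event["host"],
        "short_message": f"sshd {event['result']} for {event['user']} from {event['src']}",
        "full_message": event["raw"],
        "level": 4 if event["failed"] else 6,  # syslog severity: warning / informational
        "_src_ip": event["src"],
        "_user": event["user"],
        "_sshd_pid": int(event["pid"]),
        "_auth_failed": 1 if event["failed"] else 0,
    }


def encode_gelf(message):
    """Serialize and gzip the message; the GELF UDP input recognises gzip by its magic bytes."""
    payload = gzip.compress(json.dumps(message).encode("utf-8"))
    if len(payload) > GELF_UDP_MAX:
        raise ValueError("payload exceeds one UDP datagram; use GELF chunking")
    return payload


def decode_gelf(payload):
    """Inverse of encode_gelf, handy for checking what Graylog will receive."""
    return json.loads(gzip.decompress(payload).decode("utf-8"))


def send_gelf_udp(payload, host=GRAYLOG_HOST, port=GRAYLOG_PORT):
    """Fire-and-forget UDP send of one encoded GELF message."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.sendto(payload, (host, port))


def failed_login_sources(events, threshold=3):
    """Map source IP -> failed-login count for sources at or above the threshold."""
    counts = Counter(e["src"] for e in events if e["failed"])
    return {ip: n for ip, n in counts.items() if n >= threshold}


if __name__ == "__main__":
    events = [e for e in map(parse_sshd_line, SAMPLE_AUTH_LOG.splitlines()) if e]
    for event in events:
        send_gelf_udp(encode_gelf(to_gelf(event)))
    print("suspicious sources:", failed_login_sources(events))
```

In production you would read auth.log incrementally (or let rsyslog forward it) rather than a string constant, and put the per-source threshold in a Graylog alert so it runs against every host centrally instead of on each box.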


10 Steps to Securing SCADA Networks




Supervisory control and data acquisition (SCADA) systems are computer-controlled systems that monitor and control industrial processes in the physical world. These computers run applications that perform key functions in providing essential services and commodities such as electricity, natural gas, gasoline, water, waste treatment and transportation, making them a critical part of a nation's infrastructure.

These systems were designed for functionality, focusing on performance, reliability, flexibility and safety, without making security a priority. Because it is not uncommon for these systems to have a 20-year life cycle, it will be years before more secure systems are in widespread use.

This leaves SCADA systems potentially vulnerable to disruption of service, process redirection, or manipulation of data, any of which could cause serious disruption to organizations and nations alike.

To address this, organizations must implement security controls and establish the management processes needed to sustain them.

Here are 10 steps to mitigate the risk and keep these systems secure.

  1. Risk assessment

    Conduct a thorough risk assessment: identify the systems and evaluate their properties and characteristics, discover the threats and vulnerabilities that pose risk to them, and finally treat those risks by mitigating, transferring, avoiding or accepting them.

  2. Implement security features provided by vendors

    Most older SCADA systems, which are also the most widely deployed, have no security features at all. Some newer SCADA devices come with basic security features, but they usually ship disabled to make installation easy. Security features must be enabled at their maximum level and only relaxed after a rigorous risk assessment of the consequences of doing so.

  3. Do not rely on proprietary protocols

    SCADA systems sometimes use unique, proprietary protocols to communicate with servers, and often the obscurity of that protocol is the only security protecting the network. Security through obscurity is not a sound risk mitigation strategy: protocol specifications leak, and traffic can be captured and reverse engineered.

  4. Evaluate and strengthen security

    Penetration testing must be performed regularly to find vulnerabilities and fix them before an attacker does. Having a second set of eyes check critical systems is good security practice. Penetration testing not only identifies vulnerabilities; it also verifies that secure configurations are actually in place after installation.

  5. Implement internal and external intrusion detection systems and establish 24/7 monitoring

    To respond effectively to cyber attacks, establish an intrusion detection strategy that alerts network administrators to malicious network activity. Incident response procedures must be in place so that any attack can be handled effectively. In addition to network monitoring, logging must be enabled on all systems and the logs retained and reviewed.

  6. Conduct physical security surveys

    Any network connection to a SCADA system is a target, especially at unguarded remote sites. Conduct regular physical surveys and inventory the access points at each facility that has a connection to a SCADA system. Identify and assess remote telephone, computer network and fiber optic cables that could be tapped; radio and microwave links that could be exploited; computer terminals that can be accessed; and wireless local area network access points.

  7. Define cyber security roles, responsibilities, and authorities for managers, sys admins and users.

    It is very important for the organization to understand the expectations associated with protecting information technology resources through the definition of clear roles and responsibilities. Personnel need sufficient authority to carry out their assigned responsibilities, and an organizational structure must be in place defining how security issues are escalated and who is notified in an emergency.

  8. Document network architecture

    It is imperative that the organization design their networks with security in mind and continue to have a strong understanding of their network architecture throughout its lifecycle. An in depth understanding of the functions that the systems perform and the sensitivity of the stored information is critical. Without this understanding, risk cannot be properly assessed. Additionally it is very important to document the information security architecture and its components, while establishing controls to keep the documentation current.

  9. Establish a rigorous, ongoing risk management process

    A robust risk management process is needed to provide the organization with feedback on the effectiveness of the cyber security policy and its implementation. A mature organization is one that can self identify issues, conduct root cause analyses, and implement corrective actions to address the individual and systemic problems. Self-assessment processes are a normal part of an effective security program and include routine scanning for vulnerabilities, automated auditing of networks and self-assessment of performance or Key Performance Indicators (KPI).

  10. Establish effective configuration management processes

    Configuration management is a fundamental management process needed to maintain a secure network. It needs to cover both hardware and software configurations. Changes can easily introduce vulnerabilities that undermine network security, so processes are required to evaluate and control every change and ensure the network remains secure.

What is XKeyscore?

A couple of weeks ago The Guardian released new information about a program called XKeyscore that the NSA operates, which gives the government the capability to search emails, social media and browsing history, amongst other data.

The presentation reveals fascinating insight into the program, its reach and capabilities.

Data is collected around the world at approximately 150 sites, which seem to be clustered around Central America, Europe and the Middle East. The system is pitched as unique because of its general capability, allowing the operator to go "shallow" or "deep" when performing queries.

"Shallow" query operations enable analysis of large data sets, or real-time monitoring of activity ("tipping") when the data rate is too high for deeper analysis.

Because much of the time spent on the web is anonymous in some sense, XKeyscore has the capability to detect anomalies in the traffic that lead to intelligence and thus trigger traditional tasking.

On how to query the system, the slides show the power lies in being able to look for anomalous events, giving specific examples such as:

  1. Someone whose language is out of place to the particular geographic region they are at.
  2. Someone using encryption which would signal they have something to hide.
  3. Someone searching the web for suspicious information.
  4. Show all encrypted word documents from Iran.
  5. Show all encryption usage in Iran.

XKeyscore stores extracts and authoring information on documents, giving it the capability to trace where a document originated.

Data volumes are so high that, according to the presentation, collected data never leaves the sites; it is deleted after a finite time, after being run through extraction plugins that index and store metadata.

Traditionally, collection of information is triggered by a strong-selector event when the target is known, but the system is capable of working back from an anomalous event to a strong selector, as well as tying in with other existing systems to allow collection after the event.

Examples of utilizing this approach to analyze data are also outlined:

  1. Finding a target that speaks German in Pakistan.
  2. Someone who has utilized Google maps to scope target locations.
  3. Who wrote a document and where that has been passed around through numerous people.
  4. Find all excel spreadsheets coming out of Iraq and map IP addresses. (Note: this particular point mentions MAC address which is incorrect.)

Another NSA entity comes to light, TAO (Tailored Access Operations), which provides XKeyscore with the capability to report on all exploitable machines in a particular country.

As new web services come online, the system scans the collected metadata for usernames, which are likely reused from service to service, revealing new applications the agency had no idea about.

Future enhancement efforts centered around higher speeds, better presentation, VoIP, and adding metadata from Google Earth and EXIF tags. Keeping in mind this presentation is dated 2008, the future is here.

VoIP traffic can be collected and reconstructed; EXIF metadata is particularly interesting. From this metadata you could query for photos taken by a particular camera in a particular geographic region on a particular date. Cross-referencing exposure and time of day could let you determine whether the photo was taken indoors or outdoors.

LinkedIn Compromise of Passwords is Real

Multiple sources in the security field have reported today that LinkedIn was hacked and the list of password hashes posted on a forum. I can also add myself to @ErrataRob's findings, confirming that my password was on that list.

At this time files posted on the forum have been taken down and LinkedIn has now confirmed that “some” of the user passwords are real.

Here is a small excerpt from the dump:


These passwords are hashed using a cryptographic hash function called SHA-1. A hash function is a one-way mathematical function that takes an arbitrary block of data and returns a fixed-size bit string (160 bits for SHA-1, written as 40 hex characters).

To recover a password from its SHA-1 hash, attackers use precomputed lookup tables (or their space-efficient cousins, rainbow tables): the hashes of huge numbers of candidate passwords are calculated once in advance, so that a leaked hash can be reversed with a single lookup instead of a fresh brute-force search. Such tables are widely available on the Internet, including at http://www.onlinehashcrack.com/

If your password is simple, it is pretty likely that its hash is already in one of these tables.

So I calculated my SHA-1 hash by using the following command on my laptop.

echo -n 'mypassword' | openssl sha1

This command calculates the one-way SHA-1 hash for my password (the -n is needed so the trailing newline is not hashed along with it).

I then stripped the first 6 characters from the hash and looked it up in the combo_not.txt file that contained the compromised list of passwords.

A post on Hacker News (YCombinator) explains what the initial "0"s in the hashes mean and why I deleted the first 6 characters.

So the LinkedIn hack is real and you need to change your password NOW. If you happen to use that password for other websites, change those too and do not use that password again.

How LinkedIn could have prevented this:

Not only did the access controls LinkedIn had in place prove insufficient, but they apparently had no detective controls to alert them that the breach had occurred, judging by their public responses and the silly statements that no evidence of a breach had been found.

Furthermore, LinkedIn could have made the leaked hashes far less useful by salting them: storing a random per-user salt alongside each hash defeats precomputed tables, because the attacker must redo the work for every user. A deliberately slow, salted password hash such as bcrypt would have gone further and made even per-user brute force expensive. Salted hashing is standard practice for web applications, which typically store passwords as hashes in the database.
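To make the point concrete, here is an added example (mine, not the post's and not anything taken from the actual dump): it builds a small lookup table of unsalted SHA-1 hashes, reverses a constructed pretend dump whose entries have their leading hex characters zeroed the way the post describes (the count of 6 is taken from the post), and then shows the same table failing against salted, iterated hashes (PBKDF2-HMAC-SHA1 here, as a stand-in for any salted scheme), where the attacker is forced back to per-user brute force. The wordlist and plaintexts are constructed for the example.

```python
"""Lookup-table attack on unsalted SHA-1 hashes, and why salting defeats it."""
import hashlib
import os

# Number of leading hex characters the post says it ignored when matching
# against the leaked file (assumption taken from the post above).
MASKED_PREFIX = 6

# Constructed data: a tiny attacker wordlist and the plaintexts behind a
# pretend dump. None of this comes from the real LinkedIn file.
WORDLIST = ["123456", "password", "linkedin", "qwerty", "letmein"]
DUMP_PLAINTEXTS = ["password", "linkedin", "123456", "correct horse battery staple"]


def sha1_hex(password):
    """Unsalted SHA-1, as LinkedIn stored it (same as echo -n ... | openssl sha1)."""
    return hashlib.sha1(password.encode("utf-8")).hexdigest()


def mask_prefix(hexdigest, n=MASKED_PREFIX):
    """Zero the first n hex characters, mimicking the dump's '0000..' entries."""
    return "0" * n + hexdigest[n:]


SAMPLE_DUMP = [mask_prefix(sha1_hex(p)) for p in DUMP_PLAINTEXTS]


def build_lookup_table(wordlist):
    """Precompute hash -> plaintext once; keyed on the tail so masked entries still match."""
    return {sha1_hex(word)[MASKED_PREFIX:]: word for word in wordlist}


def crack_unsalted(dump, table):
    """Reverse every dump entry found in the table, one dict lookup each."""
    return {h: table[h[MASKED_PREFIX:]] for h in dump if h[MASKED_PREFIX:] in table}


def salted_hash(password, salt, iterations=10_000):
    """Per-user random salt plus an iterated hash (PBKDF2-HMAC-SHA1 as the stand-in)."""
    return hashlib.pbkdf2_hmac("sha1", password.encode("utf-8"), salt, iterations).hex()


def make_salted_dump(plaintexts):
    """Store (salt, hash) per user, the way a salted scheme would."""
    records = []
    for p in plaintexts:
        salt = os.urandom(16)
        records.append((salt, salted_hash(p, salt)))
    return records


def crack_salted_with_table(records, table):
    """The precomputed table is useless here: salted outputs never match plain SHA-1."""
    return crack_unsalted([stored for _, stored in records], table)


def crack_salted_by_brute_force(records, wordlist):
    """Only option left: re-hash the whole wordlist for every salt, so the cost
    scales with users x wordlist x iterations instead of one lookup per hash."""
    recovered = {}
    for salt, stored in records:
        for word in wordlist:
            if salted_hash(word, salt) == stored:
                recovered[stored] = word
                break
    return recovered


if __name__ == "__main__":
    table = build_lookup_table(WORDLIST)
    print("unsalted, via table:", crack_unsalted(SAMPLE_DUMP, table))
    records = make_salted_dump(DUMP_PLAINTEXTS)
    print("salted, via table:", crack_salted_with_table(records, table))
    print("salted, brute force:", len(crack_salted_by_brute_force(records, WORDLIST)), "recovered")
```

Note what salting does and does not buy: the weak passwords are still recovered by brute force, only now at a cost that grows with the number of users and the iteration count, and the passphrase that was never in the wordlist stays safe in every case. That is exactly why a slow salted hash and a strong unique password belong together.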

It would help LinkedIn’s reputation to be as forthcoming as they can with what they know as they know it.

UPDATE: Link to mirror forum here.