http://directwebremoting.org/blog/joe/2008/12/04/xss_filtering.html
Wednesday, December 17, 2008
Tuesday, December 16, 2008
Fun with tshark (wireshark) command line
Submitted by daryl on Mon, 11/24/2008 - 23:33
* sniffer
* tshark
* visualization
* wireshark
Get csv output of source and destination IP addresses from a pcap (wireshark or tcpdump) capture file.
tshark -r file.pcap -T fields -E separator=, -e ip.src -e ip.dst
Creates a file similar to:
192.168.1.105,192.168.1.120
192.168.1.105,192.168.1.120
192.168.1.120,192.168.1.105
192.168.1.120,192.168.1.105
72.14.247.83,192.168.1.105
192.168.1.105,72.14.247.83
72.14.247.19,192.168.1.105
192.168.1.105,72.14.247.19
192.168.1.105,74.53.76.3
74.53.76.3,192.168.1.105
192.168.1.105,72.14.247.83
72.14.247.83,192.168.1.105
Then if you have afterglow installed you can create a visualization of the source and destination information by doing the following:
(from the $HOME/afterglow/src/perl/graph directory)
tshark -r file.pcap -T fields -E separator=, -e ip.src -e ip.dst | perl afterglow.pl -c color.properties > file.dot
This writes the data to file.dot, a description of a directed graph that neato can draw.
Now using neato create a gif file to display a visualization of the data.
neato -Tgif -o test.gif ./file.dot
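As an added example (not part of the original post), the two-column output can be collapsed into one weighted edge per direction before it is graphed. The function names and sample lines are constructed for illustration; the filter also drops the rows tshark emits for non-IP frames and for packets carrying more than one IP header, which otherwise break the src,dst layout.

```shell
#!/bin/sh
# Added example, not from the original post. Function names are hypothetical.

# sample_pairs: constructed stand-in for the output of
#   tshark -r file.pcap -T fields -E separator=, -e ip.src -e ip.dst
sample_pairs() {
    cat <<'EOF'
192.168.1.105,192.168.1.120
192.168.1.105,192.168.1.120
192.168.1.120,192.168.1.105
,
72.14.247.83,192.168.1.105
192.168.1.105,72.14.247.83
192.168.1.1,192.168.1.105,192.168.1.105,72.14.247.83
192.168.1.105,192.168.1.120
EOF
}

# edge_counts: read src,dst lines on stdin and print "count,src,dst",
# highest count first. Malformed rows are counted and reported on stderr.
edge_counts() {
    awk -F, '
        # Accept only rows with exactly two non-empty fields.
        #  - A bare "," is a frame with no IP layer (ARP, STP, ...).
        #  - Four fields appear when a packet has two IP headers (for
        #    example an ICMP error quoting the original packet), because
        #    tshark joins multiple occurrences with "," by default.
        #    Running tshark with -E occurrence=f avoids that at the source.
        NF == 2 && $1 != "" && $2 != "" { n[$1 "," $2]++; next }
        { skipped++ }
        END {
            for (k in n) print n[k] "," k
            if (skipped)
                printf "skipped %d malformed line(s)\n", skipped > "/dev/stderr"
        }
    ' | LC_ALL=C sort -t, -k1,1nr -k2,2 -k3,3
}

# edges_to_dot: turn "count,src,dst" into a DOT digraph that neato can
# render, labelling each edge with its packet count.
edges_to_dot() {
    awk -F, '
        BEGIN { print "digraph flows {" }
        { printf "  \"%s\" -> \"%s\" [label=\"%d\"];\n", $2, $3, $1 }
        END { print "}" }
    '
}

# Demo on the constructed sample; with a real capture, pipe tshark instead:
#   tshark -r file.pcap -T fields -E separator=, -e ip.src -e ip.dst \
#       | edge_counts | edges_to_dot > file.dot
sample_pairs | edge_counts | edges_to_dot
```

The resulting file can be passed to the same neato command shown above.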
1. Good end point security assumes the network is hostile.
2. Good network security assumes the end point is hostile.
3. Good data security assumes the user is hostile.
Thursday, December 11, 2008
http://csrc.nist.gov/publications/nistpubs/800-40-Ver2/SP800-40v2.pdf
Wednesday, December 10, 2008
Sunday, December 7, 2008
http://support.microsoft.com/kb/953252
Saturday, December 6, 2008
Friday, December 5, 2008
Wednesday, December 3, 2008
http://www.passlogix.com/products/v-GO_sharedaccountsmanager/benefits/
http://www.zeltser.com/network-os-security/security-incident-survey-cheat-sheet.html
http://www.darkreading.com/blog/archives/2008/12/cheat_sheets_fo.html
http://www.zeltser.com/network-os-security/security-incident-questionnaire-cheat-sheet.html
http://www.networkworld.com/news/2008/120208-unisys-stealth-encryption.html?fsrc=rss-security
Friday, November 28, 2008
Thursday, November 20, 2008
http://www.darkreading.com/security/app-security/showArticle.jhtml?articleID=212100421
Tuesday, November 18, 2008
http://www.netwitness.com//solutions/incidentresponse.aspx
http://devcentral.f5.com/weblogs/macvittie/archive/2008/11/07/virtualization-how-to-isolate-application-traffic.aspx
http://startupsecurity.info/blog/2008/11/06/typical-injection-points-in-a-web-application/
http://pauldotcom.com/2008/11/discovering-rogue-access-point.html
Monday, October 20, 2008
http://www.informationweek.com/shared/printableArticle.jhtml?articleID=210605169
Notes from SANS Penetration Testing with Confidence Webcast
SANS Webcast
https://www.sans.org/webcasts/show.php?webcastid=91101
Penetration Testing with Confidence: 10 Keys to Success
Lenny Zeltser
-(slide 3) sometimes the role of the attacker is tricky for a defender
-(slide 5) Asking the right questions about the pentest is essential to success.
**Less about a step by step and more about asking the right questions to get the right pen test for the customer
Question #1
-Is a pen test the type of assessment that is needed?
**Do you need to demonstrate the vulnerability, do you need to exploit it or is finding the vulnerability enough?
*Types of Assessments
-Vulnerability Assessment
-Security Policy Assessment
-Penetration Test
Question #2
-What is the scope?
*if it's a pen test, is the customer actually ready to have their network or application exploited?
*possibility of system crashes and failures due to failed exploitation attempts
*pen tests are good for shock value, prove that someone can get in and access information
*Scope Questions
-Targets=which specific systems or networks?
-Depth=how far into the network can we go? need to work that out before you start.
-Exclusions=self explanatory
**excluded systems are usually the most jacked up :-)
Question #3
-What tests should be performed?
*Commonly excluded tests ;-(
**mostly because they are so effective
-Denial of Service
-Physical Security
-Social Engineering
*but if it's allowed, try to test specific cases that would be violations of policy or training: will people click on links in emails even though the user training says not to?
-War Dialing
-Client-side Attacks
Question #4
-Are non-commercial tools allowed?
**Canvas, Core Impact, MSF, standalone exploits, BT are not necessarily "vetted" and you may need to get permission to use them
Question #5
-What is the attacker's profile?
*Professional versus amateur
-Target a network for information and money
-Non-targeted attack, attack of opportunity
*knowing what type of attacker will drive the types of tests you do
Question #6
-Is it a White Box or Black Box test?
-White=full knowledge
-Black=no knowledge minus left & right limits
*the type of test drives the path of least resistance and the attack trees
-Try to strategize beforehand, check out slides 19-22, consider making attack trees
Question #7
-What are the time constraints?
-Duration of the test
-Timing restrictions
Question #8
-How to handle issues that may arise during the test?
-Target system crashed
-Sensitive data found
-You're not the first person on the box...eeeeek
*have a contact form for issues that come up
Question #9
-What do you do with the results?
Question #10
-Do I have explicit permission to perform the pen test?
-Written permission...CYA
Tuesday, September 30, 2008
Saturday, September 20, 2008
http://www.networkworld.com/news/2008/091808-watchguard-shows-new-xtm.html?fsrc=rss-security
Wednesday, September 17, 2008
http://community.citrix.com/blogs/citrite/martinm/2008/03/28/XenDesktop+and+Active+Directory
Sunday, September 14, 2008
http://searchsecurity.techtarget.com/expert/KnowledgebaseAnswer/0,289625,sid14_gci1329179,00.html
Saturday, September 13, 2008
Thursday, August 7, 2008
http://www.gnucitizen.org/blog/more-on-gifars-and-other-dangerous-attacks/
Wednesday, August 6, 2008
http://www.gnucitizen.org/blog/more-on-gifars-and-other-dangerous-attacks/
http://searchnetworkingchannel.techtarget.com/tip/0,289483,sid100_gci1322916,00.html
Cisco routers again take hacker spotlight
http://www.networkworld.com/cgi-bin/mailto/x.cgi?pagetosend=/export/home/httpd/htdocs/news/2008/080508-cisco-routers-again-take-hacker.html&pagename=/news/2008/080508-cisco-routers-again-take-hacker.html&pageurl=http://www.networkworld.com/news/2008/080508-cisco-routers-again-take-hacker.html&site=security
http://www.networkworld.com/cgi-bin/mailto/x.cgi?pagetosend=/export/home/httpd/htdocs/news/tech/2008/080508-tech-update.html&pagename=/news/tech/2008/080508-tech-update.html&pageurl=http://www.networkworld.com/news/tech/2008/080508-tech-update.html&site=security
http://www.windowsecurity.com/articles/Controlling-Group-Policy-Security-Settings-Refresh-Application.html?printversion
http://www.theregister.co.uk/2008/08/05/microsoft_vulnerability_disclosure/print.html
http://www.theregister.co.uk/2008/08/06/epassport_alteration_demo/print.html
Microsoft Revamps Patch Tuesday Warning Process
Software giant will share vulnerability data early with third parties, create 'Exploitability Index' for newly found flaws
AUGUST 5, 2008 | 11:30 AM
By Tim Wilson
Site Editor, Dark Reading
LAS VEGAS -- Black Hat USA 2008 -- As hackers and researchers get ready to unveil their latest vulnerability findings here, Microsoft today announced that it is improving its methods for sharing and categorizing the vulns that affect Windows and its other applications.
"The introduction of these new programs helps address evolving online threats and provides more practical guidance to assess and manage risk," said Andrew Cushman, director of security response and outreach at Microsoft. "In the race between exploit and protection, Microsoft is committed to shifting the advantage to the security industry."
Microsoft launched the Microsoft Active Protections Program (MAPP), which gives security software providers "advance information" about the vulnerabilities addressed by Microsoft security updates. By sharing its vulnerability findings with third-party security vendors earlier, the software giant hopes to speed the development and delivery of patches and updates that address those flaws.
Microsoft also introduced its "Exploitability Index," which is designed to help users handicap the likelihood that a newly announced vulnerability will immediately result in active exploits by hackers. The Exploitability Index will be included as part of Microsoft’s monthly Patch Tuesday security bulletin releases, beginning in October.
The Exploitability Index might help users decide how swiftly they need to issue the patches that Microsoft issues each month. Currently, the software giant rates vulnerabilities on a scale of "critical," "serious," and so forth. The new index will rate vulnerabilities as "consistent exploit code likely," "inconsistent exploit code likely," or "functional exploit code unlikely."
"This additional information helps customers better assess their unique risks and better prioritize deployment of the monthly security update," Microsoft said.
"The [current] MSRC Bulletin Severity Rating system assumes that exploitation will be successful," a Microsoft spokesperson explained. "For some vulnerabilities where exploitability is high, this assumption is very likely to be true for a broad set of attackers. For other vulnerabilities where exploitability is low, this assumption may only be true by a dedicated attacker putting a lot of resources into ensuring their attack is successful.
"Microsoft will never recommend customers not to deploy an update, regardless of the Bulletin Severity rating or Exploitability Index," the spokesperson continued. "However, this information can assist sophisticated customers prioritize their approach to each month’s release."
The MAPP program will enable security software providers to be briefed on Microsoft's vulnerability findings before they are made public, speeding the development of patches and updates, the company said. However, the company isn't allowing researchers into the program. In order to join, a member must "offer commercial protection features to Microsoft customers" to a large number of customers. Members may not sell attack-oriented tools, the company said.
Microsoft will be blogging and offering its own views on the Black Hat conference this week through a new offering called the Microsoft Black Hat pressroom.
Monday, July 21, 2008
Tuesday, July 15, 2008
http://www.sfgate.com/cgi-bin/article.cgi?f=/c/a/2008/07/14/BAOS11P1M5.DTL
Tuesday, July 1, 2008
Sunday, June 29, 2008
freeware software to create iso from folder structure. useful for mounting folders in vmware, creating dvd of files for iso burner to burn
http://www.trustfm.net/divx/SoftwareFolder2Iso.php?b2=1
Friday, June 27, 2008
Tuesday, June 24, 2008
Tuesday, June 17, 2008
Set objPPT = CreateObject("PowerPoint.Application")
objPPT.Visible = True
Set objPresentation = objPPT.Presentations.Open("C:\Scripts\Test.ppt")
Set colSlides = objPresentation.Slides
For Each objSlide in colSlides
    objSlide.NotesPage.Shapes(2).TextFrame.TextRange = ""
Next
So how does this chunk of code actually work? Well, to begin with, we create an instance of the PowerPoint.Application object and then set the Visible property to True; that gives us a running instance of PowerPoint that we can see on screen. The moment we have our instance of PowerPoint in hand we use the Open method to open the presentation C:\Scripts\Test.ppt, then use this line of code to retrieve a collection of all the slides in that presentation:
Set colSlides = objPresentation.Slides
And then we stop to catch our breath for a moment. Whew!
Fortunately it’s all downhill from here. To begin with, we set up a For Each loop to loop through each slide in the collection. For each of those slides all we do is execute the following line of code:
objSlide.NotesPage.Shapes(2).TextFrame.TextRange = ""
And you’re right: that is a crazy-looking line of code, isn’t it? Why is it so crazy-looking? Well, as it turns out, each slide has a NotesPage object that contains the speaker notes; the second shape on the NotesPage is a TextFrame object where the notes actually reside. To delete the notes for a given slide we simply need to set the value of the TextFrame’s TextRange property to an empty string.
Wow; now we really need to stop to catch our breath.
Fortunately, though, we’re pretty much done here; all we have to do now is – wait a minute: are you sure you’re one of the first 935 people to read this column? Well, OK; we have to take your word for it. Anyway, all we have to do now is go back to the top of the loop and repeat the process with the next slide in the presentation. And then we go back and do it all over a third time, and then a fourth time, continuing along these same lines until we’ve removed the notes from each and every slide in the presentation.
Now, what if you wanted to do this for all the .PPT files in a folder? Well, that’s easy; all you have to do is run this script:
Set objPPT = CreateObject("PowerPoint.Application")
objPPT.Visible = True
strComputer = "."
Set objWMIService = GetObject("winmgmts:\\" & strComputer & "\root\cimv2")
Set FileList = objWMIService.ExecQuery _
    ("ASSOCIATORS OF {Win32_Directory.Name='C:\Scripts'} Where " _
        & "ResultClass = CIM_DataFile")
For Each objFile In FileList
    If objFile.Extension = "ppt" Then
        Set objPresentation = objPPT.Presentations.Open(objFile.Name)
        Set colSlides = objPresentation.Slides
        For Each objSlide in colSlides
            objSlide.NotesPage.Shapes(2).TextFrame.TextRange = ""
        Next
        objPresentation.Save
        objPresentation.Close
    End If
Next
objPPT.Quit
And because someone is bound to ask, what if you did need a script that could echo back the speaker notes for an entire presentation? No problem. The following script opens the file Test.ppt and retrieves a collection consisting of all the slides in that presentation. For each slide the script echoes back the slide title (objSlide.Shapes(1).TextFrame.TextRange) and the speaker notes:
Set objPPT = CreateObject("PowerPoint.Application")
objPPT.Visible = True
Set objPresentation = objPPT.Presentations.Open("C:\Scripts\Test.ppt")
Set colSlides = objPresentation.Slides
For Each objSlide in colSlides
    Wscript.Echo objSlide.Shapes(1).TextFrame.TextRange
    Wscript.Echo objSlide.NotesPage.Shapes(2).TextFrame.TextRange
    Wscript.Echo
Next
That should do it, TW; we hope you find this script useful, and we hope you enjoyed the 935th Hey, Scripting Guy! column. We should level with you, however: believe it or not, there really isn’t any significance to the number 935. (Although 935 was the year when Haakon the Good, son of Harald Fairhair, reunited the Norwegian lands.) The truth is, we decided to celebrate column 935 for one reason and one reason only: when you’re a Scripting Guy, you never know when a given column might be your last. See you all tomorrow!
The RDP has three tables...
Table 1 shows how depths and times interact to yield a certain nitrogen load. Depths are in meters and times are in minutes; nitrogen levels are expressed with letter designations A-Z. A is little. Z is a lot. We call these letter designations pressure groups, abbreviated "pg".
Table 2 shows time intervals spent on the surface following a dive. When you surface after a dive your body begins losing the nitrogen built up during the dive. This table lets you know how much. The period of time spent on the surface in between dives is called the surface interval, abbreviated "si".
Table 3 is on the flip side of the RDP. (It is not labeled "Table 3" but that's what we'll call it from now on.) Use it to plan repetitive dives. If you do only one dive in a day, you won't need this table.
We've worked out some sample dive profiles to give you practice using the RDP. Read the instruction manual that came with your RDP and then work through these problems. If you get stuck, review the instruction manual and read the step-by-step solution we've given you after each example.
Get into the habit of using a dive planning profile for every dive. It looks like this.
diveprofile.jpg
Example 1
Finding a No-decompression Limit
What is the no-decompression limit for a dive to 14 meters?
To find this answer use Table 1. Note that depths in meters are given in the top row of the table. Find 14 meters. Follow down the column under 14 meters until you come to the last box. It is highlighted in black. It says 98 minutes. This is the no-decompression limit in minutes for a dive to 14 meters. (The no-decompression limit for each depth is in the last box in the column for that depth and is highlighted in black.)
Example 2
Finding the Pressure Group After a Single Dive
You dive to 14 meters and stay down for 32 minutes. What is your pressure group at the end of the dive?
Draw the diagram filling in all the information you have.
diveprofile2a.jpg
Next, find the depth in the top row of table 1. Follow down in the column under 14 meters until you find 32 minutes. Now, follow the row with 32 minutes to the left until you find a letter, in this case, the letter "H." The table is telling you that after a dive to 14 meters for 32 minutes, you are in pressure group "H." Write the "H" in your dive profile diagram.
diveprofile2B.jpg
ALWAYS Round Up!
(Pop Quiz: When using the tables, if the exact depth or time you're working with is not on the table, should you round UP or DOWN?)
Do this next profile. It demonstrates how to calculate a dive when the exact depth and/or time you're using is not on the table.
diveprofile2c.jpg
Find the dive depth in table 1. Fifteen meters is not on the table so round up to the next greatest depth, in this case 16 meters. (ALWAYS round up. It makes your dive planning more conservative and therefore safer.) Follow down the 16 meter column to find 33 minutes. It's not on the table either. Again, ROUND UP, in this case, to 35 minutes. To find your ending pressure group, follow the 35-minute row to the right until you meet the letter "K." "K" is your ending pressure group after a dive to 15 meters for 33 minutes.
Example 3
Finding the Pressure Group After a Surface Interval
In Problem 2 you ended a dive in pressure group K. What will the new pressure group be after you stay on the surface for 28 minutes?
diveprofile3a.jpg
To find this answer starting from the pressure group designation K on the table, continue following in that row until you find 28 minutes (:28). In this case you'd choose the box with :23 to :29 minutes since 28 minutes is between the two. From that box, follow the column straight down to the bottom to the letter G. G is the new pressure group after a 28-minute surface interval.
diveprofile3b.jpg
Example 4
Finding the Maximum Allowable Bottom Time for a Repetitive Dive
diveprofile4a.jpg
In problem 3 you ended in pressure group G after your first dive and a surface interval. Now you want to make another dive to 14 meters. What is the maximum allowable bottom time for this dive?
This is a repetitive dive so you will use the table on the flip side of the RDP. The depths in meters run down the left side of the table. Pressure groups run across the top of the table. Since you are in pressure group G, find G on the top row of the table. Now find the depth you plan to dive to, 14 meters. Find the square where 14 meters and pressure group G intersect. There are two numbers in the box, one blue and one white. The blue number is the maximum allowable bottom time. The answer to this problem is 69 minutes. This tells you that if you are in pressure group G at the start of a dive you can safely dive to 14 meters for no more than 69 minutes.
diveprofile4b.jpg
Example 5
Finding the Pressure Group After a Repetitive Dive
You and your dive buddy dive to 21 meters and stay down for 28 minutes. Following the dive you get back on the boat and stay on the surface for one hour and five minutes. On your second dive you go to 18 meters and stay for 30 minutes (your Actual Bottom Time (ABT)). What is your pressure group after the second dive?
diveprofile5a.jpg
Start by finding your pressure group after the first dive. Twenty-one meters rounded up to 22 for 28 minutes puts you in pressure group N. After a one hour and five minute surface interval your pressure group has dropped to D. Now flip the chart over to the repetitive dive table. Find pressure group D at the top of the table. Find the depth of the dive, 18 meters, in the column at the left edge of the table. Now find the square where pressure group D and 18 meters intersect. There are two numbers in the square, one blue highlighted, the other white highlighted. The white number is the residual nitrogen time (RNT) in minutes, 16. This number tells you how much nitrogen is left over in your body tissues from your first dive. What do you do with this number? Remember the word "RAT."
R = Residual Nitrogen Time
+ A = Actual Bottom Time
_____________________
T = Total Bottom Time
In our problem:
16
+ 30
________
46
R, the RNT is 16. A, ABT, is 30. Add them together to get what we call the Total Bottom Time (T). Forty-six is the sum of the RNT and the ABT. This time, the Total Bottom Time is what you will use to complete the dive profile.
diveprofile5b.jpg
To get the final pressure group just flip back to table 1. You are diving to 18 meters for 46 minutes (not the actual bottom time of 36 minutes). The result is pressure group R.
diveprofile5c.jpg
Example 6
Finding a Minimum Surface Interval
You may know the exact profiles of dives you'd like to do. For example, if you want to do two dives on a wreck one after another, you would have to figure out how long a surface interval you'll need between the two dives in order to stay safely within no-decompression limits. In other words, you must find the minimum surface interval.
You want to dive the wreck of the Hesperus in 14 meters of water. Based on what you know to be your usual rate of air consumption you estimate you'll be able to stay down for 68 minutes. Since there's so much to see on the wreck that won't be enough time so you want to do a second dive. Again, you'll be in 14 meters of water and will stay down for 68 minutes. How long a surface interval must you have?
Start by finding the pressure group after the first dive. You know how to do that!
diveprofile6a.jpg
After the first dive, you are in pressure group S. Now you have to find the pressure group that you must be in before you start your second dive. Since it's a repetitive dive, use table 3.
Find the depth of the second dive, 14 meters, in the depth column of table 3. Next, follow across the 14 meters row in the blue numbers until you come to a number that is greater than or equal to the time of the second dive, 68 minutes. Sixty-eight minutes is not in the table, so, as always, ROUND UP to 69. Follow up in the column where you find the 69 to the top row of the chart. There you'll find the letter G telling you that you must have a surface interval sufficient to get you down to pressure group G before you start your second dive. Fill it in on your profile.
diveprofile6b.jpg
There's only one more step: find the minimum surface interval needed to reduce your residual nitrogen from pressure group S to pressure group G. Flip to the surface interval table. Find the higher pressure group, S, in the diagonal line of pressure groups bordering the left side of the table. Find the lower pressure group, G, in the row of pressure groups along the bottom of Table 2. Follow across the one and up the other until the S row and G column intersect. There are two times in the box, :57 and 1:03. You want to know the minimum surface interval so the lower of the two numbers is the correct answer. Fifty-seven minutes is your minimum surface interval. Fill it in on your diagram.
diveprofile6c.jpg
Now you've thoroughly learned the RDP. If you ever forget how to use it, read the instruction manual, come back to our website or contact us for help. It's important that you know the RDP even if you have a computer and rely on it. Suppose you spend lots of money to go on a dive vacation and your computer malfunctions before you start your dives. You can whip out your RDP and track your dives with it. Even worse, suppose your computer failed during a series of dives. If you'd kept track of your dives with the RDP as back up for your computer, you could fall back on that and continue your dives. If you don't know where you are on the RDP when your computer fails, the only safe thing to do would be to end your diving for the day. Always using the RDP can be a dive saver.
Friday, June 13, 2008
http://www.comptechdoc.org/independent/security/policies/incident-response-plan.html
www.utica.edu/academic/institutes/ecii/publications/articles/A0B13342-B4E0-1F6A-156F501C49CF5F51.pdf
Sunday, June 8, 2008
hide powershell
Show-PowerShell / Hide-PowerShell
During the Week of WPF, someone requested an example of how to minimize the PowerShell window.
Here's a quick module to make it happen. Copy/paste the code below into Documents\WindowsPowerShell\Packages\PowerShell\PowerShell.psm1
$script:showWindowAsync = Add-Type -memberDefinition @"
[DllImport("user32.dll")]
public static extern bool ShowWindowAsync(IntPtr hWnd, int nCmdShow);
"@ -name "Win32ShowWindowAsync" -namespace Win32Functions -passThru
function Show-PowerShell() {
    # nCmdShow 10 = SW_SHOWDEFAULT
    $null = $showWindowAsync::ShowWindowAsync((Get-Process -id $pid).MainWindowHandle, 10)
}
function Hide-PowerShell() {
    # nCmdShow 2 = SW_SHOWMINIMIZED
    $null = $showWindowAsync::ShowWindowAsync((Get-Process -id $pid).MainWindowHandle, 2)
}
Now you can use the code below to Show and Hide PowerShell:
Add-Module PowerShell
# Minimize PowerShell
Hide-PowerShell
sleep 2
# Then Restore it
Show-PowerShell
Hope this Helps,
James Brundage[MSFT]
Friday, May 30, 2008
If you are facing the same issue, then here is the full guide to install VMware Server (works for VMware Workstation 6.5 beta too) and get it working in Hardy Heron:
Download VMware Server 1.0.5 to your home folder
Download the patch file vmware-any-any-update-116.tgz to your home folder.
Extract the Vmware-server-1.0.5-80187.tar.gz to your home folder (either via Archive manager or type tar zxf Vmware-server-1.0.5-80187.tar.gz in the terminal)
Extract the vmware-any-any-update-116.tgz to your home folder (either via Archive Manager or type tar zxf vmware-any-any-update-116.tgz in the terminal)
Install the necessary dependencies
sudo apt-get install linux-headers-`uname -r` build-essential
sudo apt-get install xinetd gcc-3.4
If you are using a 64-bit system, you have to install these additional files
sudo apt-get install ia32-libs
Run the VMware Server installer
cd vmware-server-distrib
sudo ./vmware-install.pl
You will be prompted to answer some questions. Press ‘Enter’ to select the default answer. When it reaches the point that requires you to run vmware-config.pl, type ‘No’. The installer will exit.
Next, apply the patch
cd
cd vmware-any-any-update116
sudo ./runme.pl
This time, press ‘Enter’ for all the questions and enter ‘Yes’ to run vmware-config.pl.
Once it has finished compiling, you should now see the VMware console in your Applications->System Tools. If not, you can start VMware Server by typing vmware in the terminal.
When you launch the application, it might generate an error message saying that it can’t find the cairo version. No worry, just copy the files over and it will work.
sudo cp /usr/lib/libpng12.so.0 /usr/lib/vmware/lib/libpng12.so.0/
sudo cp /lib/libgcc_s.so.1 /usr/lib/vmware/lib/libgcc_s.so.1/
For 64 bit users
sudo ln -s /usr/lib32 /usr/l32
sudo sed -i -e 's/usr\/lib/usr\/l32/g' /usr/lib32/gtk-2.0/2.10.0/loader-files.d/libgtk2.0-0.loaders
sudo sed -i -e 's/usr\/lib/usr\/l32/g' /usr/lib32/libgdk_pixbuf-2.0.so.0.1200.9
That’s it. Your VMware Server should be working now.
Thursday, May 29, 2008
Tuesday, May 27, 2008
AUSCert comment
Directorate) talk on Assurance was pretty good. There were some leaps to be made from an open market to where he figures things should be, but given that he was there with a “Security Evangelist” title, his guidance was pretty much spot on. He provided a quote from Robert Morris Sr. to support one of his arguments, I thought it quite clever: “Systems built without requirements can’t fail, they merely offer surprises. Usually Unpleasant. –Robert Morris”. He also shared the observation about the one-word synopsis for computers and security: computer::sharing && security::isolation, there’s indeed a bit of irony in this.
Monday, May 26, 2008
Sunday, May 4, 2008
http://www.quietearth.us/articles/2006/11/17/Iptables-3D-connection-visualization-with-doomcube-and-netcat
Friday, May 2, 2008
Tuesday, March 25, 2008
http://www.darkreading.com/document.asp?doc_id=149076&f_src=darkreading_default
software approach to analysing users usage on laptops
http://www.sophos.com/security/blog/2008/03/1202.html?_log_from=rss
data from blog
1 in every 206 page requests (0.48%) were blocked as being either a medium or high risk.
1 in every 465 page requests (0.22%) were high risk.
1 in every 766 page requests (0.13%) were sites known to be hosting malware.
taken from sophos blog
http://www.sophos.com/security/spam-glossary.html#mousetrapping
Sunday, March 23, 2008
http://www.darkreading.com/document.asp?doc_id=148901&f_src=darkreading_default
new version of snort, supposedly self learning of network environment
http://www.darkreading.com/document.asp?doc_id=148946&f_src=darkreading_default
Dual factor authentication tokens in US Treasury department. Low cost and disability aware