Friday, December 17, 2010

When's a password good or bad?

A reasonable article on when good passwords don't matter.

Story here

Another story on the ability to crack 'good' passwords here

NSA and compromised networks


Apparently the NSA assume that their own networks cannot be considered clean and secure, and take the appropriate actions based on that position, including increased auditing, new network sensors and standardisation.

Story here


Wednesday, December 15, 2010

Mounting a dd image

Interesting article on how to mount a dd image taken from a backup, or from a hard drive that is failing or has been copied:

http://rackerhacker.com/2010/12/14/mounting-a-raw-partition-file-made-with-dd-or-dd_rescue-in-linux/

Hashing tool

New hashing tool: http://secure1st.com/

Friday, November 5, 2010

VMware vSphere achieves EAL4+ certification

http://virtualization.info/en/news/2010/11/vmware-vsphere-4-0-receives-common-criteria-eal4-certification.html?utm_source=feedburner&utm_medium=feed&utm_campaign=Feed%3A+Virtualization_info+%28virtualization.info%29

Interesting comment at the end of the article on what is not included:

Because the vendor itself specifies the Security Target document, it’s really interesting to know what isn’t included, especially when you want to compare the product with comparable products which are also EAL4+ certified.

For ESX/ESXi, functionalities not included in the Security Target are:

  • Simple Network Management Protocol (SNMP), File Transfer Protocol (FTP), Telnet
  • The use of any authentication method on ESX(i) other than the local password database
  • VMware Software Development Kit (SDK) tools
  • The procfs interface (used to manage CPU resources) on the ESX host Service Console
  • VMware Scripting Application Programming Interface (API) on the ESX host
  • VMware Consolidated Backup
  • Guest OS patch updates via Update Manager

By earning this certification VMware stays way ahead of Citrix, for which XenServer 5.6 and XenDesktop 4.0 achieved EAL2 certification in September this year.

Four pillars of endpoint security

Interesting article from Microsoft TechNet:

http://technet.microsoft.com/en-gb/magazine/gg213837.aspx

Tuesday, October 19, 2010

Java outstrips Adobe

Apparently Java is the new Adobe when it comes to malware attacks on PCs. According to a report by Microsoft, attacks on vulnerable Java installations are orders of magnitude greater than those on Adobe products, the previous number one target of malware.

Monday, October 18, 2010

Increase in 'Cyber Security' Budget

Taken from BBC News Website

Tuesday, October 12, 2010

Tenable Nessus YouTube Channel

Tenable have a YouTube channel with some good walk-throughs.

FDCC compliance check

Nessus XML parsing with Awk

Article on the HiR blog about Nessus XML output parsing

http://www.h-i-r.net/2010/10/nessus-xml-parsing-with-awk.html

Contains a link to a script that produces a list of IPs against their severity rating, here.

Seems to work better than some contractors' output I could mention....
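The same IP-to-severity listing done in Python over the .nessus (v2) XML format, as an added example; it is not the HiR awk script, and the report it parses is a constructed sample, not real scan output.

```python
import xml.etree.ElementTree as ET
from collections import Counter

# Severity codes carried in the .nessus v2 ReportItem 'severity' attribute
SEVERITY_LABEL = {0: "info", 1: "low", 2: "medium", 3: "high", 4: "critical"}

# Constructed sample report (not real scan output); only the attributes used below are included.
SAMPLE_NESSUS = """<?xml version="1.0"?>
<NessusClientData_v2>
 <Report name="constructed sample">
  <ReportHost name="192.0.2.10">
   <ReportItem port="445" protocol="tcp" svc_name="cifs" pluginID="1" pluginName="sample high" severity="3"/>
   <ReportItem port="80" protocol="tcp" svc_name="www" pluginID="2" pluginName="sample banner" severity="0"/>
  </ReportHost>
  <ReportHost name="192.0.2.20">
   <ReportItem port="22" protocol="tcp" svc_name="ssh" pluginID="3" pluginName="sample version" severity="0"/>
   <ReportItem port="22" protocol="tcp" svc_name="ssh" pluginID="4" pluginName="sample medium" severity="2"/>
  </ReportHost>
  <ReportHost name="192.0.2.30">
   <ReportItem port="0" protocol="tcp" svc_name="general" pluginID="5" pluginName="sample info" severity="0"/>
  </ReportHost>
 </Report>
</NessusClientData_v2>
"""


def parse_nessus_v2(xml_text):
    """Map each ReportHost name to a Counter of {severity code: number of findings}.
    ElementTree does not resolve external entities; for reports from an untrusted
    source, the defusedxml drop-in is still the safer parser to use here."""
    root = ET.fromstring(xml_text)
    results = {}
    for host in root.iter("ReportHost"):
        counts = Counter()
        for item in host.iter("ReportItem"):
            counts[int(item.get("severity", "0"))] += 1
        results[host.get("name")] = counts
    return results


def hosts_by_severity(results, minimum=1):
    """Rows of (host, worst severity, counts), worst first, for hosts with at least
    one finding at 'minimum' or above (the default skips info-only hosts)."""
    rows = []
    for host, counts in results.items():
        worst = max((s for s in counts if s >= minimum), default=None)
        if worst is not None:
            rows.append((host, worst, dict(counts)))
    rows.sort(key=lambda r: (-r[1], r[0]))
    return rows


def format_report(rows):
    """One line per host: address, worst severity label, then a breakdown by label."""
    lines = []
    for host, worst, counts in rows:
        breakdown = " ".join(f"{SEVERITY_LABEL.get(s, s)}={n}"
                             for s, n in sorted(counts.items(), reverse=True))
        lines.append(f"{host:<16} {SEVERITY_LABEL.get(worst, worst):<8} {breakdown}")
    return lines


if __name__ == "__main__":
    print("\n".join(format_report(hosts_by_severity(parse_nessus_v2(SAMPLE_NESSUS)))))
```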

Sophos articles on malicious code

A couple of PDFs on malicious code.

1. Want my autograph? The use and abuse of digital signatures by malware

http://www.sophos.com/security/technical-papers/digital_signature_abuse.pdf

Interesting article on the use of stolen certificates in modern malware.

2. Finding Rules for Heuristic Detection of Malicious PDFs: With Analysis of Embedded Exploit Code

http://www.sophos.com/security/technical-papers/malicious_pdfs.pdf

What to look for in malicious PDFs.

Highlights of that one:

Heuristic 1: If the PDF contains JavaScript, look more closely.

Heuristic 2: If the objects or streams are mismatched, look more closely.

Heuristic 3: If the cross-reference (XRef) table is invalid, look more closely.

Heuristic 4: The presence of the LZWDecode, ASCII85Decode, DCTDecode and Encrypt filters is indicative of clean files.

Heuristic 5: Hash (#) encoded tags are indicative of malicious files.

These comments appear to be based on Adobe Acrobat Reader being the infection vector. Sumatra PDF reader, which doesn't support Flash or JavaScript, might be an interesting alternative for getting away from a lot of these problems.
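The five heuristics above as a small scoring scanner over raw PDF bytes. This is an added example, not code from the Sophos paper; the weights (2 per positive, minus 1 per "clean" filter) and the two constructed sample files (one clean, one carrying an obfuscated /JavaScript action and a broken startxref) are assumptions of mine.

```python
import re

# Heuristics 1-5 from the Sophos paper, turned into a scoring pass over raw PDF bytes.
HEX_NAME = re.compile(rb"#([0-9A-Fa-f]{2})")           # #xx escape inside a name object
OBJ_HEADER = re.compile(rb"(\d+)\s+(\d+)\s+obj\b")     # 'N G obj'
CLEAN_MARKERS = (b"/LZWDecode", b"/ASCII85Decode", b"/DCTDecode", b"/Encrypt")


def decode_names(data):
    """Resolve #xx escapes, so an obfuscated /Java#53cript is seen as /JavaScript."""
    return HEX_NAME.sub(lambda m: bytes([int(m.group(1), 16)]), data)


def has_hash_encoded_names(data):
    """Heuristic 5: a plain ASCII name such as /Java#53cript has no honest reason to be escaped."""
    return re.search(rb"/[A-Za-z0-9]*#[0-9A-Fa-f]{2}", data) is not None


def objects_or_streams_mismatched(data):
    """Heuristic 2: every 'N G obj' needs an 'endobj' and every 'stream' an 'endstream'."""
    n_obj = len(OBJ_HEADER.findall(data))
    n_endobj = len(re.findall(rb"\bendobj\b", data))
    n_stream = len(re.findall(rb"\bstream\r?\n", data))
    n_endstream = len(re.findall(rb"\bendstream\b", data))
    return n_obj != n_endobj or n_stream != n_endstream


def xref_is_valid(data):
    """Heuristic 3: the last startxref offset must land on a classic 'xref' table or on
    the 'N G obj' header of a cross-reference stream (/Type /XRef)."""
    offsets = re.findall(rb"startxref\s+(\d+)", data)
    if not offsets:
        return False
    off = int(offsets[-1])
    if off >= len(data):
        return False
    at = data[off:off + 200]
    if at.startswith(b"xref"):
        return True
    return OBJ_HEADER.match(at) is not None and b"/XRef" in at


def assess_pdf(data):
    """Apply the five heuristics; each positive adds 2, each 'clean' filter subtracts 1."""
    decoded = decode_names(data)
    findings = {
        "javascript": b"/JavaScript" in decoded or b"/JS" in decoded,          # heuristic 1
        "mismatched_objects": objects_or_streams_mismatched(decoded),         # heuristic 2
        "invalid_xref": not xref_is_valid(data),                              # heuristic 3
        "clean_filters": [m.decode() for m in CLEAN_MARKERS if m in decoded],  # heuristic 4
        "hash_encoded_names": has_hash_encoded_names(data),                   # heuristic 5
    }
    score = sum(2 for k in ("javascript", "mismatched_objects", "invalid_xref",
                            "hash_encoded_names") if findings[k])
    findings["score"] = score - len(findings["clean_filters"])
    findings["look_closer"] = findings["score"] > 0
    return findings


# --- constructed samples (not real malware), built so the xref offsets are correct ---
def build_pdf(objects, root=1):
    """Assemble numbered objects into a PDF with a correct xref table and trailer."""
    out = bytearray(b"%PDF-1.4\n")
    offsets = []
    for i, body in enumerate(objects, start=1):
        offsets.append(len(out))
        out += b"%d 0 obj\n%s\nendobj\n" % (i, body)
    xref_at = len(out)
    out += b"xref\n0 %d\n0000000000 65535 f \n" % (len(objects) + 1)
    for off in offsets:
        out += b"%010d 00000 n \n" % off
    out += b"trailer\n<< /Size %d /Root %d 0 R >>\nstartxref\n%d\n%%%%EOF\n" % (
        len(objects) + 1, root, xref_at)
    return bytes(out)


CLEAN_PDF = build_pdf([
    b"<< /Type /Catalog /Pages 2 0 R >>",
    b"<< /Type /Pages /Kids [3 0 R] /Count 1 >>",
    b"<< /Type /Page /Parent 2 0 R /Resources << /XObject << /Im0 4 0 R >> >> >>",
    b"<< /Type /XObject /Subtype /Image /Width 1 /Height 1 /Filter /DCTDecode /Length 3 >>\n"
    b"stream\nabc\nendstream",
])

# Obfuscated /JavaScript OpenAction (heuristics 1 and 5); the startxref pointer is then
# broken on purpose (heuristic 3), as it often is in hand-crafted files.
SUSPICIOUS_PDF = re.sub(rb"startxref\n\d+", b"startxref\n999999", build_pdf([
    b"<< /Type /Catalog /Pages 2 0 R /OpenAction 3 0 R >>",
    b"<< /Type /Pages /Kids [] /Count 0 >>",
    b'<< /Type /Action /S /Java#53cript /J#53 (app.alert("constructed sample")) >>',
]))

if __name__ == "__main__":
    for label, pdf in (("clean", CLEAN_PDF), ("suspicious", SUSPICIOUS_PDF)):
        print(label, assess_pdf(pdf))
```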

Monday, October 11, 2010

Team Logo


My take on a team Logo!...

Thursday, October 7, 2010

Determining and mounting LUKS-based encrypted disk images

Article on how to determine whether a disk image is LUKS-based and, if it is, how to deal with it. It also covers LVM.

It does NOT cover brute forcing the password.

Adobe Flash configuration

Found an article on Adobe Flash configuration and its implications.

It references a PDF that gives the full spec, but the article covers a few interesting things that should perhaps be considered for Flash/Internet-facing systems.


Geolocating an IP address

Found a site, http://www.infosniper.net, that lets you geolocate a user from their IP address. Other sites do this too, but it gives you the option to choose Google, Microsoft or Yahoo mapping tools.



Might be worth remembering for looking up IP addresses in email headers.

Wednesday, October 6, 2010

Article on setting effective consumer IT security policies

Good article on what to consider when allowing staff to use their own IT to undertake work away from their corporate environment, i.e. their own laptops, smart phones, use of hotel IT, etc.

Article taken from WindowSecurity.com

Some points to consider.

Security concerns.

  • Security threats presented by consumer applications, i.e. webmail and social networking, used by employees on company-owned computers.
  • Security threats presented by consumer devices (laptops, smart phones, tablets/slates) owned by employees but used to connect to the corporate network.

Security Threats

  • Introduction of malware into the corporate network
  • Leakage of company data if consumer device is lost or stolen
  • Leakage of company information from inside corporate network from consumer apps, i.e. webmail, social networking, instant messenger

The article had some good recommendations, including:
  • Mandatory encryption of any company data stored on employee-owned devices.
  • Mandatory encryption of communications in transit between employee-owned devices and the company network via VPN, DirectAccess, etc.
  • Mobile devices used for business should have the capability of being remotely wiped.
  • Health checks of laptops connecting to the corporate network, via Network Access Protection (NAP) or Network Access Control (NAC) to ensure that they meet company standards as to virus protection, firewall, service packs/security updates and so forth.
  • Enforced sync parsing/protocol filtering and content filtering (DeviceLock) to control what types of data users can synchronize between their mobile devices and company computers.
  • A virtual desktop infrastructure whereby virtualized operating systems and/or applications are delivered to employee-owned laptops for work purposes, allowing the company to control the hosted image and isolate it from the local operating system on the laptop.
  • Policies that specify what consumer software can be used on corporate computers (for example, social networking web sites vs. iTunes, multi-player games or personal VoIP accounts such as Skype) and enforcement of those policies with Software Restrictions Policy.
  • Use of agent-based security configuration management tools to enforce usage policies.
  • Develop a comprehensive usage policy that addresses employee use of social networking
Well worth a read, as it may also cover issues such as contractors and what they can do with their own laptops in an organisation.

Tuesday, October 5, 2010

How To – Digital Forensic Imaging In VMware ESXi

Great article on how to forensically image a VMDK file.

Wednesday, September 29, 2010

National Cyber Security Awareness Month

Apparently October is National Cyber Security Awareness Month in the USA. They have some good banners and posters that might be of interest and could be used elsewhere.

There also appears to be a selection of tip sheets that might be worthwhile looking at.

Tip sheet documents:

  • Gaming Tips for Kids
  • Gaming Tips for Parents
  • Internet Safety and Security Tips For Parents
  • Mobile Tips
  • Social Networking Tips

Map Based Passwords

I'm not entirely sure I think this is a great idea, but map-based passwords have been proposed as an alternative to regular passwords.

Apparently a user memorises a spot on a map, but I can't help feeling that a map of London is going to attract a large number of people choosing the London Eye as their location. I would have thought this method makes shoulder surfing easier, as a quick glimpse of a map would probably show where a user has chosen, especially if the location is fairly sparse.

Still, beats users writing it down and sticking it on the bottom of the keyboard..........

eEye Digital Security zero day tracker

eEye Digital Security have a Zero-Day tracker page to catalogue the latest zero-day exploits and vulnerabilities.


Link to zero day tracker here

How to tell what version of Ubuntu you are running.

Installed Ubuntu and forgotten what version it is? Upgraded so many times not sure what variant of Ubuntu it now is?

$ cat /etc/issue

Ubuntu 10.04.1 LTS

Thursday, September 23, 2010

Really Really persistent cookies

Extremely persistent browser cookies:

evercookie is a JavaScript API that produces extremely persistent cookies in a browser. Its goal is to identify a client even after they've removed standard cookies, Flash cookies (Local Shared Objects or LSOs), and others.

evercookie accomplishes this by storing the cookie data in several types of storage mechanisms that are available on the local browser. Additionally, if evercookie has found the user has removed any of the types of cookies in question, it recreates them using each mechanism available.

Specifically, when creating a new cookie, it uses the following storage mechanisms when available:

  • Standard HTTP Cookies
  • Local Shared Objects (Flash Cookies)
  • Storing cookies in RGB values of auto-generated, force-cached PNGs using HTML5 Canvas tag to read pixels (cookies) back out
  • Storing cookies in Web History (seriously. see FAQ)
  • HTML5 Session Storage
  • HTML5 Local Storage
  • HTML5 Global Storage
  • HTML5 Database Storage via SQLite

And the arms race continues....

Monday, September 20, 2010

Five Irrefutable Laws of Information Security

Apparently these come from the CISO of Intel. Look pretty good to me.

  1. Information wants to be free. Once data lands on the endpoint, it’s free. There is a much higher likelihood that data will end up in the wrong hands if it’s on an endpoint. Consequently, be careful about what you allow to be stored on the endpoint. Implement policies that restrict data leakage on endpoints and USB devices.
  2. Code wants to be wrong. No matter how hard developers and engineers try, code always has flaws and bugs that open up vulnerabilities. Frequent and consistent patching is essential to keep your network protected to the highest degree possible.
  3. Services want to be on. Employees, partners, and customers all want access to your network. Self-service utilities and applications are no doubt a great resource but they can also be the point of vulnerabilities. Frequently test and probe the security capabilities of these types of applications, and regularly look for vulnerabilities and weaknesses that may be exploited by any external or internal user.
  4. Users want to click. Whenever users see a button, they click on it! Email-borne viruses and malicious websites are the source of many viruses and breaches to network security. Educating your end users is an ongoing effort. People forget. They get lazy and have to be reminded about the dangers that lurk on the internet.
  5. Security features want to be bypassed. Sometimes a security feature can be bypassed (even when enabled) depending upon if the state of a laptop is in standby mode, for example. Always review with your IT staff if any security feature can be bypassed by any means.

Friday, September 17, 2010

Recent twitter post

Now I get Twitter................

Friday, September 10, 2010

Online safety sites for families

A couple of websites with some information on how to keep your family safe on the Internet.

http://www.microsoft.com/downloads/en/details.aspx?FamilyID=87583728-ef14-4703-a649-0fd34bd19d13&displayLang=en

www.google.co.uk/familysafety

Friday, September 3, 2010

Interesting article

I came across this article, which is a great metaphor for how people think about security. Original post from http://erratasec.blogspot.com/

Thursday, September 02, 2010
A False Sense of Security
Posted by Robert Graham at 5:14 PM

This article describing Hurricane Earl shows a woman putting a pattern of duct tape on the window. Does this duct tape really help?

No, of course not. Duct tape does nothing to stop the glass from shattering, and does almost nothing to stop fragments flying around.

What it does give people is a false sense of security. For whatever reason, they’ve decided not to buy hurricane shutters (even though they live in a hurricane zone) and not board up their windows with plywood. But they can’t just do nothing, so they resort to sympathetic magic like taping up windows. At least they are putting something on their windows.

Such ignorance is not just useless, but in some cases, can be harmful. Some people believe they should leave their windows open a crack during a hurricane, in order to equalize pressure. The opposite is true: this makes it more likely that the hurricane will pop your roof off. The reason is that wind traveling over your roof creates low pressure above, and wind entering your house creates high pressure inside. This lifts your roof off, in precisely the same manner it lifts an airplane wing when flying.

There are obvious analogies with cybersecurity. People do things, like install anti-virus, firewalls, or WEP, because “doing something” makes them feel good. But they haven’t thought through the cause-and-effect of whether doing such things actually works.


Saturday, August 7, 2010

DNSMadeEasy DDoS

DNSMadeEasy.com is suffering a sustained DDoS attack at the moment, somewhere in the region of 50Gb/sec!!

Tuesday, June 15, 2010

Firewall process map

Monday, June 7, 2010

Another timeline generator

Part of my quest to find a great timeline tool that can be used for both forensics and network investigations.

http://www.learningtools.arts.ubc.ca/timeline.htm

Monday, May 31, 2010

X-Header tool

www.privoxy.org

crunch-server-header

Typical use: remove a server header Privoxy has no dedicated action for.

Effect: deletes every header sent by the server that contains the string the user supplied as parameter.

Hacking Poster

Monday, May 17, 2010

.htaccess setup on apache2

Set Apache Password Protected Directories With .htaccess File

Step # 1: Make sure Apache is configured to use the .htaccess file

In the Apache site configuration, the <Directory> block for the document root (here /var/www/) needs AllowOverride set so that .htaccess files may carry authentication directives:

<Directory /var/www/>
    Options Indexes Includes FollowSymLinks MultiViews
    AllowOverride AuthConfig
    Order allow,deny
    Allow from all
</Directory>

Save the file and restart Apache:

# /etc/init.d/apache2 restart

Step # 2: Create a password file with htpasswd

htpasswd -c password-file username

Create the password file in a directory outside the Apache document root, so that it is not reachable from the web and cannot be downloaded; only Apache needs to read it:

# mkdir -p /home/secure/

Add a new user called remote (-c creates the file; omit it when adding further users, otherwise the existing file is overwritten):

# htpasswd -c /home/secure/apasswords remote

Now allow the Apache user www-data, and nobody else, to read our password file:
# chown www-data:www-data /home/secure/apasswords
# chmod 0660 /home/secure/apasswords




Create the .htaccess file in the directory to be protected, using a text editor:
# cd /var/www/
# vi .htaccess

Add the following text:

AuthType Basic
AuthName "Restricted Access"
AuthUserFile /home/secure/apasswords
Require user remote

Save the file and exit to the shell prompt.

Step # 3: Test your configuration

Fire up your browser and go to http://ip-address/

When prompted for a username and password, supply the username remote and its password. Note that Basic authentication sends the credentials base64-encoded rather than encrypted, so put the site behind HTTPS if the password matters.

Troubleshooting

If the password is not accepted, or you want to troubleshoot other authentication-related problems, look at the Apache access and error logs:

# tail -f /var/log/apache2/access.log
# tail -f /var/log/apache2/error.log

Sunday, May 16, 2010

Timeline tool

Just a reminder of the tool

http://simile.mit.edu/wiki/Timeline

as I always have trouble tracking it down.

UPDATE

Now moved to http://www.simile-widgets.org/

Example of the sort of things it can do

http://www.simile-widgets.org/timeline/examples/jfk/jfk.html

Tuesday, May 4, 2010

Threat Modelling Process

A general high-level overview of the common steps in threat modelling from the defensive perspective:

  • Define the application requirements:
    • Identify business objectives
    • Identify the user roles that will interact with the application
    • Identify the data the application will manipulate
    • Identify the use cases for operating on that data that the application will facilitate

  • Model the application architecture:
    • Model the components of the application
    • Model the service roles that the components will act under
    • Model any external dependencies
    • Model the calls from roles to components, and eventually to the data store, for each use case identified above

  • Identify any threats to the confidentiality, availability and integrity of the data and the application, based on the data access control matrix that your application should be enforcing
  • Assign risk values and determine the risk responses
  • Determine the countermeasures to implement based on your chosen risk responses
  • Continually update the threat model based on the emerging security landscape.

Sunday, May 2, 2010

Protecting Against Password Reset Attacks

Protecting Against Password Reset Attacks
from Security Bloggers Network by Randy Abrams

As I previously blogged today, the hacker who broke into Sarah Palin’s Yahoo account was convicted on two charges. The way that David Kernell gained access to Palin’s email account was by trying to log into her account, saying “I forgot my password” and then he correctly answered the password reset questions. Some of the questions had answers that were public information and others were easily guessed.

When you have to choose a password reset question, always use the wrong answer. There is typically only one correct answer to the questions and often times the answer is known by others. There are an infinite number of wrong answers so it is extremely difficult for an attacker to correctly answer the reset questions if you use the wrong answer.

Now, here’s the tricky part… How do YOU remember the wrong answers? You can write them down. You can use tricks such as a theme. For example, if you like Star Wars, then perhaps your first car was the Millennium Falcon. Your first pet was a wookie. For me, I use the comment field in Password Corral.

The password reset attack is a fairly easy attack, but fortunately the defense is also quite easy too!

Saturday, April 24, 2010

Checking windows registry for debug entries

http://www.sophos.com/blogs/sophoslabs/?p=9395

Friday, April 23, 2010

Block, Quarantine or Delete?

Taken from http://www.sophos.com/blogs/chetw/g/2010/04/23/mcafee-fix-dangers-virus-handling

McAfee fix and the dangers of virus handling
from Security Bloggers Network by Chester Wisniewski, Sophos

In the security world the news has been dominated for the last 48 hours with tales of woe regarding the false-positive some McAfee customers encountered with svchost.exe. McAfee customers who have run into the problem can find detailed advice on fixing the issue in McAfee KB68780.

Our emotions regarding malware often lead us astray. Instinctively we want to delete or quarantine malware. McAfee's situation shows why this is a bad idea. According to their KB article if your system experienced this issue your copy of C:\Windows\System32\svchosts.exe has either been quarantined or deleted.

When I was in the Sales Engineering department here at Sophos it seemed to be a full-time job explaining to prospects why it was a bad idea to delete or quarantine viruses and other malware. Why on earth would I want a known malicious file to remain on my PC?

Upon the discovery of malicious code, anti-virus solutions are unable to determine with 100% confidence whether the file in question is required to boot, or required for the regular operation of your PC. As a safety precaution it is best to prevent access to the identified file, but leave it in place and by no means delete it. Viruses often infect critical drivers and other key components of the operating system. If you delete these files upon detection (or even move them) you create a much more difficult recovery process.

Fortunately in this case, McAfee customers are able to boot into Safe Mode and take the actions necessary to restore the computer to a fully working state. There is still a lot of manual work involved, but it does not require you to boot a live CD or USB stick to save the system. In cases where more important files have been moved it can be difficult if not impossible to fix once the files have been tampered with.

My Point? For everyday computers in your workplace the best practice is to attempt to clean up viruses, but not move them to a central area or delete them permanently. For extremely risk-averse environments and mission critical systems you may wish to be more conservative and simply block access to the file and require a human to take action before making system modifications.

The good news is that false positives are few and far between. Recovery is difficult enough, don't complicate it more than necessary.

Take it from an expert - don't transport malware around your computer/network, clean it up in place, and do your best to do no harm.

Friday, April 16, 2010

Sophos 'Threatsaurus' PDF

http://www.sophos.com/sophos/docs/eng/papers/sophos-threatsaurus-a-z-en.pdf

Insider threat

HSBC Database Breach Highlights Lack Of Accountability For IT Super Users

http://www.darkreading.com/shared/printableArticle.jhtml?articleID=224200365

Insiders Not The Real Database Threat

http://www.darkreading.com/blog/archives/2010/03/database_inside.html?print=true

Converting epoch time

Convert from epoch time to standard date/time (in the local time zone):

perl -e 'print scalar(localtime(1226424300)), "\n"'
Wed Nov 12 01:25:00 2008

Convert from standard date/time back to epoch time. Time::Local's timelocal takes (sec, min, hour, mday, mon, year), and the month is zero-based, so November is 10, not 11:

perl -e 'use Time::Local; print timelocal(0,25,1,12,10,2008), "\n";'
1226424300

Nessus update

The list below outlines the changes included in the 4.2.2 release:

  • nessus-fetch binary:
    • Proxy authentication now works on Windows
    • Proxy authentication (NTLM) with a username and domain now works
    • In some cases, the last nessus-fetch.rc statement might be ignored

Wednesday, April 14, 2010

Simple log checklist

Simple log checklist from Anton Chuvakin.

Link here

Sharepoint server security articles

A couple of articles on securing SharePoint servers.

Friday, April 9, 2010

Interesting password generating web page

Could be hosted on any LAN or Intranet

http://code.google.com/p/hype-free/source/browse/trunk/js_password_generator.html

Friday, April 2, 2010

VMWare security appliance

Interesting security appliance for managing the interactions between admins and the infrastructure. It can also give non-admin users admin-level access without ever handing over a password, and it covers audit as well.

http://www.hytrust.com/

Thursday, April 1, 2010

Cisco ASA/PIX firewall rule checker

Interesting open source VM for checking the rules of Cisco ASA/PIX firewalls. Support for open source firewalls like iptables is coming soon.

http://runplaybook.com/p/11

Tuesday, March 30, 2010

Vulnerability testing process template

http://www.infosecwriters.com/text_resources/pdf/GYhan.Network.Security.Testing.Process.pdf

Sunday, March 21, 2010

Interesting take on Mac vs PC argument


If you follow Information Security at all or have been part of a PC vs. Mac discussion at any level, you’ve probably come across the timeless question of:

What’s more secure, Mac or PC?

Well, there’s an analogy from renowned security researcher Charlie Miller that elegantly captures the answer in a single sentence:

Mac OS X is like living in a farmhouse in the country with no locks, and Windows is living in a house with bars on the windows in the bad part of town.

In short, having a secure operating system and being safe are two different things. Exposure matters. So even though Windows is technically more secure, people using it are still less safe than if they were to use OS X.


Thursday, March 18, 2010

Interesting article on google



http://blogs.zdnet.com/Foremski/?p=1266&tag=nl.e539

Wednesday, March 17, 2010

Laughed my socks off!!

http://www.youtube.com/watch?v=VjfaCoA2sQk

Tuesday, March 16, 2010

Seamless mode in virtualbox


Interesting article on makeuseof.com called

VirtualBox’s Seamless Mode: Combine Two Operating Systems Into One Desktop

Seems like an interesting way to protect a Windows box from the Internet, by browsing via a copy of Firefox in Linux.



Interesting Nessus article

http://blog.tenablesecurity.com/2010/03/value-of-credentialed-scanning.html

Interesting article on the benefits of using credentials when doing a Nessus scan. If only everybody read it........

Friday, March 12, 2010

Sandboxing apps in windows


http://websandbox.livelabs.com/


Wednesday, February 24, 2010

Bootable IronKey Device

IronKey have produced a new device that is bootable and can run a virtualised desktop.

IronKey have joined up with BeCrypt to provide a Trusted Client.

Tuesday, February 23, 2010

PKI CP and CPS paper

Certificate Policies and Certification Practice Statements paper from Entrust:

www.entrust.com/resources/pdf/cps.pdf

Sunday, February 21, 2010

PCI Standards doc

https://www.pcisecuritystandards.org/pdfs/pci_audit_procedures_v1-1.pdf

https://www.pcisecuritystandards.org/security_standards/download.html?id=pci_dss_v1-2.pdf

Hacking Citrix and Terminal Server Techniques

http://narkolayev-shlomi.blogspot.com/2010/02/hacking-citrix-and-terminal-server.html

Friday, February 19, 2010

PDF exploits 80% of all attacks in 2009

Highlights from the ScanSafe report:

  • 45% of all Web malware encounters in 2009 were with exploits and iframes indicative of compromised websites
  • Malicious PDF files comprised 56% of Web-encountered exploits in 1Q09, growing to 80% of all exploits by 4Q09; Flash exploits encountered via the Web dropped from 40% in 1Q09 to 18% in 4Q09
  • Web-encountered exploits in Word and Excel comprised less than 1% of all detected exploits for the year
  • Malicious image files comprised 10% of all Web malware encountered in 2009

http://scansafe.com/downloads/gtr/2009_AGTR.pdf

Thursday, February 18, 2010

Stonewood gets SSD Eclypt drives approved

http://www.networkworld.com/news/2010/021810-stonewoods-ultra-secure-eclypt-drive-gets.html

Setting up subscriptions for event log forwarding

Syslog-type functionality for forwarding Windows events from multiple machines to one Windows box, without third-party software.

http://www.windowsecurity.com/articles/Video_Setting_up_Subscriptions_Event_Log_Forwarding.html

Tuesday, February 16, 2010

If only i could change this to something else....

Copy a virtualbox vdi file

To copy an already created VDI file in order to create a new virtual machine, use the following on a Windows box. It should be the same on a Linux machine, but obviously the path needs to be modified.

c:\Program Files\Sun\VirtualBox\VBoxManage.exe clonevdi original_file.vdi clone_file.vdi

Sunday, February 14, 2010

VMware directory traversal vulnerability

Nmap script for it:

http://www.skullsecurity.org/blog/?p=436

Perl script:

http://fyrmassociates.com/tools/gueststealer-v1.pl

Microsoft Exchange 2007 Audit Articles

A couple of articles on what can be audited in MS Exchange 2007 Service Pack 2, which might shape what we want to do and/or can do.

Audit part 1


Audit part 2

Tuesday, February 9, 2010

Windows Offline Updater returns

Having seen AutoPatcher disappear, Claus has a good write-up on an alternative here:
http://grandstreamdreams.blogspot.com/2007/10/heise-offline-update-40-now-serving.html

Sunday, February 7, 2010

USB History for Windows and Linux systems

Good article on USB history in Windows and Linux systems and where to find the artifacts:



http://blog.commandlinekungfu.com/2010/01/episode-77-usb-history.html

Sans Forensic Summit in London

The 2010 European Community Digital Forensics and Incident Response Summit

Dates:
Pre-Summit Course Dates: April 14 - 18, 2010
Summit Dates: April 19 - 20, 2010
Summit Venue:
London, UK

Log review process


Interesting image on the process of log review

Thursday, February 4, 2010

Building OpenVPN on a VPS

Pages to read

http://samj.net/2010/01/howto-set-up-openvpn-in-vps.html

http://forums.ramhost.org/bbs/viewtopic.php?pid=4

Installing BackTrack

Guide to installing a persistent copy of BackTrack:

http://www.infosecramblings.com/backtrack/backtrack-4-usbpersistent-changesnessus/

See also Hak5 video of today 04/02/10

VMWare Videos

http://www.vmwarevideos.com/

Training videos on VMWare use.

Monday, January 25, 2010

Transparent proxy on dd-wrt

Using dd-wrt firmware v24-sp2

Edit /tmp/.rc_firewall and add the two NAT rules below. The first keeps the client's access to the router's own web interface on port 80 and must come before the redirect, since iptables acts on the first matching rule; the second sends every other port-80 connection from the client to the proxy. Replace client_ip_address, proxy_ip_address and proxy_port with your own values:

iptables -t nat -A PREROUTING -s client_ip_address -d $(nvram get lan_ipaddr) -p tcp --dport 80 -j DNAT --to $(nvram get lan_ipaddr)
iptables -t nat -A PREROUTING -s client_ip_address -p tcp --dport 80 -j DNAT --to proxy_ip_address:proxy_port

So, starter for ten: what's wrong with this URL? hXXp://www.facebook.com/l/14f37;bit.ly/6pe9H9 (other than the hxxp part). Link not safe for work!

Sunday, January 24, 2010

Memory forensics



http://blog.mandiant.com/archives/741

Tuesday, January 19, 2010

Microsoft issues "Quick Security References" Guides

Microsoft issues new security guides, first two on SQL injection and XSS attacks.

http://www.microsoft.com/downloads/details.aspx?FamilyID=79042476-951f-48d0-8ebb-89f26cf8979d&displaylang=en

Wednesday, January 13, 2010

Iran targeting search engines

Iran and China in Cyberwar

Sunday, January 10, 2010

'God' Mode in Windows 7

A little trick lets you open a hidden control panel in Windows 7 with lots of settings, grouped by category, in one convenient place.

You will get it in seconds. Just create a new folder in any place on your hard drive with any name, then rename it to:

GodMode.{ED7BA470-8E54-465E-825C-99712043E01C}

Note the new icon appears on this folder. Now, when you open it, you get a long list of more than 280 system settings.

Secure, or not, USB drives

Taken from https://blogs.sans.org/appsecstreetfighter/2010/01/07/client-side-input-validation-is-evil/

Client Side Input Validation is Evil


I said it before, and will say it again: All users are evil. Case in point: The recent secure USB key vulnerability.

These USB keys encrypt data stored on the USB key. Great idea! So now, if you lose the key, you no longer have to worry about your top secret image collection getting viewed by minors.

What was the flaw in the implementation? In order to unlock the device, you have to enter your password into software installed on your laptop / desktop. You would expect the software hashes or encrypts the password, sends it to the device, the device uses the hash to decrypt the files stored on the device. WRONG.

In this case, the client software validates the password by encrypting a specific block of data on the drive. Sadly, this block doesn’t change. So these researchers replaced the software with their own tool that just sends this fixed block of data back to the device (they actually just patched the existing software in memory to bypass the password check). To add insult to injury, this scheme was certified as FIPS-140-2 compliant. The FIPS-140 standard is used by the US federal government to certify encryption devices and FIPS-140-2 compliant USB sticks may be used in some government systems that prohibit regular USB devices. Many companies implement similar policies.

As a web developer, this reminded me of input validation using JavaScript on the client. It is nice for user convenience, but should never be used in lieu of server side input validation. Or using a simple “admin=Y” cookie to identify a user as administrator. Did I mention all users are evil and out to get you?

The original announcement about the USB issue can be found here: http://www.syss.de/fileadmin/ressources/040_veroeffentlichungen/dokumente/SySS_knackt_Kingston_USB-Stick.pdf

 