Friday, December 17, 2010
When's a password good or bad?
Story here
Another story on the ability to crack 'good' passwords
here
NSA and compromised networks
Apparently the NSA treat their own networks as already compromised rather than clean and secure, and take the appropriate actions based on that position, including increased auditing, new network sensors and standardisation.
Story here
Wednesday, December 15, 2010
Mounting a dd image
Interesting article on how to mount a raw dd (or dd_rescue) image, whether taken as a backup or from a failing or copied hard drive, by giving mount the byte offset of the partition inside the image
http://rackerhacker.com/2010/12/14/mounting-a-raw-partition-file-made-with-dd-or-dd_rescue-in-linux/
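The number you need from a raw image is the partition's byte offset. As an added example (my code, not the linked article's), this Python reads the four primary partition entries straight out of the MBR and prints the read-only loop mount command (losetup -r -o OFFSET is the equivalent if you prefer a loop device). It assumes 512-byte sectors and a classic MBR; a type 0xEE entry means the disk is GPT and needs a GPT parser instead. The sample MBR it builds is constructed test data.

```python
import struct

SECTOR_SIZE = 512  # assumption: 512-byte sectors (4K-native disks differ)
# status, CHS start (skipped), type, CHS end (skipped), LBA start, sector count
ENTRY_FMT = "<B3xB3xII"


def parse_mbr(mbr):
    """Parse the four primary partition entries from a 512-byte MBR."""
    if len(mbr) < 512 or mbr[510:512] != b"\x55\xaa":
        raise ValueError("not an MBR: 0x55AA signature missing")
    parts = []
    for i in range(4):
        status, ptype, lba_start, sectors = struct.unpack_from(ENTRY_FMT, mbr, 446 + 16 * i)
        if ptype == 0 or sectors == 0:
            continue  # empty slot
        parts.append({
            "index": i + 1,
            "bootable": status == 0x80,
            "type": ptype,
            "gpt_protective": ptype == 0xEE,  # protective MBR: real table is GPT
            "start_lba": lba_start,
            "sectors": sectors,
            "offset": lba_start * SECTOR_SIZE,
            "size": sectors * SECTOR_SIZE,
        })
    return parts


def mount_command(image, part, mountpoint):
    """Read-only loop mount at the partition's byte offset. Add noload for an
    ext3/ext4 partition whose journal was never replayed (unclean shutdown)."""
    return "mount -o ro,loop,offset=%d %s %s" % (part["offset"], image, mountpoint)


def partitions_from_image(path):
    """Read the MBR from a dd / dd_rescue image file."""
    with open(path, "rb") as f:
        return parse_mbr(f.read(512))


def build_sample_mbr(entries):
    """Constructed test MBR from (bootable, type, start_lba, sectors) tuples."""
    mbr = bytearray(512)
    for i, (bootable, ptype, start, sectors) in enumerate(entries):
        struct.pack_into(ENTRY_FMT, mbr, 446 + 16 * i,
                         0x80 if bootable else 0, ptype, start, sectors)
    mbr[510:512] = b"\x55\xaa"
    return bytes(mbr)


if __name__ == "__main__":
    # Constructed layout: a bootable Linux partition at LBA 2048, swap after it.
    sample = build_sample_mbr([(True, 0x83, 2048, 409600), (False, 0x82, 411648, 1048576)])
    for part in parse_mbr(sample):
        print("p%d type 0x%02x offset %d size %d" % (
            part["index"], part["type"], part["offset"], part["size"]))
        print("  " + mount_command("disk.dd", part, "/mnt/p%d" % part["index"]))
```

Always mount evidence read-only; the offset= option is what lets mount address a partition inside a whole-disk image rather than needing the image split up.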
Friday, November 5, 2010
VMware vSphere achieves EAL4+ certification
http://virtualization.info/en/news/2010/11/vmware-vsphere-4-0-receives-common-criteria-eal4-certification.html?utm_source=feedburner&utm_medium=feed&utm_campaign=Feed%3A+Virtualization_info+%28virtualization.info%29
Interesting comment at the end of the article on what is not included:
Because the vendor itself specifies the Security Target document, it’s really interesting to know what isn’t included, especially when you want to compare the product with comparable products which are also EAL4+ certified.
For ESX/ESXi, functionalities not included in the Security Target are:
Simple Network Management Protocol (SNMP), File Transfer Protocol (FTP), Telnet
The use of any authentication method on ESX(i) other than the local password database
VMware Software Development Kit (SDK) tools
The procfs interface (used to manage CPU resources) on the ESX host Service Console
VMware Scripting Application Programming Interface (API) on the ESX host.
VMware Consolidated Backup
Guest OS patch updates via Update Manager
By earning this certification VMware stays way ahead of Citrix for which XenServer 5.6. and XenDesktop 4.0 achieved EAL2 certification in September this year.
Four pillars of endpoint security
Interesting article from Microsoft TechNet
http://technet.microsoft.com/en-gb/magazine/gg213837.aspx
Tuesday, October 19, 2010
Java outstrips Adobe

Apparently Java is the new Adobe when it comes to malware attacks on PCs. According to a report by Microsoft, attacks on vulnerable Java installations are now orders of magnitude more frequent than attacks on Adobe products, the previous number one target of malware.
Monday, October 18, 2010
Tuesday, October 12, 2010
Tenable Nessus YouTube Channel
FDCC compliance check
Nessus XML parsing with Awk
http://www.h-i-r.net/2010/10/nessus-xml-parsing-with-awk.html
Contains a link to a script to provide a list of IP's to severity rating, here
Seems to work better than some contractors' output I could mention....
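The linked script does the IP-to-severity mapping in awk; here is an added Python equivalent over the .nessus v2 XML (example code written for this page, not the script linked above). It assumes the standard NessusClientData_v2 layout (ReportHost elements with a name attribute and a host-ip tag, ReportItem elements carrying a numeric severity attribute) and embeds a constructed two-host report rather than a real scan.

```python
import xml.etree.ElementTree as ET
from collections import defaultdict

# Constructed sample in the .nessus v2 layout (NessusClientData_v2 > Report >
# ReportHost > ReportItem); two hosts, five findings, not a real scan.
SAMPLE_NESSUS = """<?xml version="1.0" ?>
<NessusClientData_v2>
 <Report name="demo">
  <ReportHost name="192.168.1.10">
   <HostProperties><tag name="host-ip">192.168.1.10</tag></HostProperties>
   <ReportItem port="445" svc_name="cifs" protocol="tcp" severity="4"
               pluginID="10001" pluginName="SMB critical issue"/>
   <ReportItem port="80" svc_name="www" protocol="tcp" severity="2"
               pluginID="10002" pluginName="Web medium issue"/>
   <ReportItem port="22" svc_name="ssh" protocol="tcp" severity="0"
               pluginID="10003" pluginName="SSH banner"/>
  </ReportHost>
  <ReportHost name="192.168.1.20">
   <HostProperties><tag name="host-ip">192.168.1.20</tag></HostProperties>
   <ReportItem port="21" svc_name="ftp" protocol="tcp" severity="3"
               pluginID="10004" pluginName="FTP high issue"/>
   <ReportItem port="21" svc_name="ftp" protocol="tcp" severity="1"
               pluginID="10005" pluginName="FTP banner"/>
  </ReportHost>
 </Report>
</NessusClientData_v2>
"""

# Nessus severity attribute: 0 Info .. 3 High (4 Critical in later releases).
SEVERITY_NAMES = {0: "Info", 1: "Low", 2: "Medium", 3: "High", 4: "Critical"}


def parse_nessus(xml_text):
    """Return {ip: {severity: count}} for every ReportHost in the file."""
    root = ET.fromstring(xml_text)
    results = {}
    for host in root.iter("ReportHost"):
        ip = host.get("name", "")
        # Prefer the resolved host-ip tag: the name attribute may be a hostname.
        tag = host.find("HostProperties/tag[@name='host-ip']")
        if tag is not None and tag.text:
            ip = tag.text.strip()
        counts = defaultdict(int)
        for item in host.iter("ReportItem"):
            counts[int(item.get("severity", "0"))] += 1
        results[ip] = dict(counts)
    return results


def worst_severity(results):
    """Highest severity seen on each host."""
    return {ip: max(counts) for ip, counts in results.items()}


def report_lines(results, min_severity=1):
    """Tab-separated 'ip  worst  per-severity counts', dropping hosts whose
    worst finding is below min_severity (default: hide info-only hosts)."""
    lines = []
    for ip in sorted(results):
        counts = results[ip]
        worst = max(counts)
        if worst < min_severity:
            continue
        detail = ", ".join(f"{SEVERITY_NAMES.get(s, s)}={counts[s]}"
                           for s in sorted(counts, reverse=True))
        lines.append(f"{ip}\t{SEVERITY_NAMES.get(worst, worst)}\t{detail}")
    return lines


if __name__ == "__main__":
    for line in report_lines(parse_nessus(SAMPLE_NESSUS)):
        print(line)
```

Run it against a real export with parse_nessus(open("scan.nessus").read()); raising min_severity to 3 gives the "what do we fix first" list that the awk version is after.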
Sophos articles on malicious code
1. Want my autograph? The use and abuse of digital signatures by malware
http://www.sophos.com/security/technical-papers/digital_signature_abuse.pdf
Interesting article on the use of stolen certificates in modern malware.
2. Finding Rules for Heuristic Detection of Malicious PDFs: With Analysis of Embedded Exploit Code
http://www.sophos.com/security/technical-papers/malicious_pdfs.pdf
What to look for in malicious PDFs
Highlights of that one:
Heuristic 1: If the PDF contains JavaScript, look more closely
Heuristic 2: If the objects or streams are mismatched (obj without endobj, stream without endstream), look more closely
Heuristic 3: If the Cross-Reference (XRef) Table is invalid, look more closely
Heuristic 4: The presence of the LZWDecode, ASCII85Decode, DCTDecode and Encrypt filters is indicative of clean files
Heuristic 5: Hash (#) encoded tags (e.g. /J#61vaScript for /JavaScript) are indicative of malicious files
These comments appear to be based on the use of Adobe Acrobat Reader as the infection vector. Sumatra PDF reader, which doesn't support Flash or JavaScript, might be an interesting alternative to get away from a lot of these problems.
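As an added example (not from the Sophos paper or the original post), the following Python turns those five heuristics into a crude scoring scanner. It builds its own two sample files: a clean one with a correct xref table and a DCTDecode image, and a constructed malicious-looking one with hash-encoded /J#61vaScript run from an OpenAction, a missing endobj and endstream, and a startxref that points past the end of the file. The scoring weights and helper names are my choice; this is a triage aid, not a detector.

```python
import re

# Filters the Sophos paper found typical of clean files (Heuristic 4).
BENIGN_MARKERS = (b"/LZWDecode", b"/ASCII85Decode", b"/DCTDecode", b"/Encrypt")


def build_pdf(objects):
    """Assemble a minimal PDF with a correct xref table (constructed test data)."""
    out = bytearray(b"%PDF-1.4\n")
    offsets = []
    for num, body in enumerate(objects, start=1):
        offsets.append(len(out))
        out += b"%d 0 obj\n" % num + body + b"\nendobj\n"
    xref_pos = len(out)
    out += b"xref\n0 %d\n0000000000 65535 f \n" % (len(objects) + 1)
    for off in offsets:
        out += b"%010d 00000 n \n" % off
    out += b"trailer\n<< /Size %d /Root 1 0 R >>\nstartxref\n%d\n%%%%EOF\n" % (
        len(objects) + 1, xref_pos)
    return bytes(out)


# Clean sample: catalog, page tree, one page, one DCTDecode (JPEG) image.
CLEAN_PDF = build_pdf([
    b"<< /Type /Catalog /Pages 2 0 R >>",
    b"<< /Type /Pages /Kids [3 0 R] /Count 1 >>",
    b"<< /Type /Page /Parent 2 0 R /Resources << /XObject << /Im1 4 0 R >> >> >>",
    b"<< /Type /XObject /Subtype /Image /Width 1 /Height 1 /Filter /DCTDecode"
    b" /Length 16 >>\nstream\n" + b"\xff\xd8" + b"\x00" * 14 + b"\nendstream",
])

# Malicious-looking sample: hash-encoded /JavaScript run on open, objects 3 and 4
# never closed (no endobj / endstream), startxref pointing past end of file.
EVIL_PDF = (
    b"%PDF-1.4\n"
    b"1 0 obj\n<< /Type /Catalog /Pages 2 0 R /OpenAction 3 0 R >>\nendobj\n"
    b"2 0 obj\n<< /Type /Pages /Kids [] /Count 0 >>\nendobj\n"
    b"3 0 obj\n<< /S /J#61vaScript /JS (app.alert(1)) >>\n"
    b"4 0 obj\n<< /Length 10 >>\nstream\nAAAAAAAAAA\n"
    b"trailer\n<< /Root 1 0 R >>\nstartxref\n999999\n%%EOF\n"
)


def decode_pdf_names(data):
    """Expand #xx escapes so /J#61vaScript is seen as /JavaScript."""
    return re.sub(rb"#([0-9A-Fa-f]{2})", lambda m: bytes([int(m.group(1), 16)]), data)


def count_keyword(data, word):
    """Count a bare keyword; 'obj' must not match inside 'endobj' or 'XObject'."""
    pattern = rb"(?<![A-Za-z])" + re.escape(word) + rb"(?![A-Za-z])"
    return len(re.findall(pattern, data))


def xref_is_valid(data):
    """Heuristic 3: the last startxref must point at an xref table whose entry
    count matches its header, or at a PDF 1.5+ cross-reference stream object."""
    found = re.findall(rb"startxref\s+(\d+)", data)
    if not found:
        return False
    offset = int(found[-1])
    if offset >= len(data):
        return False
    if re.match(rb"\d+\s+\d+\s+obj", data[offset:offset + 32]):
        return True
    end = data.find(b"trailer", offset)
    section = data[offset:end] if end != -1 else data[offset:]
    header = re.match(rb"xref\s+\d+\s+(\d+)", section)
    entries = re.findall(rb"\d{10} \d{5} [nf]", section)
    return header is not None and int(header.group(1)) == len(entries)


def scan_pdf(data):
    """Apply the five heuristics; a higher score means 'look more closely'."""
    decoded = decode_pdf_names(data)
    findings = {
        "javascript": count_keyword(decoded, b"/JavaScript") + count_keyword(decoded, b"/JS") > 0,
        "obj_mismatch": count_keyword(data, b"obj") != count_keyword(data, b"endobj"),
        "stream_mismatch": count_keyword(data, b"stream") != count_keyword(data, b"endstream"),
        "bad_xref": not xref_is_valid(data),
        "hash_names": re.search(rb"/[^\s/<>\[\]()]*#[0-9A-Fa-f]{2}", data) is not None,
        "benign_filters": any(marker in decoded for marker in BENIGN_MARKERS),
    }
    suspicious = ("javascript", "obj_mismatch", "stream_mismatch", "bad_xref", "hash_names")
    score = sum(findings[key] for key in suspicious) - int(findings["benign_filters"])
    return findings, max(score, 0)
```

Note that the JavaScript check runs on the name-decoded bytes, otherwise Heuristic 5's encoding trick would defeat Heuristic 1; and that Heuristic 4 only lowers the score by one, since an attacker can add an innocuous DCTDecode image just as easily as a clean file can.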
Monday, October 11, 2010
Thursday, October 7, 2010
determining and Mounting LUKS based encrypted disk images
Adobe Flash configuration
Geo locating an IP address

Found a site, http://www.infosniper.net, that lets you geolocate a user from their IP address. Other sites do this too, but it gives you the option of Google, Microsoft or Yahoo mapping tools for the display.
Wednesday, October 6, 2010
Article on setting effective consumer IT security policies
- Security threats presented by consumer applications, i.e. webmail, social networking, used by employees on company-owned computers.
- Security threats presented by consumer devices (laptops, smart phones, tablets/slates) owned by employees but used to connect to the corporate network.
- Introduction of malware into the corporate network
- Leakage of company data if consumer device is lost or stolen
- Leakage of company information from inside corporate network from consumer apps, i.e. webmail, social networking, instant messenger
- Mandatory encryption of any company data stored on employee-owned devices.
- Mandatory encryption of communications in transit between employee-owned devices and the company network via VPN, DirectAccess, etc.
- Mobile devices used for business should have the capability of being remotely wiped.
- Health checks of laptops connecting to the corporate network, via Network Access Protection (NAP) or Network Access Control (NAC) to ensure that they meet company standards as to virus protection, firewall, service packs/security updates and so forth.
- Enforced sync parsing/protocol filtering and content filtering (DeviceLock) to control what types of data users can synchronize between their mobile devices and company computers.
- A virtual desktop infrastructure whereby virtualized operating systems and/or applications are delivered to employee-owned laptops for work purposes, allowing the company to control the hosted image and isolate it from the local operating system on the laptop.
- Policies that specify what consumer software can be used on corporate computers (for example, social networking web sites vs. iTunes, multi-player games or personal VoIP accounts such as Skype) and enforcement of those policies with Software Restrictions Policy.
- Use of agent-based security configuration management tools to enforce usage policies.
- Develop a comprehensive usage policy that addresses employee use of social networking
Tuesday, October 5, 2010
How To – Digital Forensic Imaging In VMware ESXi
Wednesday, September 29, 2010
National Cyber Security Awareness Month

Apparently October is National Cyber Security Awareness Month in the USA. They have some good banners and posters that might be of interest and could be used elsewhere.
There also appears to be a selection of Tip sheets that might be worthwhile looking at.
Map Based Passwords
Not entirely sure I think this is a great idea, but map-based passwords have been proposed as an alternative to regular passwords.
Apparently a user memorises a spot on a map, but I can't help feeling that a map of London is going to attract a large number of people choosing the London Eye as their location. This method makes shoulder surfing easier, I would have thought, as a quick glimpse of a map would probably show where a user has chosen, especially if the location is fairly sparse.
Still, beats users writing it down and sticking it on the bottom of the keyboard..........
eEye Digital Security zero day tracker
Link to zero day tracker here
How to tell what version of Ubuntu you are running.
>> cat /etc/issue
Ubuntu 10.04.1 LTS
Thursday, September 23, 2010
Really Really persistent cookies
Extremely persistent browser cookies:
evercookie is a javascript API available that produces extremely persistent cookies in a browser. Its goal is to identify a client even after they've removed standard cookies, Flash cookies (Local Shared Objects or LSOs), and others. evercookie accomplishes this by storing the cookie data in several types of storage mechanisms that are available on the local browser. Additionally, if evercookie has found the user has removed any of the types of cookies in question, it recreates them using each mechanism available.
Specifically, when creating a new cookie, it uses the following storage mechanisms when available:
- Standard HTTP Cookies
- Local Shared Objects (Flash Cookies)
- Storing cookies in RGB values of auto-generated, force-cached PNGs using HTML5 Canvas tag to read pixels (cookies) back out
- Storing cookies in Web History (seriously. see FAQ)
- HTML5 Session Storage
- HTML5 Local Storage
- HTML5 Global Storage
- HTML5 Database Storage via SQLite
And the arms race continues....
Monday, September 20, 2010
Five Irrefutable Laws of Information Security
- Information wants to be free. Once data lands on the endpoint, it’s free. There is a much higher likelihood that data will end up in the wrong hands if it’s on an endpoint. Consequently, be careful about what you allow to be stored on the endpoint. Implement policies that restrict data leakage on endpoints and USB devices.
- Code wants to be wrong. No matter how hard developers and engineers try, code always has flaws and bugs that open up vulnerabilities. Frequent and consistent patching is essential to keep your network protected to the highest degree possible.
- Services want to be on. Employees, partners, and customers all want access to your network. Self-service utilities and applications are no doubt a great resource but they can also be the point of vulnerabilities. Frequently test and probe the security capabilities of these types of applications, and regularly look for vulnerabilities and weaknesses that may be exploited by any external or internal user.
- Users want to click. Whenever users see a button, they click on it! Email-borne viruses and malicious websites are the source of many viruses and breaches to network security. Educating your end users is an ongoing effort. People forget. They get lazy and have to be reminded about the dangers that lurk on the internet.
- Security features want to be bypassed. Sometimes a security feature can be bypassed (even when enabled) depending upon if the state of a laptop is in standby mode, for example. Always review with your IT staff if any security feature can be bypassed by any means.
Friday, September 17, 2010
Friday, September 10, 2010
Online safety sites for families
http://www.microsoft.com/downloads/en/details.aspx?FamilyID=87583728-ef14-4703-a649-0fd34bd19d13&displayLang=en
www.google.co.uk/familysafety
Friday, September 3, 2010
Interesting article
Thursday, September 02, 2010
A False Sense of Security
Posted by Robert Graham at 5:14 PM
This article describing Hurricane Earl shows a woman putting a pattern of duct tape on the window. Does this duct tape really help?
No, of course not. Duct tape does nothing to stop the glass from shattering, and does almost nothing to stop fragments flying around.
What it does give people is a false sense of security. For whatever reason, they’ve decided not to buy hurricane shutters (even though they live in a hurricane zone) and not board up their windows with plywood. But they can’t just do nothing, so they resort to sympathetic magic like taping up windows. At least they are putting something on their windows.
Such ignorance is not just useless, but in some cases, can be harmful. Some people believe they should leave their windows open a crack during a hurricane, in order to equalize pressure. The opposite is true: this makes it more likely that the hurricane will pop your roof off. The reason is that wind traveling over your roof creates low pressure above, and wind entering your house creates high pressure inside. This lifts your roof off, in precisely the same manner it lifts an airplane wing when flying.
There are obvious analogies with cybersecurity. People do things, like install anti-virus, firewalls, or WEP, because “doing something” makes them feel good. But they haven’t thought through the cause-and-effect whether doing such things actually work.
Saturday, August 7, 2010
DNSMadeEasy DDoS
Tuesday, June 15, 2010
Monday, June 7, 2010
Another timeline generator
http://www.learningtools.arts.ubc.ca/timeline.htm
Monday, May 31, 2010
X-Header tool
crunch-server-header
Typical use:
Remove a server header Privoxy has no dedicated action for.
Effect:
Deletes every header sent by the server that contains the string the user supplied as parameter.
Monday, May 17, 2010
.htaccess setup on apache2
Step # 1: Make sure Apache is configured to use .htaccess file
In the <Directory /var/www/> block of the site configuration, AllowOverride must permit authentication directives, otherwise the .htaccess file is silently ignored:
<Directory /var/www/>
Options Indexes Includes FollowSymLinks MultiViews
AllowOverride AuthConfig
Order allow,deny
Allow from all
</Directory>
(Indexes turns on directory listings and Includes turns on server-side includes; drop whichever you don't actually need.)
Save the file and restart Apache
# /etc/init.d/apache2 restart
Step # 2: Create a password file with htpasswd
htpasswd -c password-file username
Create directory outside apache document root, so that only Apache can access password file. The password-file should be placed somewhere not accessible from the web. This is so that people cannot download the password file:
# mkdir -p /home/secure/
Add a new user called remote (-c creates the file; leave -c off when adding further users, or the existing file is overwritten)
# htpasswd -c /home/secure/apasswords remote
Now let the Apache user www-data read the password file without being able to write it (root owns it, group gets read only):
# chown root:www-data /home/secure/apasswords
# chmod 0640 /home/secure/apasswords
Create .htaccess file using text editor:
# cd /var/www/
# vi .htaccess
Add following text:
AuthType Basic
AuthName "Restricted Access"
AuthUserFile /home/secure/apasswords
Require user remote
Save file and exit to shell prompt.
Step # 3: Test your configuration
Open your browser at http://ip-address/
When prompted for a username and password, supply the username remote and the password you set.
Troubleshooting
If the password is not accepted, or to troubleshoot other authentication problems, watch the Apache access and error logs:
# tail -f /var/log/apache2/access.log
# tail -f /var/log/apache2/error.log
Sunday, May 16, 2010
Timeline tool
http://simile.mit.edu/wiki/Timeline
as I always have trouble tracking it down
UPDATE
Now moved to http://www.simile-widgets.org/
Example of the sort of things it can do
http://www.simile-widgets.org/timeline/examples/jfk/jfk.html
Tuesday, May 4, 2010
Threat Modelling Process
* Define the application requirements:
o Identify business objectives
o Identify user roles that will interact with the application
o Identify the data the application will manipulate
o Identify the use cases for operating on that data that the application will facilitate
* Model the application architecture
o Model the components of the application
o Model the service roles that the components will act under
o Model any external dependencies
o Model the calls from roles, to components and eventually to the data store for each use case as identified above
* Identify any threats to the confidentiality, availability and integrity of the data and the application based on the data access control matrix that your application should be enforcing
* Assign risk values and determine the risk responses
* Determine the countermeasures to implement based on your chosen risk responses
* Continually update the threat model based on the emerging security landscape.
Sunday, May 2, 2010
Protecting Against Password Reset Attacks
from Security Bloggers Network by Randy Abrams
As I previously blogged today, the hacker who broke into Sarah Palin's Yahoo account was convicted on two charges. The way that David Kernell gained access to Palin's email account was by trying to log into her account, saying "I forgot my password" and then he correctly answered the password reset questions. Some of the questions had answers that were public information and others were easily guessed.
When you have to choose a password reset question, always use the wrong answer. There is typically only one correct answer to the questions and often times the answer is known by others. There are an infinite number of wrong answers so it is extremely difficult for an attacker to correctly answer the reset questions if you use the wrong answer.
Now, here's the tricky part... How do YOU remember the wrong answers? You can write them down. You can use tricks such as a theme. For example, if you like Star Wars, then perhaps your first car was the Millennium Falcon. Your first pet was a wookie. For me, I use the comment field in Password Corral.
The password reset attack is a fairly easy attack, but fortunately the defense is also quite easy too!
Saturday, April 24, 2010
Friday, April 23, 2010
Block, Quarantine or Delete?
McAfee fix and the dangers of virus handling
from Security Bloggers Network by Chester Wisniewski, Sophos
In the security world the news has been dominated for the last 48 hours with tales of woe regarding the false-positive some McAfee customers encountered with svchost.exe. McAfee customers who have run into the problem can find detailed advice on fixing the issue in McAfee KB68780.
Our emotions regarding malware often lead us astray. Instinctively we want to delete or quarantine malware. McAfee's situation shows why this is a bad idea. According to their KB article if your system experienced this issue your copy of C:\Windows\System32\svchost.exe has either been quarantined or deleted.
When I was in the Sales Engineering department here at Sophos it seemed to be a full-time job explaining to prospects why it was a bad idea to delete or quarantine viruses and other malware. Why on earth would I want a known malicious file to remain on my PC?
Upon the discovery of malicious code, anti-virus solutions are unable to determine with 100% confidence whether the file in question is required to boot, or required for the regular operation of your PC. As a safety precaution it is best to prevent access to the identified file, but leave it in place and by no means delete it. Viruses often infect critical drivers and other key components of the operating system. If you delete these files upon detection (or even move them) you create a much more difficult recovery process.
Fortunately in this case, McAfee customers are able to boot into Safe Mode and take the actions necessary to restore the computer to a fully working state. There is still a lot of manual work involved, but it does not require you to boot a live CD or USB stick to save the system. In cases where more important files have been moved it can be difficult if not impossible to fix once the files have been tampered with.
My Point? For everyday computers in your workplace the best practice is to attempt to cleanup viruses, but not move them to a central area or delete them permanently. For extremely risk-averse environments and mission critical systems you may wish to be more conservative and simply block access to the file and require a human to take action before making system modifications.
The good news is that false positives are few and far between. Recovery is difficult enough, don't complicate it more than necessary.
Take it from an expert - don't transport malware around your computer/network, clean it up in place, and do your best to do no harm.
Friday, April 16, 2010
Sophos 'threatasaurus' pdf
Insider threat
http://www.darkreading.com/shared/printableArticle.jhtml?articleID=224200365
Insiders Not The Real Database Threat
http://www.darkreading.com/blog/archives/2010/03/database_inside.html?print=true
Converting epoch time
perl -e 'print scalar(localtime(1226424300)), "\n"'
Wed Nov 12 01:25:00 2008
Convert from standard date/time to epoch time. Watch the argument order (sec, min, hour, day, month, year) and that the month is zero-based (January = 0), so the reverse of the conversion above, 12 November 2008 01:25:00, is month 10 not 11:
perl -e 'use Time::Local; print timelocal(0,25,1,12,10,2008), "\n";'
1226424300
Both localtime and timelocal use the machine's local timezone; for UTC timestamps (most log and filesystem evidence) use gmtime and timegm instead.
nessus update
The list below outlines the changes included in the 4.2.2 release:
- nessus-fetch binary:
- Proxy authentication now works on Windows
- Proxy authentication (NTLM) with a username and domain now works
- In some cases, the last nessus-fetch.rc statement might be ignored
Wednesday, April 14, 2010
Friday, April 9, 2010
Interesting password generating web page
http://code.google.com/p/hype-free/source/browse/trunk/js_password_generator.html
Friday, April 2, 2010
VMWare security appliance
http://www.hytrust.com/
Thursday, April 1, 2010
Cisco ASA/PIX firewall rule checker
http://runplaybook.com/p/11
Tuesday, March 30, 2010
Vulnerability testing process template
Sunday, March 21, 2010
Interesting take on Mac vs PC argument
If you follow Information Security at all or have been part of a PC vs. Mac discussion at any level, you’ve probably come across the timeless question of:
What’s more secure, Mac or PC?
Well, there’s an analogy from renowned security researcher Charlie Miller that elegantly captures the answer in a single sentence:
Mac OS X is like living in a farmhouse in the country with no locks, and Windows is living in a house with bars on the windows in the bad part of town.
In short, having a secure operating system and being safe are two different things. Exposure matters. So even though Windows is technically more secure, people using it are still less safe than if they were to use OS X.
Thursday, March 18, 2010
Wednesday, March 17, 2010
Tuesday, March 16, 2010
Seamless mode in virtualbox
Interesting article on makeuseof.com called
VirtualBox’s Seamless Mode: Combine Two Operating Systems Into One Desktop
Seems like an interesting way to protect a Windows box from the Internet if you browsed via a copy of Firefox in Linux.
Interesting Nessus article
Interesting article on the benefits of using credentials when doing a Nessus scan. If only everybody read it........
Friday, March 12, 2010
Wednesday, February 24, 2010
Bootable IronKey Device
IronKey have produced a new device that is bootable and can run a virtualised desktop.
IronKey have joined up with BeCrypt to provide a Trusted Client.
Tuesday, February 23, 2010
PKI CPS AND CS Paper
Practice Statements paper from Entrust
www.entrust.com/resources/pdf/cps.pdf
Sunday, February 21, 2010
PCI Standards doc
https://www.pcisecuritystandards.org/pdfs/pci_audit_procedures_v1-1.pdf
https://www.pcisecuritystandards.org/security_standards/download.html?id=pci_dss_v1-2.pdf
Friday, February 19, 2010
PDF exploits 80% of all Web-encountered exploits by the end of 2009
Highlights of the ScanSafe report:
45% of all Web malware encounters in 2009 were with exploits and iframes indicative of compromised websites;
Malicious PDF files comprised 56% of Web-encountered exploits in 1Q09, growing to 80% of all exploits by 4Q09; Flash exploits encountered via the Web dropped from 40% in 1Q09 to 18% in 4Q09;
Web-encountered exploits in Word and Excel comprised less than 1% of all detected exploits for the year;
Malicious image files comprised 10% of all Web malware encountered in 2009;
Thursday, February 18, 2010
Setting up subscriptions for event log forwarding
Syslog-type functionality for forwarding Windows events from multiple machines to one Windows box, without third-party software.
http://www.windowsecurity.com/articles/Video_Setting_up_Subscriptions_Event_Log_Forwarding.html
Tuesday, February 16, 2010
Copy a virtualbox vdi file
c:\Program Files\Sun\VirtualBox\VBoxManage.exe clonevdi original_file.vdi clone_file.vdi
Sunday, February 14, 2010
VMWare directory traversal vulnerability
http://www.skullsecurity.org/blog/?p=436
Perl script
http://fyrmassociates.com/tools/gueststealer-v1.pl
Microsoft Exchange 2007 Audit Articles
Audit part 1
Audit part 2
Tuesday, February 9, 2010
Windows Offline Updater returns
http://grandstreamdreams.blogspot.com/2007/10/heise-offline-update-40-now-serving.html
Sunday, February 7, 2010
USB History for Windows and Linux systems
http://blog.commandlinekungfu.com/2010/01/episode-77-usb-history.html
Sans Forensic Summit in London
The 2010 European Community Digital Forensics and Incident Response Summit
- Dates:
- Pre-Summit Course Dates: April 14 - 18, 2010
- Summit Dates: April 19 - 20, 2010
- Summit Venue:
- London, UK
Thursday, February 4, 2010
Building OpenVPN on a VPS
http://samj.net/2010/01/howto-set-up-openvpn-in-vps.html
http://forums.ramhost.org/bbs/viewtopic.php?pid=4
Installing BackTrack
http://www.infosecramblings.com/backtrack/backtrack-4-usbpersistent-changesnessus/
See also Hak5 video of today 04/02/10
Monday, January 25, 2010
Transparent proxy on dd-wrt
edit /tmp/.rc_firewall
iptables -t nat -A PREROUTING -s
iptables -t nat -A PREROUTING -s
Sunday, January 24, 2010
Tuesday, January 19, 2010
Microsoft issues "Quick Security References" Guides
http://www.microsoft.com/downloads/details.aspx?FamilyID=79042476-951f-48d0-8ebb-89f26cf8979d&displaylang=en
Wednesday, January 13, 2010
Sunday, January 10, 2010
'God' Mode in Windows 7
God Mode in Windows 7
A little trick lets you open a hidden control panel in Windows 7 with hundreds of settings grouped by category in one convenient place.
You will get it in seconds. Just create a new folder in any place on your hard drive with any name, then rename it to:
GodMode.{ED7BA470-8E54-465E-825C-99712043E01C}
Note the new icon appears on this folder. Now, when you open it, you get a long list of more than 280 system settings.
Secure, or not, USB drives
Client Side Input Validation is Evil
I said it before, and will say it again: All users are evil. Case in point: The recent secure USB key vulnerability.
These USB keys encrypt data stored on the USB key. Great idea! So now, if you lose the key, you no longer have to worry about your top secret image collection getting viewed by minors.
What was the flaw in the implementation? In order to unlock the device, you have to enter your password into software installed on your laptop / desktop. You would expect the software hashes or encrypts the password, sends it to the device, the device uses the hash to decrypt the files stored on the device. WRONG.
In this case, the client software validates the password by encrypting a specific block of data on the drive. Sadly, this block doesn't change. So these researchers replaced the software with their own tool that just sends this fixed block of data back to the device (they actually just patched the existing software in memory to bypass the password check). To add insult to injury, this scheme was certified as FIPS-140-2 compliant. The FIPS-140 standard is used by the US federal government to certify encryption devices and FIPS-140-2 compliant USB sticks may be used in some government systems that prohibit regular USB devices. Many companies implement similar policies.
As a web developer, this reminded me of input validation using JavaScript on the client. It is nice for user convenience, but should never be used in lieu of server side input validation. Or using a simple "admin=Y" cookie to identify a user as administrator. Did I mention all users are evil and out to get you?
The original announcement about the USB issue can be found here: http://www.syss.de/fileadmin/ressources/040_veroeffentlichungen/dokumente/SySS_knackt_Kingston_USB-Stick.pdf
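To make the flaw concrete, here is an added Python model (my illustration, not the SySS analysis or any vendor's code) of the two designs side by side: the broken one, where the host software checks the password and then sends the device a fixed unlock block that is identical on every unit, and a hardened one where the device itself derives a key from the password with PBKDF2 and only unwraps the data key after a constant-time verifier check, with a lockout counter so a patched host cannot simply brute-force it. Class and constant names are invented for the example.

```python
import hashlib
import hmac
import os

# Same on every unit: the "secret" a patched host simply replays.
FIXED_UNLOCK_BLOCK = bytes.fromhex("deadbeef" * 4)


def password_hash(password):
    """What the vulnerable host software stores and compares (host side only)."""
    return hashlib.sha256(password).digest()


class VulnerableDevice:
    """Device that trusts the host: whoever presents the fixed block gets the key."""

    def __init__(self, data_key):
        self._data_key = data_key

    def unlock(self, block):
        return self._data_key if block == FIXED_UNLOCK_BLOCK else None


def vulnerable_host_unlock(device, password, stored_password_hash):
    """Vendor-style host software: the only password check lives here."""
    if password_hash(password) != stored_password_hash:
        return None
    return device.unlock(FIXED_UNLOCK_BLOCK)


def attacker_unlock(device):
    """Patched host (or a replacement tool): skip the check, replay the block."""
    return device.unlock(FIXED_UNLOCK_BLOCK)


class HardenedDevice:
    """Device that checks the password itself and has no fixed unlock value."""

    ITERATIONS = 100_000

    def __init__(self, password, data_key, max_attempts=10):
        if len(data_key) != 32:
            raise ValueError("data key must be 32 bytes")
        self._salt = os.urandom(16)
        kek, verifier = self._derive(password)
        self._verifier = verifier  # only a derived value is stored, never the password
        # Data key wrapped under the 32-byte KEK (one-time XOR, KEK used once).
        self._wrapped = bytes(a ^ b for a, b in zip(kek, data_key))
        self._max_attempts = max_attempts
        self._failures = 0
        self.locked = False

    def _derive(self, password):
        material = hashlib.pbkdf2_hmac("sha256", password, self._salt,
                                       self.ITERATIONS, dklen=64)
        return material[:32], material[32:]

    def unlock(self, password):
        """Verify on the device; replaying any fixed block is just a wrong password."""
        if self.locked:
            return None
        kek, verifier = self._derive(password)
        if not hmac.compare_digest(verifier, self._verifier):
            self._failures += 1
            if self._failures >= self._max_attempts:
                self.locked = True  # real hardware would also erase the wrapped key
            return None
        self._failures = 0
        return bytes(a ^ b for a, b in zip(kek, self._wrapped))


if __name__ == "__main__":
    key = os.urandom(32)
    print("attacker gets key from vulnerable device:",
          attacker_unlock(VulnerableDevice(key)) == key)
    print("attacker gets key from hardened device:",
          HardenedDevice(b"hunter2", key).unlock(FIXED_UNLOCK_BLOCK) == key)
```

The point is where the trust boundary sits: in the first design the device accepts a value the attacker can read out of the host software, so the password check is decorative; in the second the device never hands out anything a host can replay, and the lockout is enforced by the thing being attacked rather than by the thing the attacker controls.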