Bookmarks for December 26th through January 15th

These are my links for December 26th through January 15th:

  • Investigating Breaches
  • Social Engineering: The Basics – What is social engineering? What are the most common and most current tactics? And how can your organization prevent these scams? A guide on how to stop social engineering.
  • Jeremiah Grossman: Top Ten Web Hacking Techniques of 2009 (Official) – Every year the Web security community produces dozens of new hacking techniques documented in white papers, blog posts, magazine articles, mailing list emails, etc. Not to be confused with individual vulnerability instances brandishing CVE numbers, nor intrusions / incidents, but actual new methods of Web attack. Some techniques target websites, others Web browsers, and the rest somewhere in between. Historically much of this research would unfortunately end up in obscure corners of the Web and become long forgotten. Now in its fourth year, the Top Ten Web Hacking Techniques list provides a centralized repository for this knowledge and recognizes researchers contributing to the advancement of our industry. 2009 produced ~80 new attack techniques.
  • Various Online Password Crackers | carnal0wnage.attackresearch.com
  • Guerilla Security Leadership – fudsec.com
  • Jack Mannino: Not Educating Your Clients? FAIL – How many of you that have brought in external consultants for some type of security engagement felt like you paid a lot of money for something you really didn't understand? Or better yet, how many of you have brought them in and felt like after they left you had less of an understanding of your environment and what your true risks were? It seems as though it's becoming standard practice for a lot of groups to test for a few days (or simply run automated tools), crank out a templated report, and give a short presentation at the end of an engagement without detailed guidance for making the world a better place. Is there any value in this? Maybe, but for what you've likely paid, not NEARLY enough.
  • Blog :: by Wade Woolwine » Blog Archive » Thoughts on an AppSec program – The Team – Start of a multi-part series on developing an AppSec program
  • Jeremiah Grossman: Overcoming Objections to an Application Security Program – Today a large percentage of security professionals truly “get” application security. They understand the importance, the best-practices, the value, etc. What inhibits their success the most in building an effective application security program is a lack of buy-in from the business and support from development groups. Justifying the investment remains extremely challenging and many security professionals tend to encounter the same objections.
  • The Basic Laws of Human Stupidity

Bookmarks for November 3rd through December 16th

These are my links for November 3rd through December 16th:

Bookmarks for September 4th through November 3rd

These are my links for September 4th through November 3rd:

  • [Positive Technologies] Research Lab: Another fine method to exploit SQL Injection and bypass WAF – A method that I discovered today in MySQL documentation struck me with its simplicity and the fact that I haven’t noticed it before. Let me describe this method of bypassing WAF.
  • Cyber Security Awareness Month 2009 – Summary and Links – As requested by many readers, below are links to all 31 of the diaries that we wrote for Cyber Security Awareness Month 2009. In 2007 we covered a large range of subjects based on what our readers submitted as ideas. In 2008 we took a closer look at the six steps of incident handling. This year we examined 31 different ports/services/protocols/applications and discussed some of the major security issues. Many readers submitted comments, tips, and tricks for securing them. If you have additional comments on any of these diaries feel free to add them directly to the bottom of the diary (you have to log in first) or if you want to remain anonymous you can send them to us via our contact form.
  • Psychology and Security Resource Page
  • Syn: Bob's Double Penetration Adventure – Part 1 – A couple of days ago a mate at work asked about the security issues surrounding computers that are connected to the company network and also to the Internet via a wifi connection. This question was perfect fodder for a Bob story, I thought. So the story goes…
  • VRT: How does malware know the difference between the virtual world and the real world?
  • Grep auth log and print ip of attackers | commandlinefu.com
  • DNSpenTest – DNSpenTest will be a suite of pentest tools for the DNS system. In the near future you will find a set of tools like: a fake DNS server, a DNS packet forger, etc…
  • Automating Nessus Scans with AutoNessus Tutorial – AutoNessus automates regular vulnerability scans with Nessus or OpenVAS and provides delta reporting. AutoNessus effectively reduces the analysis time for subsequent scans of the same infrastructure by only reporting delta findings. AutoNessus runs Nessus scans at regular intervals and compares the findings of the last scan with the findings of the previous scan. The delta of this scan is presented in a web GUI where findings can be easily marked as either real findings or non-issues. Non-issues get ignored until they change. This causes a dramatic reduction of the analysis time.
  • MalTrap – MalTrap is a research utility that monitors malware behavior by intercepting API calls and logging results. MalTrap can also be used in other reversing contexts.

Bookmarks for August 12th through September 3rd

These are my links for August 12th through September 3rd:

  • System Advancements at the Monastery » Blog Archive » Learning By Doing: Challenges, Data Sets, and Practice Sites – Security training is very important for any organization. When developing a training program, do not forget about the security staff. I am all for sending people to SANS and other company’s security courses. Once your people come back, how will they practice what they have learned? Hopefully, everyday at work does not involve tracking inventive hackers through your network. Hands-on security is the best way to develop skills and stay sharp. This is where security challenges, practice sites, and examining attack data can be fun and of great benefit. It all provides an opportunity to test one’s knowledge along with the security tools used for discovering vulnerabilities and defending your organization.
  • Network Pentest Lab « Security Aegis – We used an existing set of hack challenge ISO’s, sandbox VM’s, vulnerable software, and vulnerable OS’s to create a 6 target lab that can be expanded upon.
  • Pentest Labs: Web Application Edition « Security Aegis – Over the last week, we busted out our red plastic shovel and our bucket shaped like a castle to dig a little bit deeper into our sandbox. Recently, we addressed the flexibility and overall necessity of a virtual lab for network pentesting, practice, and testing.
  • Dump Windows Event Logs To CSV Text Files (VBScript) – This DumpEventLog.vbs script hopefully is better or at least sucks less; its features are:
    Writes output to well-formed CSV text file (one line per log entry, crazy Microsoft formatting cleaned out).
  • Step-By-Step: Turning a Windows 7 DVD or ISO into a Bootable VHD Virtual Machine
  • How To Disable USB Ports To Prevent Malware Infection – There are plenty of ways to disable USB ports and you don’t need any special software.
  • http://www.stoned-vienna.com/ – Stoned Bootkit is a new Windows bootkit which attacks all Windows versions from XP up to 7. It is loaded before Windows starts and is memory resident up to the Windows kernel. Thus Stoned gains access to the entire system. It has exciting features like integrated file system drivers, automatic Windows pwning, plugins, boot applications and much much more. The project is partly published as open source under the European Union Public License. Like in 1987, "Your PC is now Stoned! ..again".
  • Run Internet Explorer 6 (or IE7, or IE8) images in VMware Fusion on Mac OS X – Ryan Parman – Because of that, we need to go the long way. We’ll download the “officially sanctioned” VirtualPC images containing a time-limited version of Windows XP SP3 and Internet Explorer 6.0, and then we’ll convert these images to the kind that work with VMware Fusion (which works on Mac OS X). This should only need to be done every 3 or 4 months when the images expire.
  • Wordpress to Syslog – WPsyslog2 is a global log plugin for Wordpress. It keeps track of all system events and logs them to syslog. It tracks events such as new posts, new profiles, new users, failed logins, logins, logouts, etc.
  • InfoSec Zen » USB Keys & Metasploit for fun and profit – This article describes a combination of techniques to achieve a USB key that operates silently & remotely so that key recovery is not required to know who inserted the key or to gather data from their system

Would you pay for IT Freedom in the workplace?

I ran into this article this weekend, “Unchain the Office Computers! – Why corporate IT should let us browse any way we want.” by Farhad Manjoo.  My reaction went from “Yeah right, this guy is nuts” to “maybe there is some merit” to somewhere in between.

The article starts off talking about the somewhat hilarious answer a State Department worker received when asking why they were unable to use Firefox on their work computers.  Being an IT Professional, I can understand the answer.  Every additional program installed is another one to install, patch, and support.  I am also unsure if there is a good way to block plugin installs, which could be a major issue.  So the expense of Firefox comes in other ways which might not be understandable to the end user.

I think that the author does have some basic misconceptions of technology.  He states that he cannot forward his mail to Gmail but others are allowed to forward to a Blackberry or iPhone.  What he is misunderstanding is that the problem is where the mail resides and who can have access to it.  Typically Blackberrys and iPhones still keep mail on the organization’s server, compared to Gmail, where who really knows where it goes, or how long it is actually kept.  The thing that amazes me is that this person seems quite alright trusting Google, but seems to have an inherent problem with his IT organization.  I guess it is because Google is that big ol’ free cloud that does everything right.

Where I do agree is that IT Professionals can be closed-minded and power hungry.  Our policy was that if a user could show a business use, we would try our best to accommodate the end user.  (Keep in mind I work in academia!)  However, I have seen others in the same organization who would still rather run Windows 98, Eudora, and Netscape and won’t budge.  I think where Farhad goes wrong is asking for unfettered access to their computers.

I wish he would spend one week in an IT Support person’s shoes.  While in IT support, I received requests for anything from coupon printers, to WeatherBug, to even Bonzi Buddy.  What Farhad does not think about is that 6 months from now, when some computers are overflowing with spyware, adware, etc., the user will state that their computer is slow.  This is additional work for support to rectify, and it is easily prevented with some of these rules (running with least privilege).  I guess you can put it into the category of one bad apple spoils the bunch.  I am sure that there are users that can take care of their computers just fine.  That launches right into my next point.

I stepped into a conversation on Twitter between Michael Santarcangelo (The Security Catalyst) and Ax0n discussing this article.  Michael wrote:

accountability requires pre-agreement (albeit implied)… without that and the ability to achieve, can accountability exist?

Then it came to me.  I remember from Michael’s book Into the Breach (really a book every IT Professional should read) that he talks about how people will not realize their security gaffes until they are held accountable.  So I wonder this: would you accept unfettered access to your desktop in exchange for accountability?  Would you be willing to be docked pay for downtime, fined for breaches/compromises, or even fired for these offenses?  A put-your-money-where-your-mouth-is kinda deal.  I wonder how many people would step up.  Would you?  I have seen compromises from ad malware just from surfing to common sites such as Fox News or Yahoo.  Is having your IT freedom worth it?

I think it gets down to another point from Into the Breach: users just want to get their work done.  Michael said it right: “We need more dialogue, which means we need to listen, learn and act…together.”

Edit: Michael brought up a great point.  Not only should there be negative consequences, but positive rewards as well.  Great idea!  Almost a new way of thinking.  Hold people accountable, reward them when they do well, and people could actually want to learn how to be secure!

Bookmarks for June 24th through August 11th

These are my links for June 24th through August 11th:

  • How to Build Your Own Digital Forensics Lab, Cheap
  • Pentest Labs: Web Application Edition « Security Aegis – Today, we plan to expand upon that to encompass Web App. Our setup includes 7 target sites hosted on 4 VM’s. It’s important to note, that we only showcase the tip of the iceberg. The possibility of expansion is limited only by your imagination.
  • What is PII? How About Groups Of Otherwise Non-PII? - Realtime IT Compliance – A topic that is important and interesting to think about is how non-PII items, when combined with certain other non-PII items, can actually become PII. In other words, aggregating non-PII to form PII. In case that sounds fuzzy, think about it, very simplistically, this way..
  • HowTos/OS Protection – CentOS Wiki – Locking down CentOS
  • Technitium MAC Address Changer v5 Release 3 (FREEWARE) – Technitium MAC Address Changer allows you to change the Media Access Control (MAC) Address of your Network Interface Card (NIC) irrespective of your NIC manufacturer or its driver. It has a very simple user interface and provides ample information regarding each NIC in the machine. Every NIC has a MAC address hard coded in its circuit by the manufacturer. This hard coded MAC address is used by Windows drivers to access the Ethernet Network (LAN). This tool can set a new MAC address on your NIC, bypassing the original hard coded MAC address. Technitium MAC Address Changer is a must-have tool in every security professional’s tool box. Technitium MAC Address Changer is coded in Visual Basic 6.0.
  • Watcher: Web security testing tool with OWASP and PCI compliance auditing – Home – Watcher is a runtime passive-analysis tool for HTTP-based Web applications. It detects Web-application security issues as well as operational configuration issues. Watcher provides pen-testers hot-spot detection for vulnerabilities, developers quick sanity checks, and auditors PCI compliance auditing. It looks for issues related to mashups, user-controlled payloads (potential XSS), cookies, comments, HTTP headers, SSL, Flash, Silverlight, referrer leaks, information disclosure, Unicode, and more.
  • Roothack.org
  • User Account Control: Inside Windows 7 User Account Control
  • http://www.infsec.cs.uni-sb.de/projects/printer-acoustic/#Scientific_Publication – We have successfully mounted the attack in-field in a doctor's practice and recovered the content of a medical prescription. (For privacy reasons, we asked for permission upfront and let the secretary print fresh prescriptions of an artificial client.) The attack was conducted under realistic – and arguably even pessimistic – circumstances: during rush hour, with many people chatting in the waiting room.
  • Penetration Testing and Vulnerability Analysis – Home – This is the course website for Penetration Testing and Vulnerability Analysis currently taught at the Polytechnic Institute of New York University. The course aims to introduce techniques and skills for identifying, analyzing, and exploiting software vulnerabilities.

Bookmarks for June 5th through June 22nd

These are my links for June 5th through June 22nd:

  • Security Onion – The Security Onion LiveCD is a bootable CD that contains software used for installing, configuring, and testing Intrusion Detection Systems.
  • YouTube – Episode 4: Visualization of Crime – In the fourth episode of Team Cymru's 'The Who and Why Show', Marcel van den Berg takes us through a few animations charting our unique global insight into the Underground Economy.
  • Social Engineering: 5 Security Holes at the Office (Includes Video) – CSO Online – Security and Risk – We poked around a secure building with social engineering expert Chris Nickerson and found several ways a criminal could get inside and access sensitive data
  • Pretty-Bad-Proxy: An Overlooked Adversary in Browsers’ HTTPS Deployments – Microsoft Research – HTTPS is designed to provide secure web communications over insecure networks. The protocol itself has been rigorously designed and evaluated by assuming the network as an adversary. This paper is motivated by our curiosity about whether such an adversary has been carefully examined when HTTPS is integrated into the browser/web systems. We focus on a specific adversary named “Pretty-Bad-Proxy” (PBP). PBP is a malicious proxy targeting browsers’ rendering modules above the HTTP/HTTPS layer. It attempts to break the end-to-end security guarantees of HTTPS without breaking any cryptographic scheme. We discovered a set of vulnerabilities exploitable by a PBP: in many realistic network environments where attackers can sniff the browser traffic, they can steal sensitive data from an HTTPS server, fake an HTTPS page and impersonate an authenticated user to access an HTTPS server. These vulnerabilities reflect the neglects in the design of modern browsers – they affect all major browsers…
  • SandCat | PenTestIT – SandCat has two versions – free & pro. Both these versions are programmed with the Open Web Application Security Project (OWASP) and the SANS Institute vulnerabilities in mind. You can also scan for the latest buzz word in the security market: WebDav with this tool. Basically, SandCat is a remote web application security assessment scanner. You can scan for almost all web application flaws. Sandcat remotely injects data in the web applications and analyzes the application response. This helps it to determine if the application code is vulnerable to specific attacks such as SQL Injection, XSS, and many other web application vulnerability flaws.
  • Greg Miller’s Guide to Lock Picking for Beginners
  • The Ultimate Lock Picker Hacks Pentagon, Beats Corporate Security for Fun and Profit – Tobias is laughing. And laughing. The effect is disconcerting. It's a bwa-ha-ha kind of evil mastermind laugh—appropriate if you've just sacked Constantinople, checkmated Deep Blue, or handed Superman a Dixie cup of kryptonite Kool-Aid, but downright scary in a midtown Manhattan restaurant during the early-bird special.
  • Security Musings » Blog Archive » How does SSL work anyway? – We talk a lot about how SSL is useful, but how exactly does it work? Most systems today use SSL v3/TLS v1 rather than “SSL”, and the nitty gritty details are found in RFC 2246.
  • MIR-ROR – Home – MIR-ROR: Motile Incident Response – Respond Objectively, Remediate. MIR-ROR is a command-line script specialized for security incident response that calls specific Windows Sysinternals tools, as well as some other useful tools, to provide live capture data for investigation.

    You can easily enhance MIR-ROR to your liking with whatever command line tools you find useful.
    As an incident response resource, we’ve found it indispensable.
    Windows Sysinternals licensing prevents us from bundling the tools in a distribution package; you’ll have to retrieve them.

  • Nine out of ten work PCs fail on basic security | Graham Cluley’s blog – Ninety percent of corporate PCs are a security risk because they are not fully patched, or do not have basic security such as anti-virus software and firewalls properly installed.

Bookmarks for May 15th through June 3rd

These are my links for May 15th through June 3rd:

  • 10 Essential Firefox Plugins for the Infosec Professional | dmiessler.com
  • Free: USAF-Hardened Windows Build (…well kinda…)
  • r00tkit Analysis: What Is A Rootkit
  • The CFReDS Project – NIST is developing Computer Forensic Reference Data Sets (CFReDS) for digital evidence. These reference data sets (CFReDS) provide to an investigator documented sets of simulated digital evidence for examination. Since CFReDS would have documented contents, such as target search strings seeded in known locations of CFReDS, investigators could compare the results of searches for the target strings with the known placement of the strings. Investigators could use CFReDS in several ways including validating the software tools used in their investigations, equipment check out, training investigators, and proficiency testing of investigators as part of laboratory accreditation. The CFReDS site is a repository of images. Some images are produced by NIST, often from the CFTT (tool testing) project, and some are contributed by other organizations. National Institute of Justice funded this work in part through an interagency agreement with the NIST Office of Law Enforcement Standards.
  • Test the strength of your password policy | Security Central – InfoWorld – Roger Grimes presents a useful tool for figuring out how susceptible your network might be to a password-cracking attack
  • Registry Structure – This web page contains the full report of this MSc project complete with the source code to all the programs and utilities that were produced. It is reproduced and made available here in support of the Computer Forensic community in particular and of knowledge in general.
  • DIY CISS Degree: 100 Open Courses on Computer Information Systems and Security | Computer Colleges – Whether you’ve been accepted to a degree program and want to work ahead, already have a degree and want to learn more or just want to delve into the world of computer and information systems, you’ll find plenty to keep you busy through a variety of open courseware offerings. From courses that teach the basics of computer science to those that delve into specialty areas, you’re sure to find something that will help you learn more and gain confidence in the field.
  • :: Bonsai Information Security – moth :: – Moth is a VMware image with a set of vulnerable Web Applications and scripts, that you may use for:

    1. Testing Web Application Security Scanners
    2. Testing Static Code Analysis tools (SCA)
    3. Giving an introductory course to Web Application Security

  • 8 Tools to Find Someone Online – Stepcase Lifehack – Finding a way to contact someone has gotten a lot easier: just type their name into Google and follow a few links. For many people, you’ll quickly find a profile on Facebook, a blog or even an email address you can use to get in touch. But a Google search doesn’t turn up good results for everyone. Maybe the person you’re trying to reach has a fairly common name. You may need a tool a little better than a simple Google search to find him.
  • SANS Institute – Network, Security, Computer, Audit Information & Training – Interested and want to learn more? Try one of the four free SANS mini courses. These mini courses are designed to take 20-30 minutes to complete. They will introduce you to this learning environment and teach you something that you can apply immediately to make your network more secure. Simply click on the free mini course below that interests you.

Bookmarks for May 1st through May 14th

These are my links for May 1st through May 14th:

Windows 7 and XP Mode (XPM)

An interesting thought came to mind while reading the Windows Incident Response blog yesterday. A link provided by Claus brings up an interesting concept, XPM.  Windows XP Mode (XPM) is a “Virtual PC-based virtual environment and a fully licensed copy of Windows XP with Service Pack 3 (SP3). It will be made available, for free, to users of Windows 7 Professional, Enterprise, and Ultimate editions via a download from the Microsoft web site.”  Sounds cool, but what happens with the security patches that come out after SP3?  With so many people who don’t bother to patch their systems, would this just create a bigger problem, with 2 possibly unpatched operating systems available as a target to exploit?  There seem to be some kinks that need to be worked out on the security end, as I have not heard any talk of how this will be patched and what will happen once XP is no longer supported.  I will be curious to see how this pans out in the near future.

EDIT: Some more interesting news has been coming out about XPM (via Slashdot):

Microsoft, Intel goof up Windows 7’s “XP Mode”

Windows 7’s ‘XP mode’: Right idea, wrong technology

Windows 7’s ‘XP Mode’: A Great Idea, on Paper