Bookmarks for March 14th through March 18th

March 18th, 2010, by admin

These are my links for March 14th through March 18th:

  • Category:OWASP Vicnum Project – OWASP – A flexible web app showing vulnerabilities such as cross-site scripting, SQL injection, and session management issues. Helpful to IT auditors honing web security skills and setting up 'capture the flag'.
  • Download details: Microsoft Deployment Toolkit 2010 – Microsoft Deployment Toolkit 2010 is the newest version of Microsoft Deployment Toolkit, a Solution Accelerator for operating system and application deployment. MDT 2010 supports deployment of Windows 7 and Windows Server 2008 R2 in addition to deployment of Windows Vista, Windows Server 2008, Windows Server 2003, and Windows XP.
  • Introducing SecurityTube Questions! | Full Disclosure | Full-Disclosure – SecurityTube Questions <http://questions.securitytube.net/> is modeled after StackOverflow and is aimed at helping hackers, infosec professionals, enthusiasts and students solve security related problems.
  • Opinion: Maybe users aren’t so funny after all – I can't stop thinking about my experience last month when I had to reload Windows XP for a friend. It makes me think we need to reconsider how we in the security world have failed the consumer. Should it really be necessary for a consumer to be a security expert to safely use a computer?
  • Penetrating Intranets through Adobe Flex Applications – Gotham Digital Science
  • MANDIANT: Intelligent Information Security | State of the Hack: Silent But Deadly – The buzzword for 2010 seems to be the APT (Advanced Persistent Threat), however MANDIANT has known of this type of cyber attack for years. The recently released M-Trends report focuses on the APT and details threat intelligence learned while conducting intrusion investigations for the U.S. government, the defense industrial base, and commercial organizations.
  • Security Intelligence: Attacking the Kill Chain – In this segment, we will introduce the attack progression (aka “kill chain”) and briefly describe its intersection with indicators. The next segment will go into more detail about how to use the attack progression model for more effective analysis and defense, including a few contrived examples based on real attacks.
Categories: del.icio.us

Bookmarks for February 26th through March 5th

March 14th, 2010, by admin

These are my links for February 26th through March 5th:

  • Fireforce – Fireforce is a Firefox extension designed to perform brute-force attacks on GET and POST forms.
    Fireforce can use dictionaries or generate passwords based on several character types. Attacks can be performed on two separate fields using two distinct password sources.
  • Windows Incident Response: Looking for “Bad Stuff”, part I – Searching for unknown issues within a Windows image is always a tough thing
  • 7 Things You Need to Know About HITECH | Optimal Security: The Lumension Blog – Today, Wednesday, February 17, 2010, marks one year since the HITECH Act of 2009 passed. This means that most of the Act’s provisions are now enforceable – particularly, the breach notification and penalties aspect of the Act. While most healthcare organizations are concerned about the “meaningful use” requirement, for us in the IT security space it is the expanded PHR safeguards that are important.
  • Playbook | Introducing Flint – Flint examines firewalls, quickly computes the effect of all the configuration rules, and then spots problems so you can:
    * CLEAN UP RUSTY CONFIGURATIONS that are crudded up with rules that can’t match traffic.
    * ERADICATE LATENT SECURITY PROBLEMS lurking in overly-permissive rules.
    * SANITY CHECK CHANGES to see if new rules create problems.

    Flint is absolutely free. There’s no catch. You can download the source from our git repository. This isn’t the “play at home” version; it’s our second product, and we want to do it open source. Here you go!

  • Snorby – All about simplicity.
  • Mavituna Security – Blog – WebRaider – The idea of this attack is very simple: getting a reverse shell from an SQL injection with one request, without using an extra channel such as TFTP or FTP to upload the initial payload.
  • The Omni Group – OmniDiskSweeper – OmniDiskSweeper is a utility for quickly finding and deleting big, useless files and thus making space on your hard disks.
  • The Security Development Lifecycle : Casaba Releases Watcher 1.3.0 with Added SDL Integration – Hi everyone, Bryan here. We’ve written here before about Casaba Security’s Watcher tool and how it can help you verify compliance with several of the SDL web application security requirements
  • Breaking Weak CAPTCHA in 26 Lines of Code | Bonsai – Information Security Blog – During one of our latest engagements we found a weak CAPTCHA implementation being used in the target Web application. The assessment was being performed on-site, and after identifying this vulnerability we started to talk with the CSO about how easy it would be to break it.
Categories: del.icio.us

New Host, New Design

March 14th, 2010, by admin

As you might be able to tell, I have a new site design. Why? Because it was time for a change, and because of a slight problem with my previous host. So here is the whole story.

Late last week I decided to try MacJournal from the MacHeist Bundle to see how well it works for doing blog posts. While setting it up, I kept getting an error. After trying to go to my site, I saw that it was suspended. Hmm, I know that my last hosting bill was due on March 1, so I figured that something was up with the payment. I sent off an email to the hosting service, AxisHost, and received the reply back that my site was suspended for “an exploited WordPress”. Hmm, I know that WordPress has its issues and figured maybe I missed an update. So I inquired about what to do to un-suspend it and, being a Security Professional, wanted some information on what happened.

Received a reply back basically saying back up the database, install a fresh WordPress, then restore the database. However, as far as what happened, I was told that ‘no viruses were found, but I had to rebuild’. Again, I pressed for more details and was told there was ‘nothing further in the log’.

I guess two things bother me about this. First, the site was taken down and no alert was sent to me. Second, if you detect that a site was ‘exploited’, I don’t think it is too much to ask for some more specific details of what you detected.

Anyhow, long story short, I moved away from AxisHost over to DreamHost.  So far, so good.  Let me know what you think of the new layout…

Categories: Site News

Bookmarks for February 15th through February 26th

February 26th, 2010, by admin

These are my links for February 15th through February 26th:

  • A Big Case of …OOPS… – Following the White Rabbit Blog
  • Recording Information – Organizations are desperate for effective guidance on the best ways to introduce and manage Web application security within their software development life-cycle. Success comes by learning the techniques on how to quickly and efficiently fix immediate issues and implement incremental long-term changes that are neither expensive nor disruptive to the software development process. There is no better way to learn that than through a genuine case-study walk through.
  • SkullSecurity » Blog Archive » VM Stealing: The Nmap way (CVE-2009-3733 exploit) – If you were at Shmoocon this past weekend, you might remember a talk on Friday, done by Justin Morehouse and Tony Flick, on VMWare Guest Stealing. If you don’t, you probably started drinking too early. :)
  • PaulDotCom: Archives – After listening to Larry’s excellent technical segment on dumping the event logs from a large list of computers, I decided to try it out on my own
  • Digital Soapbox – Down the Security Rabbithole!: Web “Hacking” Gets (even) Easier – I’m talking about “NoMore AND 1=1”. This tool comes in 2 flavors, stand-alone and attached to the OWASP WebScarab web proxy tool… and it sets the bar even lower for those wishing to poke and prod at web sites without actually being good at hacking.
  • Phoenix/Tools – OWASP – Tons of Tools aggregated by OWASP
  • Jeremiah Grossman: Infrastructure vs. Application Security Spending – A recent study published by 7Safe, UK Security Breach Investigations Report, analyzed 62 cybercrime breach investigations and states that in “86% of all attacks, a weakness in a web interface was exploited” (vs 14% infrastructure) and the attackers were predominately external (80%).
  • WinMerge – WinMerge is an Open Source differencing and merging tool for Windows. WinMerge can compare both folders and files, presenting differences in a visual text format that is easy to understand and handle.
  • Using Curl to Retrieve Malicious Websites – Here’s how to use Curl to download potentially-malicious websites, and why you may want to use this tool instead of the more-common Wget.
  • So Long, and No Thanks for the Externalities: the Rational Rejection of Security Advice by Users (PDF) – It is often suggested that users are hopelessly lazy and unmotivated on security questions. They choose weak passwords, ignore security warnings, and are oblivious to certificate errors. We argue that users’ rejection of the security advice they receive is entirely rational from an economic perspective. The advice offers to shield them from the direct costs of attacks, but burdens them with far greater indirect costs in the form of effort. Looking at various examples of security advice we find that the advice is complex and growing, but the benefit is largely speculative or moot. For example, much of the advice concerning passwords is outdated and does little to address actual threats, and fully 100% of certificate error warnings appear to be false positives. Further, if users spent even a minute a day reading URLs to avoid phishing, the cost (in terms of user time) would be two orders of magnitude greater than all phishing losses.
Categories: del.icio.us

Bookmarks for January 17th through February 15th

February 15th, 2010, by admin

These are my links for January 17th through February 15th:

Categories: del.icio.us

Using a netbook as an E-book reader

February 15th, 2010, by admin

While I was visiting O’Reilly’s Safari Bookshelf (aside: great service BTW, ~$40, all-you-can-eat books plus download 5 chapters a month to PDF files), I saw that they have support for their service on a Kindle. Quite a while back, I looked and thought that if Safari works on the Kindle, then I would buy one. So I went looking, thinking that perhaps the price had dropped a bit or maybe people were off-loading them preparing for the Apple iPad. No such luck: Kindle 1s seem to be hovering around $200 on eBay and Kindle 2s around $250 (retail price). So now what?

I did a little bit of searching and came across this post from LifeHacker: Turn Your Netbook into a Feature Rich E-book Reader. Looks easy enough; figured I would give it a go. I picked up an eMachines EM250 netbook right after Christmas. Could not resist; 10 inch screen, 250GB HD, SD card, 1GB RAM (upgradable to 2GB), all for $228. This machine is pretty much a re-branded Acer Aspire One 250.

I started with the Intel graphics program to see if it had a built-in function. Nope, nothing there. Then I moved on to trying EEERotate. No dice either. Next, since the netbook came with the super-crippled Windows 7 Starter Edition, I figured that I needed to upgrade to something better. So I went with Windows 7 Ultimate and reinstalled the system. However, still no way to rotate. Then I went to the all-telling Google for answers. Plenty of answers, but nothing worked. Tried some registry hacks for the Intel drivers, downloaded Pivot Pro, MagicRotation, iRotate. Nothing worked…

Hmm, my netbook reader perhaps was not going to come to fruition. In one last-ditch effort, I booted into my encrypted version of BackTrack 4 on an SD card (thanks to Kevin Riggins’ great tutorial and video) to see if the screen would rotate. Sure enough, built right in was the option to rotate, and it worked flawlessly.

Since we originally bought the netbook to be something light that we could drag along on trips, I decided to go with a dual-boot scenario with Windows 7 and Ubuntu Netbook Remix (UNR). Dropped back to Windows 7 Starter Edition with a reinstall. Now on to UNR.

Incredibly amazed that I could pop in the CD, boot up, get a dialog to shrink the partition, install GRUB for dual boot, and about 15 minutes later have a dual-boot Win7/UNR netbook. There was only one hardware issue, and that was with wireless and the Broadcom 4312 chips. A simple apt-get and a reboot solves that:

sudo apt-get install bcmwl-kernel-source

So now I have my dual-boot e-book reader. However, when the screen is rotated, the trackpad stays at its normal orientation. Some might think that is not a big deal. If you are in that camp, give it a try sometime. :-) Now back to the great Google to see if I can rotate the trackpad.

Found a great page from Aapo Rantalainen that gives step-by-step instructions for patching the Synaptics driver in Ubuntu to allow for rotation of the touchpad. Using an alias, I am able to rotate both the screen and the trackpad with one command.

After using this setup for a few days, I am very happy with it. The netbook is really the size and weight of a heavy paperback book. So if you have a netbook and are looking for a nice e-book reader at no additional cost, give this a shot! The only con to this setup is no always-on internet (3G or CDMA), but I am usually near wireless at home and work, where I would read the most.

Categories: Random

Bookmarks for December 26th through January 15th

January 15th, 2010

These are my links for December 26th through January 15th:

  • Investigating Breaches
  • Social Engineering: The Basics – What is social engineering? What are the most common and most current tactics? And how can your organization prevent these scams? A guide on how to stop social engineering.
  • Jeremiah Grossman: Top Ten Web Hacking Techniques of 2009 (Official) – Every year the Web security community produces dozens of new hacking techniques documented in white papers, blog posts, magazine articles, mailing list emails, etc. Not to be confused with individual vulnerability instances brandishing CVE numbers, nor intrusions / incidents, but actual new methods of Web attack. Some techniques target websites, others Web browsers, and the rest somewhere in between. Historically much of this research would unfortunately end up in obscure corners of the Web and become long forgotten. Now in its fourth year, the Top Ten Web Hacking Techniques list provides a centralized repository for this knowledge and recognizes researchers contributing to the advancement of our industry. 2009 produced ~80 new attack techniques.
  • Various Online Password Crackers | carnal0wnage.attackresearch.com
  • Guerilla Security Leadership – fudsec.com
  • Jack Mannino: Not Educating Your Clients? FAIL – How many of you that have brought in external consultants for some type of security engagement felt like you paid a lot of money for something you really didn't understand? Or better yet, how many of you have brought them in and felt like after they left you had less of an understanding of your environment and what your true risks were? It seems as though it's becoming standard practice for a lot of groups to test for a few days (or simply run automated tools), crank out a templated report, and give a short presentation at the end of an engagement without detailed guidance for making the world a better place. Is there any value in this? Maybe, but for what you've likely paid, not NEARLY enough.
  • Blog :: by Wade Woolwine » Blog Archive » Thoughts on an AppSec program – The Team – Start of a multi-part series on developing an AppSec Program
  • Jeremiah Grossman: Overcoming Objections to an Application Security Program – Today a large percentage of security professionals truly “get” application security. They understand the importance, the best-practices, the value, etc. What inhibits their success the most in building an effective application security program is a lack of buy-in from the business and support from development groups. Justifying the investment remains extremely challenging and many security professionals tend to encounter the same objections.
  • The Basic Laws of Human Stupidity
Categories: del.icio.us

Bookmarks for November 3rd through December 16th

December 16th, 2009, by admin

These are my links for November 3rd through December 16th:

Categories: del.icio.us

Bookmarks for September 4th through November 3rd

November 3rd, 2009

These are my links for September 4th through November 3rd:

  • [Positive Technologies] Research Lab: Another fine method to exploit SQL Injection and bypass WAF – A method that I discovered today in MySQL documentation struck me with its simplicity and the fact that I haven’t noticed it before. Let me describe this method of bypassing WAF.
  • Cyber Security Awareness Month 2009 – Summary and Links – As requested by many readers, below are links to all 31 of the diaries that we wrote for Cyber Security Awareness Month 2009. In 2007 we covered a large range of subjects based on what our readers submitted as ideas. In 2008 we took a closer look at the six steps of incident handling. This year we examined 31 different ports/services/protocols/applications and discussed some of the major security issues. Many readers submitted comments, tips, and tricks for securing them. If you have additional comments on any of these diaries feel free to add them directly to the bottom of the diary (you have to log in first) or if you want to remain anonymous you can send them to us via our contact form.
  • Psychology and Security Resource Page
  • Syn: Bob's Double Penetration Adventure – Part 1 – A couple of days ago a mate at work asked about the security issues surrounding computers that are connected to the company network and also to the Internet via a wifi connection. This question was perfect fodder for a Bob story, I thought. So the story goes…
  • VRT: How does malware know the difference between the virtual world and the real world?
  • Grep auth log and print ip of attackers | commandlinefu.com
  • DNSpenTest – DNSpenTest will be a suite of pentest tools for the DNS system. In the near future you will find a set of tools such as: a fake DNS server, a DNS packet forger, etc.
  • Automating Nessus Scans with AutoNessus Tutorial – AutoNessus automates regular vulnerability scans with Nessus or OpenVAS and provides delta reporting. AutoNessus effectively reduces the analysis time for subsequent scans of the same infrastructure by only reporting delta findings. AutoNessus runs Nessus scans at regular intervals and compares the findings of the last scan with the findings of the previous scan. The delta of this scan is presented in a web GUI where findings can be easily marked as either real findings or non-issues. Non-issues get ignored until they change. This causes a dramatic reduction of the analysis time.
  • MalTrap – MalTrap is a research utility that monitors malware behavior by intercepting API calls and logging results. MalTrap can also be used in other reversing contexts.
Categories: del.icio.us

Bookmarks for August 12th through September 3rd

September 3rd, 2009

These are my links for August 12th through September 3rd:

  • System Advancements at the Monastery » Blog Archive » Learning By Doing: Challenges, Data Sets, and Practice Sites – Security training is very important for any organization. When developing a training program, do not forget about the security staff. I am all for sending people to SANS and other companies’ security courses. Once your people come back, how will they practice what they have learned? Hopefully, every day at work does not involve tracking inventive hackers through your network. Hands-on security is the best way to develop skills and stay sharp. This is where security challenges, practice sites, and examining attack data can be fun and of great benefit. It all provides an opportunity to test one’s knowledge along with the security tools used for discovering vulnerabilities and defending your organization.
  • Network Pentest Lab « Security Aegis – We used an existing set of hack challenge ISO’s, sandbox VM’s, vulnerable software, and vulnerable OS’s to create a 6 target lab that can be expanded upon.
  • Pentest Labs: Web Application Edition « Security Aegis – Over the last week, we busted out our red plastic shovel and our bucket shaped like a castle to dig a little bit deeper into our sandbox. Recently, we addressed the flexibility and overall necessity of a virtual lab for network pentesting, practice, and testing.
  • Dump Windows Event Logs To CSV Text Files (VBScript) – This DumpEventLog.vbs script hopefully is better, or at least sucks less; its features are:
    Writes output to a well-formed CSV text file (one line per log entry, crazy Microsoft formatting cleaned out).
  • Step-By-Step: Turning a Windows 7 DVD or ISO into a Bootable VHD Virtual Machine
  • How To Disable USB Ports To Prevent Malware Infection – There are plenty of ways to disable USB ports, and you don’t need any special software.
  • http://www.stoned-vienna.com/ – Stoned Bootkit is a new Windows bootkit which attacks all Windows versions from XP up to 7. It is loaded before Windows starts and is memory resident up to the Windows kernel. Thus Stoned gains access to the entire system. It has exciting features like integrated file system drivers, automatic Windows pwning, plugins, boot applications and much much more. The project is partly published as open source under the European Union Public License. Like in 1987, "Your PC is now Stoned! ..again".
  • Run Internet Explorer 6 (or IE7, or IE8) images in VMware Fusion on Mac OS X – Ryan Parman – Because of that, we need to go the long way. We’ll download the “officially sanctioned” VirtualPC images containing a time-limited version of Windows XP SP3 and Internet Explorer 6.0, and then we’ll convert these images to the kind that work with VMware Fusion (which works on Mac OS X). This should only need to be done every 3 or 4 months when the images expire.
  • WordPress to Syslog – WPsyslog2 is a global log plugin for WordPress. It keeps track of all system events and logs them to syslog. It tracks events such as new posts, new profiles, new users, failed logins, logins, logouts, etc.
  • InfoSec Zen » USB Keys & Metasploit for fun and profit – This article describes a combination of techniques to achieve a USB key that operates silently and remotely, so that key recovery is not required to know who inserted the key or to gather data from their system.
Categories: del.icio.us