pck | Weblog

Evolution

2011-12-12T05:43:00.008+02:00

Quote

2011-11-28T20:03:00.002+02:00

Hackito Ergo Sum - j@nus

critical-infosec-cnrtl-list

2011-11-06T10:34:00.000+02:00

Social Media Assessment

2011-11-04T19:21:00.002+02:00

The use of social media sites is rampant. Assessing your databases and social networks (Facebook, Twitter, LinkedIn, blogs, etc.) detects what is being disseminated on the Internet about the organization – including all of the information that the organization, employees, ex-employees, and the public are putting out there.

In addition, assessing any confidentiality agreements and social media policies in place will detect holes in the organization's social media protocol. This will allow the integration of effective social media policies into the organization’s overall IT program.The large number of existing social media channels through which information is disseminated is suprizong.

A thorough Social Media Assessment should look at roughly 30-40 of them, including both the well-known sites and some obscure ones such as Hi5, Tagged, Friendster, Bebo, Orkut, Yammer, and Yelp. In addition, a good Social Media Assessment looks at message boards, online forums, and blogs/micro-blogs like Google Blogger and Tumblr to provide a more complete picture of your organization’s social media posture

Escaping

2011-11-03T17:30:00.000+02:00

Vim 20th anniversary

2011-11-02T08:04:00.002+02:00

The Vim text editor was first released to the public on November 2, 1991 - exactly 20 years ago today, by Bram Moolenaar. Although it was originally designed as a vi clone for the Amiga, it was soon ported to other platforms and eventually grew to become the most popular vi-compatible text editor. It is still actively developed and widely used across several operating systems

My Birthday

2011-10-31T08:53:00.002+02:00

Today is the 18th celebration of my 18th birthday - pck

Host Interrogation Assessment

2011-10-30T23:41:00.002+02:00

The purpose of a Host Interrogation is to identify potential misconfigurations or information security flaws on DMZ-based servers. It provides the insider’s view of servers in much the same way a Firewall Ruleset Review does, which then can be matched up to get more value out of the organization's Penetration Tests.

The Host Interrogation process reviews hardening techniques and best practices in order to establish a baseline, which improves the overall state of security in the DMZ systems. A good Host Interrogation combines the latest in automated assessment tools as well as a manual review of the overall configurations associated with the DMZ devices.

DOS pillow

2011-10-30T09:25:00.000+02:00

Problem: Cannot help sleeping on the PC monitor.

Solution: Dosugus pillow looks like a black screen and has good old DOS directories embroidered on it.

Saturday Night Drink

2011-10-29T21:54:00.000+03:00

Ready for another "bloody" night out with zombie cocktails.

Ingredients

1 oz Light rum
1/2 oz Creme de almond
1 1/2 oz Sweet and sour mix
1/2 oz Triple sec
1 1/2 oz Orange juice
1/2 oz Rum - 151-proof
1 Cherry - optional

Method
Shake all ingredients (except 151-proof rum) with ice and strain into a collins glass over ice cubes.

Float the 151-proof rum on top, add a cherry (if desired), and serve.

IS Control 20 - Security Skills Assessment and Training to fill Gaps

2011-10-28T22:59:00.010+03:00

There's two parts to this control - one focuses on users, the other on information security and IT staff.

Keeping users abreast of current threats and how to steer clear of these dangers is definitely important. But in today's compliance-driven corporate world, the average staff member already has to sit through many trainings and e-learnings on topics ranging from corporate records management to HR policies to anti bid-rigging rules, etc. Hence, the first hurdle that every security training has to overcome is to actually get the initial attention of the audience.

In that sense, as in all marketing endeavors, packaging is everything. Once the users' initial attention is granted, the easiest way to keep them interested is by using real life examples from the own organization. Even if the audience happens to be already aware of a certain attack or threat, and would otherwise be bored, they will always be interested in what really happened.

Users usually come with with three levels of security clue:

Those who just don't know better
Those who do know better, but take shortcuts, don't care, or have an "it won't happen to me" attitude
Those who do know better, and stick to being careful

For Group 1, training should be patient and repeated.
For Group 2, a gory example out of one or two trespassers should be given. The others will catch on. If such an example is not feasible, treatment like group 1 is suggested.
For group 3, recognition for spotting and reporting on every risk should be granted and empowerment to act as coaches for Group 1 staff in their team should be provided.

For training of information security and IT staff, one should assess where the gaps are and how to most effectively fill them.

IS Control 19 - Data Recovery Capability

2011-10-27T22:48:00.001+03:00

Successful data recovery is as much a part of reliability as it is information security, so embrace the process as paramount to successful response. Whether it is a significant outage from operational data loss or that moment that leaves as all shuddering and queasy (attackers have tweaked our data and it is no longer reliable) the organization should be assured that it has the ability to recover.

This control does mention testing restorations from backups twice, once in the measurements section and once in the procedures and tools section, but it is common ground that every possible measurement and procedure should be tested quarterly at a minimum.

Much as one might with incident response, drilling the recovery/restoration process is critical. And not tabletop exercises; real data to real systems in real scenarios that mimic the organization's production environment. Clearly testing the process directly in production may be difficult but a staging (or dev/test) environment is ideal for this testing.

As the control mentions, one has to factor for operating system, application software, and data recovery. Yet each of these three is influenced by full, differential, and incremental methodology, depending on need, scheduling, and planning as well as the retention period.

IS Control 18 - Incident Response Capabilities

2011-10-26T23:26:00.009+03:00

If risk is not measured it can't be managed. If a formal process for capturing and responding to incidents is not in place the organization will not be aware of them occurring. No matter the size, internal incident response capabilities should be in place. As said, a failure to plan is a plan for failure.

Here are some tips for ensuring the success of an organization's incident response capabilities:

The incident handling procedures should be formalized. If they are, then it is easier to explain to the business why everything is done in the heat of battle.
Roles and responsibilities of people on incident response team should be documented. This will often include representatives from Legal, Human Resources, Public Relations, Compliance, the Executive Sponsor and the usual suspect in the networking and information technology engineering groups along with the information security team.
Management support is critical to the success of most business initiatives. It is especially important when dealing with potentially politically explosive issues that are often associated with security incidents. Maintaining excellent and frequent communications with Executive Management is critical to the success of the plan.
All incident responders should be required to report in within a predefined amount of time once an incident has been declared.
Periodic test should be conducted to make sure everyone can be reached in a timely manner. Once the team is assembled, training exercises with various scenarios that test the teams ability to access and identify evidence on various systems throughout the networks they are responsible for protecting should be conducted.

IS Control 17 - Penetration Tests and Red Team Exercises

2011-10-25T21:57:00.001+03:00

A few thoughts in support of this control (PT & RT):

Upon initialization of this activity, a formalization with management (in writing) to include vision, mission statement, and statements of work (SOW) in order to set clear expectations is nesecary. Reporting and presenting results is crucial. PT and RT activity is only as good as the dissemination of results and the subsequent remediation.
A formalized process inclusive of best practices and documentation also supports PT & RT on behalf of compliance requirements.Such requirements are a great defender of a PT & RT program.
A great resource and good starting point: Open Source Security Testing Methodology Manual 3.0.
A well-devised, concerted offensive engagement against the target enterprise is also an ideal opportunity for the defenders to validate their monitoring and hardening practices.
While it’s nice to have resident expertise, it’s hard to imagine that every organization has the resources to dedicate personnel exclusively to PT & RT, much as may be the case with dedicated IR resources. Often these duties fall on network engineers and systems administrators with a penchant for security.
The social engineering (SE) aspect of PT & RT activity inevitably includes an organizational political component one should be sensitive to. People fall for SE tactics all the time and there is always shame associated with it. Making enemies will not help PT & RT cause.
Virtual environments, while not ideal, make for an inexpensive test bed for PR & RT activity.

IS Control 16 - Secure Network Engineering

2011-10-24T22:45:00.013+03:00

Secure Network Engineering is a process that relies on qualified humans designing and maintaining a network with security in mind.

Many issues we discussed in previous Controls are easier if the network was designed securely. For example Control 15 works best if egress points in your network are clearly defined and regulated. A good network design will also make it easier to block access to devices if they are found to be infected with malware, and it will make it harder for malware to spread internally.

Another issue has to do with the application of secure network engineering to an existing network. A network is supposed to be "re-designed" on the fly without interrupting current operations. Usually that this is just not possible without immense costs, and in some cases, it may be simpler and cheaper to build a new network from scratch.

There are some possibilities to automatically monitor at least part of this process. For example, if we receive an alert about a new server or a change to the network configuration, we may be able to automatically compare this to a change control system to ensure that the change was properly approved and went through a process reviewing out network design.

In short: we have to make sure the actual network matched the network design and not allow the actual network to deviate from the secure design.

Hacking History - Part Five

2011-10-23T17:17:00.000+03:00

Crypto Quiz

2011-10-22T19:44:00.000+03:00

Yet another chipher text puzzle.

UBrwqhlfkw hjk qibwk qicedw zbg wkk mike zbg qhsk zbgj kzkw buu zbgj dbhfw

IS Control 15 - Data Loss Prevention

2011-10-21T21:44:00.017+03:00

Information is a precious commodity. Many institutions regardless of its size have information of interest to many people and those people are willing to pay large sums of money for it or even make major criminal acts to get it.

Access to information in an unauthorized manner can be obtained in many ways. There are attackers at all times seek to exploit the vulnerabilities of information assets, but there are also users that, once they have been authorized to access a specific information asset, may have unrestricted access to the information and carry out actions such as copy and steal through removable storage media, email, dropbox, among others.

This means it is necessary to place a type of controls that allow the user that has been authorized to access the information to manipulate it in the terms allowed by the information asset classification. This is known as Data Loss Prevention (DLP). We can use the classic criteria to classify information: Confidentiality, Integrity and Availability, and can also add other important as Traceability and Non-repudiation. Traceability is the property of information that helps determine the operations performed on it at all times and Non-repudiation is the feature that ensures that a transaction has been for the person whose user ID made and no other. Depending of the classification on each variable, the operations allowed to the information asset can be defined as read only, e-mail transmission, shared resource copy, among many others.

Data Loss Prevention (DLP) Software allows monitoring of the following:

Data in motion: When a network security perimeter is in place, just before traffic reaches the firewall the DLP device should be placed to monitor incoming and outgoing traffic and then realize which users are violating information security rules by performing unauthorized transmission of information assets.
Data at rest: Information Assets are stored into servers located inside datacenters. DLP software can be installed into servers to learn about sensitive information stored in unsecure locations as open windows shares and unencrypted storage devices.
Data in use: DLP software can be installed in endpoint devices to control the transmission of information assets like instant messaging, desktop e-mail clients and web transmissions.

DLP implementations are very challenging because of information identification. If information is not correctly identified, false positives arises and can be very painful as they can stop the information flow inside the whole company. That is why several accuracy tests should be performed with the information asset classification and solve problems before deploying.

Please keep in mind that business needs are first and needs to be satisfied. One cannot implement controls that will make the company operation slow and painful.

IS Control 14 - Wireless Device Control

2011-10-20T21:43:00.053+03:00

Mobility is one of the biggest challenges for information security professionals. In our offices many customers use wireless technology and not only laptops, but phones, tablets and other devices for corporate use. The challenge is to provide access to the company's wireless network to devices that staff members and third people have in a secure way.

In order to cater for the aforementioned need, we have to select a proper authentication and cypher mechanism for the wireless network. Known authentication schemes are:

PreShared Key (PSK): This is known as the standard "personal network" authentication scheme. The client must supply the PSK to gain association and connectivity to the wireless network.
Certificates | Username/password: This is known as the "Enterprise" authentication scheme. The client must supply valid credentials to log-in, including but not limited to username and password and certificates. RADIUS is mandatory for this type of authentication and it must include the appropiate dictionary to interact smoothly with the network equipment you have in your company. 802.1X is the best option you can use to enforce secure authentication to the wireless network.

In order to determine which level of security to implement in the authentication level, there is a wide range of authentication protocols within the Extensible Authentication Protocol standard to choose from like:

Lightweight Extensible Authentication Protocol (LEAP): This is a proprietary Cisco protocol which sends the authentication information using MS-CHAP, which makes it vulnerable to password cracking attacks.
Protected Extensible Authentication Protocol (PEAP): This is a protocol that encapsulates the authentication information (Username and password) in a TLS tunnel so it travels secure to the authentication server. It is an interesting alternative with a reasonable degree of complexity for implementation, because it is not necessary to deploy certificates on all clients that connect to the network, which easily allows mobile devices like phones and tablets connect to the network without major trouble.
EAP-Transport Layer Security (EAP-TLS): This is a protocol that provides great authentication security to the wireless network, because apart from the username and password it requires that each client has a valid certificate issued in the certification authority's domain. One of the cons it has is the difficulty of implementation in mobile devices, since not all operating system versions support it and in some cases require additional software to work. This protocol is vulnerable to man-in-the-middle attacks.
EAP-Tunneled Transport Layer Security (EAP-TTLS): The difference with the previous protocol is the way that clients can authenticate, because is discretionary for the client device to present a valid certificate from the domain certificate authority. In this case, the server is the one that authenticates to the client with a valid certificate within the domain certificate authority. Once the secure tunnel is established, the client authenticates sending the username and password. This protects the information against eavesdropping and man-in-the-middle attacks. Many operating systems would need as well additional software to sucessfully authenticate to the wireless networks using this protocol.

In order protect the WLAN traffic against eavesdropping, the following protection mechanisms should be used:

Wired Equivalent Privacy (WEP): It's a weak security algorithm that uses the RC4 stream cipher for confidentiality and the CRC32 checksum for integrity. The vulnerability of this protocol lies in the stream cipher algorithm used, as the same key for encryption of traffic can not be used more than once. Because in practice there is no such scheme implemented for this protocol that allows different keys for each packet, an attacker can get the encryption key for the network by monitoring wireless network packets. There are several documented attacks about this protocol and many tools as aircrack-ng and kismet that implements them. This protection mechanism is deprecated and should not ever be used in production environments where unauthorized access is critical.
Wi-Fi Protected Access (WPA): This protocol is part of the IEEE 802.11i standard. The encryption key problem is solved by using Temporal Key Integrity Protocol (TKIP) generating 128-bit key per packet transmitted on the network. This protocol was deprecated by IEEE in January 2009.
Wi-Fi Protected Access 2 (WPA2): This protocol is also part of the IEEE 802.11i standard. As Temporal Key Integrity Protocol (TKIP) is insecure, WPA2 replaces it with Counter Mode with Cipher Block Chaining Message Authentication Code Protocol (CCMP). It combines the Counter-Mode block cipher mode (CTR) for data confidentiality and Cipher Block Chaining Message Authentication Code (CBC-MAC).

The selection of combination of authentication and encryption scheme should be based on the level of risk to which an organization is exposed. For most of the cases, though, Enteprise PEAP authentication with WPA2 is a good selection since it is not difficult to implement and provide a good level of security with a broad level of interoperability for devices that need to connect to the network. For environments that require top level of security, the selection should be enterprise authentication with EAP-TLS/EAP-TTLS with WPA2.

IS Control 13 - Limitation and Control of Network Ports, Protocols, and Services

2011-10-19T23:42:00.002+03:00

Observing never ending port scans against our systems is a never-ending story. The goal of a port scan is to find vulnerable services. Later, the attacker will use this recognizance to exploit these services.

In order to protect ourselves, two basic measures need to be taken:

Limit listening services. As part of standard configuration, all unneeded services should be turn off . A service that is not running can not be attacked. Of course, a need to monitor any changes to this standard configuration is apparent. The control of listening services should not stop at controlling services commonly installed on the particular host, but the control should include rogue services as well. Here are a few ideas to review listening services on hosts:

review the output of "netstat" regularly. Netstat will show any listening services. Of course, in the case of rogue services, an attacker may use root kits to mask these services from tools like netstat.

review ephemeral port usage. If a port is used by a listening service, it can not be used as an ephemeral portal for outbound connections. You will see a "gap" if you plot all used ephemeral ports on a system.

regular port scans. Periodically scan of systems for listening ports. However, be aware that an attack may have masked the use of the port and will only respond to requests from a particular source

Network monitoring: Tools like "pads" are able to detect new services on a network passively. This may enable you to detect hidden services as soon as the attacker connects to them.

Applying firewall rules. Back in 2000, firewalls were a lot less common then they are today. Today, systems arrive with host based firewalls. Many times, the firewall is already enabled to block all inbound traffic by default. In addition to host based firewalls, a well designed network should include network firewalls and take advantage of capabilities in devices like switches to further limit network traffic.

IS Control 12 - Malware Defense

2011-10-18T22:40:00.004+03:00

This control offers nine prospects for success in the battle against a continuous and pervasive challenge.

Organizations should employ automated tools to continuously monitor workstations, servers, and mobile devices for active, up-to-date anti-malware protection with anti-virus, anti-spyware, personal firewalls, and host-based IPS functionality. All malware detection events should be sent to enterprise anti-malware administration tools and event log servers.
Organizations should employ anti-malware software and signature auto update features or have administrators manually push updates to all machines on a daily basis. After applying an update, automated systems should verify that each system has received its signature update.
Organizations should configure laptops, workstations, and servers so that they will not auto-run content from USB tokens (i.e., "thumb drives"), USB hard drives, CDs/DVDs, Firewire devices, external serial advanced technology attachment devices, mounted network shares, or other removable media.
Organizations should configure systems so that they conduct an automated anti-malware scan of removable media when it is inserted.
All attachments entering the organization's e-mail gateway should be scanned and blocked if they contain malicious code or file types unneeded for the organization's business. This scanning should be done before the e-mail is placed in the user's inbox. This includes email content filtering and web content filtering.
Automated monitoring tools should use behavior-based anomaly detection to complement and enhance traditional signature-based detection.
Organizations should deploy network access control tools to verify security configuration and patch-level compliance before granting access to a network.
Continuous monitoring should be performed on outbound traffic. Any large transfers of data or unauthorized encrypted traffic should be flagged and, if validated as malicious, the computer should be moved to an isolated VLAN.
Organizations should implement an incident response process that allows their IT support team to supply their security team with samples of malware running undetected on corporate systems. Samples should be provided to the anti-virus vendor for "out-of-band" signature creation and deployed to the enterprise by system administrators.

IS Control 11 - Account Monitoring and Control

2011-10-17T21:39:00.021+03:00

Both Account Monitoring and Account Control are things that many organizations do not take seriously, and come up over and over (and over) again in security assessments.

Things that get often missed or overlooked:

Too many Administrative Accounts. All to often, we see everyone in the IT group has "Administrator" equivalent rights in production information assets.
Using the Administrator or Root Account directly. To add to the first point, everyone who needs admin rights should have a named account that has those rights. If people use the administrator accounts directly, then there is no way of ever finding out "who did what" in the event that you need that information.
Using an Admin level account for day-to-day tasks.
Work with HR for account creation and deletion. In all too many cases we see dozens of accounts (sometimes hundreds) that haven't been used in months, only to find that people have left the organization and the IT group wasn't told. Even if their account data needs to be kept around, a "data transition procedure" should be in place to move data to the person who needs it next after someone leaves.
Use of Shared accounts. Too many times we see clerical accounts that are shared between dozens of people in a group. Without named accounts, it would be impossible to figure out who is making errors or demonstrates malicious behavior. Shared email accounts can create similar problems with accountability.
Password Complexity is a must-have. While we can have a flame-fest about if complex passwords or passphrases are better (I'd lean towards passphrases, but it's not workable in every environment), we simply can't have people use "password", or their kid's names anymore for access - it's simply too easy to crack.
Account Lockout is a must have. If someone is trying to brute-force your CEO's webmail account, yes, we do want the account locked until we can speak with them. Better they lose access for an evening, as opposed to having their account compromised and confidential information be disclosed.

If the aforementioned issues are not covered in an Information Security Policy, it is the right time to draft one that covers all of these issues, as well as enforcement of periodic changes. In addition, try and implement one-way encryption into the password policy. Passwords should never be stored in plain text, this way users may immediately have deniability for anything that happens.

A Decade of Data Breaches

2011-10-16T11:58:00.001+03:00

Quote

2011-10-15T11:50:00.000+03:00

The unexamined life is not worth living - Socrates

IS Control 10 - Continuous Vulnerability Assessment and Remediation

2011-10-14T16:38:00.008+03:00

This control is an important mechanism to detect known vulnerabilities, if possible patch them or use additional host or network controls to prevent exploitation until a patch or update is released. Preferably, the assessment tools should categorized the discovered vulnerabilities using industry recognized standards such as CVE to correlate and classify the data obtained with other network devices, to detect attempts or successful exploitation of the vulnerability.

There are a large number of vulnerability management tools available on the market (free and commercial) which can be used to evaluate system configuration on a continuous basis. A first step would be to run a daily discovery scan against network devices and run a full audit of the systems with credentials on a weekly basis, taking into consideration the impact on the network (i.e. when the network devices are the least busy). This would ensure that new found vulnerabilities are taken care of in a timely manner soon after they have been discovered. Whenever possible, it is important the patch be tested in an environment that mimics the production system before being pushed enterprise wide. If the patch fails the tests, other mitigating controls should be tested and put in place to prevent exploitation.

In order to put in place an effective continuous vulnerability assessment plan, the enterprise scanner should be able to compare the results against a baseline and alert the security team when significant changes are detected.

All system identified in Control 1 should be scanned for known vulnerabilities and should alert the security team upon the discovery of new devices. To ensure this control is effective, the security team must conduct a periodic review that the daily and weekly assessments are working as configured and have completed successfully.

There are many more audit tools out there than those posted below:

Commercial Audit Tools

Freeware Audit Tools

IS Control 09 - Controlled Access Based on the Need to Know

2011-10-13T23:37:00.002+03:00

Whenever we are talking security, and assigning access control lists, the principle of least privileges comes up. Our firewalls should block all ports, but the once we need to do business. The same is true for file access control lists (ACLs). We should only allow read, or write, access to files as needed.

The principle of least privileges is very fundamental to information security, and closely related to the idea of "the need to know". This term tends to be used more in government and military contexts, but it is very valid in commercial networks as well.

For example, in order to obtain certain information, a user needs a certain "clearance" (usually a position in the company) and a need to know the information. Fine grained access controls like this are critically linked to the correct classification and labeling of information. As a start, one should probably first define different roles in the organization, and figure out what each role needs to know to get their work done. Later, the roles may be refined and access control may be further restricted. The same is true for information labels. Initially, one may break data down in rough categories and as the system is refined, coming up with closer categories might be required.

However a balance should be maintained. Nothing is more frustrating then security getting in the way of normal business processes and this is probably the fastest way to loose steam for such an initiative. This control should be considered a control for a more mature organization that already covered most other controls. This should be initiated slowly, and implementation of detective controls should be considered first before implementing enforcement. Instead of focusing on enforcing access controls, an organization may deploy log analysis to monitor users who accessed more files then others, or accessed curtain sensitive information.

IS Control 08 - Controlled Use of Administrative Privileges

2011-10-12T22:36:00.001+03:00

This control points out the need to to place tight controls around the use of Admin or any Powerful Privileges on all of your information assets. Essentially, what this means is Admin access (root/Administrator accounts) should be tightly controlled and monitored for use and abuse.

By implementing the following controls, we manage to lessen the opportunity for the abuse of privilege and provide accountability to the user that executes the administrator tasks.

Restrict the use of root/administrator password to the minimum, replacing it with personal accounts with sufficient rights for everyday administrator tasks. Limit access to the operational staff to an “as needed” basis. When crisis/incident/support needs arise, provide a mechanism for them to “check out” or “look up” the root password
Automate the changing of the root/administrator password on a regular basis.

IS Control 07 - Application Software Security

2011-10-11T21:57:00.004+03:00

The control describes WAF (Web Application Firewall) use, input validation, testing, backend data system hardening, and other well-defined practices. The control states:

Organizations should verify that security considerations are taken into account throughout the requirements, design, implementation, testing, and other phases of the software development life cycle of all applications.

It can be argued that, as a canonical principle, strong SDL/SDLC practices woven into the entire development and deployment process leads to reduction of attack vectors. Reduce said vectors and mitigation provided by enhanced controls become less of a primary dependency. Long story short, moving SDL/SDLC practices to the front of the line, while not a “quick win,” can be a big win. That’s not to say that SDL/SDLC replace or supplants controls, but a reduction in risk throughout the development process puts the onus on secure code where controls become an additional layer of defense rather than the only layer of defense.

In addition, testing "in-house-developed" and "third-party-procured" web applications for common security weaknesses using automated remote web application scanners and static source code analyses should be used.

IS Control 06 - Security Audit Logs Management

2011-10-10T23:35:00.002+03:00

One of the keys for this control is that all of the log generating devices (routers, switches, firewalls, servers, workstations, e.t.c) be synchronized, so NTP is our friend.

Another key is to collect the logs somewhere other than the device that generates them, our "central log server." This server should be one of your most locked down, best protected servers in the enterprise. This way, even if the bad guys breach one of the servers and are able to modify the logs on the server to hide their tracks, there will still be the unmodified copy of the logs on the log server.

All of this does no good if we aren't actually looking at the logs and this is where some software to automate things and/or an experienced analyst is needed. The software is going to be necessary because sheer volume can quickly be generated. This doesn't necessarily mean that one needs to spend a lot of money though. While the commercial SIEM packages are good, a lot can be accomplished a lot with a free software like awk and grep. In 1997, Marcus Ranum introduced the notion of "artificial ignorance," the idea of using software to remove the "known good" entries to let the analyst concentrate on the new/unusual stuff.

Hacking History - Part Four

2011-10-09T17:19:00.000+03:00

Dennis M. Ritchie R.I.P

2011-10-09T08:14:00.005+03:00

The news that Dennis M. Ritchie, the creator of the C Programming language, his co-authoring of the book The C Programming Language and well known for contributing to the creation of the UNIX Operating System, died on October 8, 2011, hit the Internet headlines.

It is an understatement that every computer scientist and professional have been standing on Dennis M. Ritchie's shoulders for years. Dennis M. Ritchie was a giant and can be recognized as such. Simply put, this world is a better, more productive and richer place because of Dennis M. Ritchie. We all owe a bit gratitude.

*/
#include <stdio.h>
int main () {
printf("goodbye, dmr. RIP.\n");
}
/*

IS Control 05 - Boundary Defence

2011-10-07T23:13:00.008+03:00

It has been recognized by many organizations that protecting the perimeter, whilst important, is no longer what it is all about. Many organizations have what what we generally consider a hard crunchy outside and a soft squishy centre. The "internal" network is expanding into people's homes via VPN, onto mobile devices, into partner organizations and more. So boundary protection is nowadays more appropriate than perimeter protection. This is reflected in some of the standards that are around (think PCI-DSS and various government specific standards). A few years ago internal network segmentation was not very common. Today we are starting to see more network segmentation within organizations and people are exercising more control over traffic that flows through the network.

Many of the more spectacular breaches in the past year or two have been traced back to client side attacks. This is where good boundary defenses can help reduce the risk. For example an organization that has thought about the different types of uses for their network, the location of their data and how that data is to be accessed can start segmenting the network. Measures can be implemented to control the traffic or monitor it at the different boundaries. Client side attacks may still work, but the ex-filtration of data may be detected and the impact of the breach is reduced as the infected machine no longer has full access to whole network.

When thinking about boundary defense it also pays to think about how traffic is supposed to flow through the environment. As part of this policies should be in place that govern the enforcement of this flow, e.g. no direct connections to the internet, all traffic must flow through a DMZ, etc. Once the architecture is straight and information flows are established within the environment, then it is time for adding technical controls.

Network segments flow controls

Firewalls, external facing and internal.
Routers with ACLs
Intrusion Prevention System (IPS)

Traffic flow controls

Web traffic. Web filter to detect malware, filter access to malicious domains, perform URL filtering.
Mail. Mail relay in DMZ, Implement Sender Policy Framework (SPF) and/or DKIM to help others identify authorised mail senders.
Remote Access. Two factor authentication, and control network traffic

Visibility Controls

DLP solutions. Monitor all traffic for sensitive information.
Intrusion Detection. - Identification of threats in traffic flows on the network or use of Host IDS to identify specific host threats.
Central logging and review (e.g. SIEM).

Please keep in mind that the aforementioned list of ways to defend the boundary is indicative and not exclusive.

IS Control 04 - Secure Configurations for Network Devices

2011-10-06T22:22:00.017+03:00

Hardening network infrastructure is an often overlooked step. For some reason, switches and routers often fall into the category of "it works, we must be done". Or, if it was hardened when installed, it'll be checked off as "done" (as in "done forever").

If we think about it, our routers, switches and firewalls touch "everything". We really should put a sustained effort into securing these devices as vital parts of the infrastructure. Don't limit ourselves to routers, switches and firewalls in this - we have to be sure to include Fiber Channel switches, Load Balancers, IPS servers and appliances in this category also.

This sustained effort should have all the usual suspects:

Backups
Change Control
Logging and Time synchronization
Name user accounts (often using a back-end directory for authentication)
Encrypted administration protocols
Verify boot Images before installing, and periodically after
Periodically update to remediate security exposures
Harden the device using a public or custom Benchmark
Audit the final configs against the Benchmark

Finally, let's not neglect vendor documentation in your efforts (Cisco, Juniper e.t.c). Vendor docs will include their own security and hardening guides and documentation - in many cases the same recommendations are covered, but the specific commands will of course vary from vendor to vendor. In other cases, they'll have security guidance that is specific to that vendor's features, platform or technology (fiber channel for instance will have quite different security guidance compared to ethernet)

Steve Jobs R.I.P.

2011-10-06T07:40:00.000+03:00

The technology world was saddened to learn today that Steve Jobs, co-founder and former CEO of Apple Inc., has passed away age 56. After bringing the company back from the brink of bankruptcy and turning it into one of the world's most successful technology companies, Jobs lost the battle with pancreatic cancer.

IS Control 03 - Secure Configurations for Hardware and Software

2011-10-05T22:32:00.006+03:00

Like the two prior controls, this is all about gaining control of our network. Control 1 and Control 2 identify all the hardware and software in our environment. With current Control, we make sure that this software (and hardware) is configured securely.

There are two problems that should be solved here:

establishment of a baseline configuration. There are a number of well respected organizations that publish standard configurations. For example the Center for Internet Security, the NSA and DISA hardening guides and of course guides provided from vendors like Apple and Microsoft. In most cases, these configuration guides will serve as a starting point, and we will have to adjust them to our local preferences and needs. Usually a couple of different configuration templates for different roles are required. Hardened configurations are known to cause problems with patching and some advanced software features. The closer we stick to one of the well established guidelines, the more likely we are going to find help in working around these problems.
maintenance of the baseline configuration. Nothing is static, in particular in IT. Configurations will change, patches need to be applied and new threats will require you to reconsider some of the choices we made when originally setting our default system configuration. However, all changes made to systems need to be carefully controlled and need to be applied consistently. Configuration management tools will help getting this job done. The configuration needs to be monitored continuously with tools like Aide or Tripwire to identify unauthorized changes quickly.

IS Control 02 - Inventory of Authorized and Unauthorized Software

2011-10-04T22:36:00.003+03:00

From a support point of view, when someone calls the Helpdesk with a "there's something going on with my pc" question, very early in the process one will want to know what is installed on that computer, and then what versions of each installed application. It's also handy to know "when" things were installed - if things just started to go wrong, knowing what was just installed is a must-know. Of course, the person making the call will always say "I didn't install anything", but once that list is available, the hasty "oh, except for that" is generally quickly forthcoming.

So a software inventory is useful for support, but what is the reason for being second on the Information Security Controls list?

Well, if the users has rights to install their own software, they will. Even if they do not have this right, they will keep trying in order to achieve this. As time goes by it is not likely that they'll install patches and updates, as well as version updates. This highlights the big gaping hole in the "I'll admin my own machine" end-user argument. Six months after they are given rights to administer their own computer, their software will be six months out of date, and the machine will have six months worth of security vulnerabilities on it (and most likely the exploits to match them). Not a good thing to plug back into the head office LAN.

For all the above reasons, an inventory of authorized and unauthorized software should be in place.

IS Control 01 - Inventory of Authorized and Unauthorized Devices

2011-10-03T22:30:00.000+03:00

Knowing what assets are in an environment is critical to the security of the environment. We know that many attackers use automated processes to identify and attack machines on the internet. If we are not aware of what internet facing information assets, or they are not controlled, then it is likely that they will be discovered and compromised quickly. So it is quite important to know what is actually there.

In order to achieve that, one needs to be able to control what is plugged in. Failing that, one needs to know when something has been plugged in. 802.1x controls or other forms of Network Access Control will help achieve the first, but this may not be suitable for all areas of an environment.

Detecting what is plugged in can be achieved in a number of ways. Tools like arpwatch will detect when something is plugged in. One could scan the network segment on a regular basis using something like nmap and use ndiff to compare the results. This will let us know when something is connected to the network.

One may be able to watch DHCP allocations and detect or prevent unauthorised allocations. In order for it to be effective some sort of inventory needs to be in place, since if one doesn't know what he has, then hr will not know what should or should not be there. The inventory should document the operating systems in use, the types of hardware used, switch types, printer types etc.

Social Engineering Assessment

2011-10-02T21:25:00.002+03:00

Attackers prey on humans’ inherent trusting nature, making the “human network” an easy avenue to gain access to sensitive information or to fully compromise an organization. The attacker works to gain a level of comfort or form a trust relationship with the individual (on the phone or via other means, i.e. email), and leverage that trust for an attack.

There are several components of Social Engineering Assessments, to address different ways of prompting a person to divulge information. Typical assessments utilize phone calls to individuals within a company with the objective of convincing the user to reveal sensitive information.

Originating phone numbers can be “spoofed” to appear to be calling from your phone block, to persuade the individual to download backdoors or to reveal such sensitive information as usernames, passwords, credit card information, salary information, and trade secrets.

Others, like client-side attacks, simulate the main attack methods of the hacking community: An attacker gains full access to an organization’s network and information assets simply by getting an employee to browse a Web site.

Because most organizations’ Internet-facing assets are a high security zone with layers of protection, attackers have shifted their methods and re-focused their attention onto organizations’ employees, taking advantage of human nature and weak security in client-side information assets.

Information (Cyber) Security Awareness Month 2011

2011-10-01T20:57:00.020+03:00

Information security is a vast field and it can be difficult to determine where our efforts will do the most good.

This year for Cyber Security Awareness Month the Internet Storm Center, part of the SANS Institute, are going to go through 20 critical controls, been built to provide guidance and address those areas that will improve the over all security of the organisation.

We should keep in mind, that even when those controls are implemented it is often difficult to determine whether they are working as expected or they are achieving their objective.

Finally, those controls won't solve all our problems, but they have the potential to solve many of those when implemented.

Wikinomics

2011-09-30T14:10:00.000+03:00

Wikinomics discusses many excellent and interesting high-level collaboration concepts.

The book takes numerous examples of next generation collaboration and social networks to point to the potential of the next generation of the web where customization, tailoring, self-publishing are viable business activities. The examples which range from assaying gold deposits to creating new rap albums are compelling. They lay the foundation for the principles of wikinomics that include:

Being open to allow customers, peers and others more access to your content, intellectual capital to collaborate and create something new
Peering to recognize that people form their own communities to create value, such as open source, and prefer these communities to traditional hierarchies that concentrate on control
Sharing to overturn the economics of scarcity in favor of wide distribution and tailoring. In this regard, value comes not form distribution but from application of your products and services

Don Tapscott and Anthony D. Williams have written an intriguing, necessary and, in some ways, groundbreaking book, which I would recommend to everyone...

Quote

2011-09-29T15:46:00.000+03:00

Three can keep a secret if two are dead - Benjamin Franklin

How to create an ISO image

2011-09-28T13:53:00.001+03:00

Trying to copy an entire disk image using cp command may sometimes not be successful, because cp omits the final block of the file, if it is of an unexpected length;

To the contrary, dd command will always complete successfully the copy of any disk image.

dd if=/dev/cdrom of=/home/dipin/mydisk.iso bs=2048 conv=sync,notrunc

whereas dev/cdrom and mydisk.iso should be replaced with specific file names and notrunc means do not truncate the output file

Samurai Web Testing Framework

2011-09-27T20:38:00.003+03:00

The Samurai Web Testing Framework, by InGuardians, is a live linux environment that has been pre-configured to function as a web pen-testing environment. The LiveCD contains the best of the open source and free tools that focus on testing and attacking websites.

Hacking History - Part Three

2011-09-26T11:54:00.000+03:00

Work@Home Assessment

2011-09-23T22:09:00.003+03:00

Although telecommuting, or working at home, has been offered by organizations for years, most of the times the architecture surrounding the remote access environment has never been tested. What an employee does on their computer at home can generate a host of issues that almost every organization would never face if that employee were in the office every day.

It’s important to test both technical and procedural controls to ensure proper safeguards have been implemented effectively.

For technical controls, there are two primary areas of review:

the remote access architecture including VPN, and
the end-user environment including patch levels and other host controls.

For procedural controls, the focus should be on reviewing an organization’s respective policies and procedures.

Object Oriented Programmer World

2011-09-21T22:35:00.002+03:00

Keypass

2011-09-20T09:05:00.000+03:00

Everyone of us need to remember a whole lot of different passwords for different sites/services we are using. We almost always need a password for the Windows network logon, our e-mail account, our website's FTP password, online passwords (like website member account), etc. The list is endless. Also, we should regularly change the passwords we use for each account. Because if we use only one password everywhere and someone gets this password we are in serious trouble... A serious problem. Whoever has our password would have access to all our accounts we are using, with the opportunity to impersonate us. Could you imagine?

KeyPass is a free open source password manager, which helps to manage our list of passwords in a secure way. We can include all our passwords in one database, which is locked with one master key or a key file. So we only have to remember one single master password or select the alternative of a key file to unlock the whole database which is encrypted using the best and most secure encryption algorithms currently known (AES and Twofish).

Risk Management ISO Standard

2011-09-18T12:26:00.001+03:00

ISO Standard for Effective Management of Risk - ISO 31000, provides principles, framework and a process for managing any form of risk in a transparent, systematic and credible manner within any scope or context.

The standard recommends that organizations develop, implement and continuously improve a risk management framework as an integral component of their management system.

ISO 31000 purpose is to help organizations:

Increase the likelihood of achieving objectives
Encourage proactive management
Be aware of the need to identify and treat risk throughout the organization
Improve the identification of opportunities and threats
Comply with relevant legal and regulatory requirements and international norms
Improve financial reporting
Improve governance
Improve stakeholder confidence and trust
Establish a reliable basis for decision making and planning
Improve controls
Effectively allocate and use resources for risk treatment
Improve operational effectiveness and efficiency
Enhance health and safety performance, as well as environmental protection
Improve loss prevention and incident management
Minimize losses
Improve organizational learning
Improve organizational resilience.

ISO 31000 can be applied to any public, private or community enterprise, association, group or individual.

Ubuntu Setup shell

2011-09-16T11:34:00.001+03:00

A few days ago, due to a GRUB error, I had to format one of my PCs and clean install Ubuntu from scratch.

Such a decision could be very easy or very difficult, depending on how much on how much will be lost. And I do not refer only to programs, which can be found very easily, I refer to the program and the full system configuration details.

The solution to this problem is unexpectedly easy. A shell script can do all the work for us:

Add the recommended repositories
Download and install the latest updates
Installs Ubuntu Tweak
Install codecs and the necessary plugins (Java and Flash) for Web Browser
Installs and setups the MPlayer
Uninstall the Empathy and Pidgin installs

Anyone who wants to give it a try can download the script from here.

Quote

2011-09-15T15:45:00.009+03:00

Data is the pollution of the information age - Bruce Schneier

Incident Response Plan Gap Assessment

2011-09-14T11:08:00.004+03:00

When an event occurs that adversely affects the safety and security of an organization’s personnel, information assets, and information, a predefined (designed) Incident Response Plan (IRP) is what is needed to bring together the required resources in an organized way during a chaotic time.

Most organizations do not have a well-defined IRP that:

ensures an approved policy is in place to define and address an incident, and
that incorporates and tests existing incident response procedures.

During an IRP Gap Assessment, existing gaps within the referenced policies, response methodologies, and accompanying procedures are identified.

Such as an assessment is strongly recommended to identify any security exposures or threats that are being missed within the current security program. This provides assurance that the IRP is properly implemented and tested, and correctly follows approved policies.

Crypto Quiz

2011-09-12T18:45:00.002+03:00

This is another chipher text puzzle.

br b xsu's lsad s gbcbup zbupbup xtfuqhv ztupz, vtf'gg zdd ld mbxabup fm xsuz sgtup qed zbkd trqed htsk. - jgsad zedgqtu, 1994

Hacking History - Part Two

2011-09-10T15:55:00.006+03:00

The Phone Phreaking has become widespread and due to the easy availability of Blue Boxes, more and more people are resorting to making free phone calls. Of course, AT&T discovered the glitch and set the cops behind Phone Phreakers. Blue Boxes became banned items and possession of one, constituted a crime.

During this time Steve Wozniak and Steve Jobs met up with John Draper, learnt the art of Phone Phreaking and started selling Blue Boxes. This was Apple's humble beginning.

Privacy Impact Assessment

2011-09-09T21:23:00.004+03:00

Although technically not a security assessment, Privacy Impact Assessment (PIA) is a process which enables organisations to anticipate and address the likely impacts of new initiatives, foresee problems, and negotiate solutions, in other words is a critical component of understanding an organization’s risk as it relates to protecting Personally Identifiable Information (PII). Risks can be managed through the gathering and sharing of information with stakeholders. Information systems can be designed to avoid unnecessary privacy intrusion, and features can be built in from the outset that reduce privacy intrusion.

A Privacy Impact Assessment is comprised of a privacy risk analysis, the identification of domestic and international data flows, the assessment of PII safeguards and privacy controls, and the development of a remediation plan and next steps.

PIAs have become mainstream activities in Canada, the USA and Australia, particularly in the public sector, and in some jurisdictions are legally required. Their use is also increasing in private sector projects that have significant potential for privacy impact and in personal-data-intensive business sectors.

Where to post your status updates

2011-09-08T18:47:00.000+03:00

OWASP Joomla Vulnerability Scanner

2011-09-06T09:34:00.004+03:00

OWASP Joomla Vulnerability Scanner version 0.0.1 of the regularly-updated signature-based scanner that can detect file inclusion, sql injection, command execution, XSS, DOS, directory traversal vulnerabilities of a target Joomla web site was released by OWASP.

The following features are currently available.

Exact version Probing (the scanner can tell whether a target is running version 1.5.12)
Common Joomla! based web application firewall detection
Searching known vulnerabilities of Joomla! and its components
Reporting to Text & HTML output
Immediate update capability via scanner or svn

Sudo Power

2011-09-05T18:08:00.002+03:00

Cryptography Engineering

2011-09-04T21:49:00.001+03:00

This is the updated version of the classic cryptography book titled Applied Cryptography.

I have a new book, sort of. Cryptography Engineering is really the second edition of Practical Cryptography. Niels Ferguson and I wrote Practical Cryptography in 2003. Tadayoshi Kohno did most of the update work—and added exercises to make it more suitable as a textbook—and is the third author on Cryptography Engineering. (I didn't like it that Wiley changed the title; I think it's too close to Ross Anderson's excellent Security Engineering.)

Cryptography Engineering is a techie book; it's for practitioners who are implementing cryptography or for people who want to learn more about the nitty-gritty of how cryptography works and what the implementation pitfalls are. If you've already bought Practical Cryptography, there's no need to upgrade unless you're actually using it.

Microsoft God Mode

2011-09-03T15:02:00.000+03:00

Windows 7 Operating System has a hidden God Mode that can be enabled rather easily. Ι

Ιf you are on Windows 7, create a new folder and name it


GodMode.{ED7BA470-8E54-465E-825C-99712043E01C}

The folder icon would change and it would get the name GodMode. This folder when opened would give you a long list of customizations that can be accessed from a central location.

Have fun...

Applied Cryptography: Protocols, Algorithms, and Source Code in C, Second Edition

2011-09-02T17:42:00.002+03:00

Cryptographic techniques have applications far beyond the obvious uses of encoding and decoding information. For Internet developers who need to know about capabilities, such as digital signatures, that depend on cryptographic techniques, there's no better overview than Applied Cryptography, the definitive book on the subject. Bruce Schneier covers general classes of cryptographic protocols and then specific techniques, detailing the inner workings of real-world cryptographic algorithms including the Data Encryption Standard and RSA public-key cryptosystems.

Bruce Schneier's Applied Cryptography is an excellent book for anyone interested in cryptology from an amateur level to actually being involved in the development of new encryption mechanisms. Schneier's book begins with a simple discussion of what is cryptography, and then he proceeds through the history of various encryption algorithms and their functioning. The last portion of the book contains C code for several public-domain encryption algorithms.

The book includes source-code listings and extensive advice on the practical aspects of cryptography implementation, such as the importance of generating truly random numbers and of keeping keys secure.

Quote

2011-09-01T07:01:00.014+03:00

The single biggest problem in communication is the illusion that it has taken place - George Bernard Shaw

Information Security vs. Compliance

2011-08-30T08:09:00.000+03:00

MultiISO LiveDVD v2.0

2011-08-29T20:33:00.047+03:00

MultiISO LiveDVD is an integrated Live DVD technology which combines some of the very popular Live CD ISOs already available on the internet. It can be used for security reconnaissance, vulnerability identification, penetration testing, system rescue, media center and multimedia, system recovery, etc.

MultiISO LiveDVD Version 2.0 consists of the following distributions:

Summer Drink Calling

2011-08-28T08:54:00.003+03:00

Since today is the last August summer day that we are going to spend \on a beach, I cannot think of anything better than a cold, refreshing mojito.

Ingredients

4.5cl. Havana Club
3cl. Fresh Lime Juice
2tsp. White Sugar
6 Mint Leaves
Soda Water

Method
Muddle mint leaves with the sugar and the lime juice in the bottom of a Collins glass. Add the rest of the ingredients and fill with ice. Top with soda and stir well.

Finally, garnish with a sprig of mint.

Hacking History - Part One

2011-08-27T22:03:00.003+03:00

Every culture has its beginning somewhere. In this sense, Computer hacking is no exception.

The History of Hacking video series is a 5 part documentary which runs down memory lane and presents important figures, facts and personalities of the Hacking culture. In History of Hacking Part 1, we will look at Phone Phreaking and John Draper a.k.a Captain Crunch and try and understand the string of events which molded the Phone Phreaking culture.

John is the guy who figured out that the whistle in the Captain Crunch serials box, had the same tone as AT&T’s long distance calling telephony systems. Thus using this whistle it was possible for Phone Phreakers to make long distance calls for free.

Linux 20th anniversary

2011-08-25T22:00:00.040+03:00

On one midsummer's night, exactly 20 years ago, a student at the University of Helsinki named Linus Torvalds, posted a query to the newsgroup comp.os.minix.

What would you like to see most in minix?

That Usenet post was the literal beginning of the Linux OS.

Back in 1991, Unix had existed for about 20 years, Apple had come out with its Mac OS in 1984, and Microsoft had been flogging Windows since 1985.

Linus Torvalds ambitions for the "new (free) operating system" were modest. He envisioned it as "just a hobby, won't be big and professional like gnu", he just wanted to explore the capabilities of his PC's 386 processor. Eventually, his memory management, process switching and I/O experiments developed into something that resembled a rudimentary operating system kernel.

When Linus Torvalds released version 0.01 on the internet, his idea of a free Unix clone to which anyone could contribute touched a creative vein in people. Today, it would be impossible to imagine an IT world without Linux.

Steve Jobs on computers*

2011-08-24T10:21:00.022+03:00

It takes these very simple-minded instructions - "Go fetch a number, add it to this number, put the result there, perceive if it’s greater than this other number" but executes them at a rate of, let’s say, 1,000,000 per second. At 1,000,000 per second, the results appear to be magic - Steve Jobs

* Tribune to Steve Jobs that ended his tenure as CEO of Apple.

WindowsXP 10th anniversary

2011-08-24T08:26:00.015+03:00

It's hard to believe how time passes by. It was ten years ago that Microsoft launched what would become the world's most popular desktop operating system; Windows XP first hit retail shelves. Despite its not good security track record, ts innovative interface design (back then) and its performance made it the most popular operating system in the world so far, having powered countless home and business PCs (it crossed the 400 million mark way back in 2006).

Even today, it is still the second most popular operating system, right after it's youngest brother Windows7.

Its wide adoption and the respective consumer demand, Microsoft decided that it would keep shiping on PCs until late 2010 and has pledged to support it until April 8th of 2014.

Beautiful Security

2011-08-22T18:10:00.002+03:00

This collection of essays is a very clearly written introduction to a number of current topics and techniques in computer security.

It is not a how-to book, but it includes several case studies and gives you a good idea of what is happening in the field. For the most part the book does not assume prior knowledge in the field, although occasionally a bit of hacker or security jargon is used without being defined.

WhatWeb Application Scanner

2011-08-21T18:07:00.003+03:00

WhatWeb is a useful tool in identifying content management systems (CMS), blogging platforms, stats/analytics packages, javascript libraries, servers and more.

WhatWeb has over 250 plugins that can identify systems with obvious signs removed by looking for subtle clues.

These are both passive and aggressive plugins, passive plugins use information on the page, in cookies and in the URL to identify the system. Aggressive plugins guess URLs and request more files. Plugins are easy to write, there is no need for someone to know ruby to create them.

7+1 Firefox Privacy Add-ons

2011-08-20T22:48:00.000+03:00

Firefox isn't just a web browser, it's also a pillar of the Internet community. It is a great choice for those interested in a feature-rich, stable and secure browser. When it comes to security and privacy, the Firefox picture is compelling, with over 600 plug-ins related to privacy and security. From those plug-ins, I consider the following as the top of their breed.

NoScript
NoScript is a powerful add-on that blocks and blacklists Javascript, Java, Flash, and other plug-ins by default. It features protections against Cross-Site Scripting (XSS), Flash XSS and clickjacking, to name a few.

BetterPrivacy
BetterPrivacy is an add-on that lets you manage LSO-cookies - or, as they are commonly known, flash cookies. Flash cookies are a newer and more enhanced way of storing information about you and your online activities than traditional cookies. Unlike the traditional Web cookie, flash cookies don't expire and can't be deleted within the browser's interface. Even "delete your recent history" doesn't remove these "super cookies."

Adblock Plus
Adblock Plus is a simple add-on that gives granular control over page elements such as ads/banners content in your browser experience. Although it does use a region-specific block list, you can configure filters with great flexibility, blocking or allowing content as you see fit.

Foxproxy
Foxproxy is a feature-rich proxy management add-on. It allows ease and customization in managing your proxy setting.

Firebug
Although Firebug is technically a Web-development tool, it certainly holds its weight in helping protect our privacy/security. This tool allows us to monitor, debug and edit the content of any website live in any webpage within the browser.

Torbutton
Torbutton is a simple add-on that allows you to configure Firefox to use Tor. For those unfamiliar with Tor, it is a distributed, community run network that provides relative anonymity/privacy to those utilizing it. Torbutton allows for a Firefox user to easily and quickly turn on Tor for some basic anonymity in their Internet activities.

FireGPG
FireGPG is an add-on that allows integration with the cross-platform, free software encryption suite GnuPG. (GNU Privacy Guard). GnuPG is an OpenPGP standards-based free software encryption tool that allows you to encrypt and sign your communications. FireGPG allows you to encrypt, decrypt, sign, etc. directly within Firefox

And last, but not least..

ShareMeNot
ShareMeNot is a Firefox add-on for preventing tracking from third-party buttons (like the Facebook "Like" button or the Google "+1" button) until the user actually chooses to interact with them. In other words, ShareMeNot doesn't remove these buttons, but allows them to render on the page, preventing the cookies from being sent until the user actually clicks on them, at which point ShareMeNot releases the cookies and the user gets the desired behavior (they can Like or +1 the page).

Ethical Hacker Job Description

2011-08-18T20:29:00.000+03:00

An Ethical Hacker performs network and application-based security vulnerability assessments and penetration tests in accordance with industry-accepted methods and protocols.

Some of the key areas in which an Ethical Hacker is expected to be active are:

Networking
Windows and UNIX systems security
Applications & Scripts (C# / .NET, Python, BASH, Perl, Ruby)
Web security (IIS / Apache)
SQL
Cloud computing

The responsibilities of an Ethical Hacker include, but are not limited to:

Management of security projects, IT security penetration testing and vulnerability assessments using various network and application testing methodologies across public and private networks
Documentation and presentation of security-testing results (final reports and presentations) to the executive, middle management, and technical teams
Review of network architecture and security
Risk assessments, vulnerability assessments, and manage intrusion detection/prevention mechanisms
Management and remediation of the results of various security incidents as/when they occur
Evaluation of new and proposed security systems and technologies
Definition of monitoring criteria and process for ensuring that industry best practices are maintained
Assessment of security awareness training using social engineering

In order to be a successful Ethical Hacker, one has to hold the below skills and experiences:

Strong ethics and understanding of ethics in business and information security
Degree in either Computer Engineering, Computer Science, or Information Systems Management
Understanding and familiarity with common penetration testing methods and standards
Understanding of security issues on both Microsoft and *NIX operating systems
Strong knowledge of network equipment, protocols, cyphers
Experience with exploitation frameworks (e.g., MetaSploit, Core Impact)
Experience with vulnerability scanning tools (e.g., Qualys, Nessus, Nexpose, Saint)
Experience with web application vulnerability scanning tools (e.g., IBM AppScan, HP Webinspect, Acunetix, NTOSpider, Burpsuite)
Experience with static analysis tools (e.g., IBM Appscan Source, HP Fortify)
Experience with high level programming languages (e.g., Java, C, C++, dotNET)
Experience with web application development (e.g., ASP.NET, ASP, PHP, J2EE, JSP)
Minimum of 3 years work experience performing security penetration tests or internal technical security audits
Ability to present and articulate findings to technical staff and executives
Excellent analytical, organizational, and communication skills
Proficient English language written and oral communication skills
Investigative skills

If you love someone

2011-08-17T23:09:00.000+03:00

Shakespeare: if you love someone, set her free .... If she ever comes back, she's yours, if she doesn't, here's the poison, suicide yourself for her.

Optimist: If you love someone, set her free .... Don't worry, she will come back.

Suspicious: If you love someone, set her free .... If she ever comes back, ask her why.

Impatient: If you love someone, set her free .... If she doesn't comes back within some time forget her.

Patient: If you love someone, set her free .... If she doesn't come back, continue to wait until she comes back.

Playful: If you love someone, set her free .... *If she comes back, and if you love her still, set her free again, repeat*

C++ Programmer:
if(you-love(m_she))
m_she.free();
if(m_she == NULL)
m_she= new CShe;

Lawyers: If you love someone, set her free, Clause 1a of Paragraph 13a-1 in the second amendment of the Matrimonial Freedom Act clearly states that....

Bill Gates: If you love someone, set her free, if she comes back, I think we can charge her for re-installation fees but tell her that she's also going to get an upgrade.

Biologist: If you love someone, set her free, She'll evolve.

Statisticians: If you love someone, set her free, if she loves you, the probability of her coming back is high If she doesn't, the Weibull distribution and your relation was improbable anyway.

Salesman: If you love someone, set her free .... If she ever comes back, deal! If she doesn't, so what! "NEXT".

Schwarzenegger's fans: If you love someone, set her free, SHE'LL BE BACK!

Insurance agent: If you love someone, show her the plan .... If she ever comes back, sign her up, if she doesn't, keep follow up with her and never give up!

Physician: If you love someone, set her free.... If she ever comes back, it's the law of gravity, if she doesn't, either there's friction higher than the force or the angle of collision between two objects did not synchronize at the right angle.

Mathematician: If you love someone, set her free.... If she ever comes back, 1 + 1 = 2 (peanut!), If she doesn't, Y = 2X - log(0.46Y^2 + (cos(52/34X)) x 5Y^(-0.5)c) where c is the infinite constant of no turning point.

Nowadays' style: If you love someone, set her free. If she comes back, she is yours. If she doesn't, hunt her down and kill her...!!! or perhaps report to immigration that she is an illegal

If you love someone
Why in the first place set her free???
Careless Idiot

Cracking .zip files passwords

2011-08-15T20:57:00.000+03:00

One of the best tools to crack .zip file passwords in linux environments is fcrackzip.

fcrackzip is a fast password cracker partly written in assembler. It is able to crack password protected zip files with brute force or dictionary based attacks, optionally testing with unzip its results.

Install fcrackzip in Debian
sudo aptitude install fcrackzip

This will complete the installation.

fcrack Syntax

fcrackzip [-bDBchVvplum2] [--brute-force] [--dictionary] [--benchmark] [--charset characterset] [--help] [--validate] [--verbose] [--init-password string/path] [--length min-max] [--use-unzip] [--method name] [--modulo r/m] file

Santa Maria Name Day

2011-08-14T23:22:00.007+03:00

Even though I do not celebrate my name today, I would like to wish to all my good friends that do, to have a great Name Day.

Is there a better way to celebrate Santa Maria other than a Santa Maria cocktail?

Ingredients

1 oz Tequila
1 oz Spiced Rum
1 dash Sweet Vermouth
1 slice of Orange

Method
Combine all ingredients except orange in shaker with ice. Shake gently, and strain into chilled cocktail glass, then garnish with orange slice. Finally, serve in a cocktail glass.

Cheers guys and girls...

The Myths of Security

2011-08-13T13:33:00.000+03:00

If you think computer security has improved in recent years, The Myths of Security will shake you out of your complacency. Longtime security professional John Viega, formerly Chief Security Architect at McAfee, reports on the sorry state of the industry, and offers concrete suggestions for professionals and individuals confronting the issue.

Why is security so bad? With many more people online than just a few years ago, there are more attackers who are truly motivated. Attacks are sophisticated, subtle, and harder to detect than ever. But, as Viega notes, few people take the time to understand the situation and protect themselves accordingly. This book clarifies:

Why it's easier for bad guys to "own" your computer than you think
Why anti-virus software doesn't work well -- and one simple way to fix it
Whether Apple OS X is more secure than Windows
What Windows needs to do better
How to make strong authentication pervasive
Why patch management is so bad
Whether there's anything you can do about identity theft
Five easy steps for fixing application security, and more

Provocative, insightful, and always controversial, The Myths of Security not only addresses IT professionals who deal with security issues, but also speaks to Mac and PC users who spend time online.

IBM Personal Computer 30th Anniversary

2011-08-12T08:51:00.019+03:00

IBM Personal Computer, commonly known as IBM PC, is the original version and progenitor of the IBM PC compatible hardware platform. The first model, IBM model number 5150, was introduced exactly 30 years ago, on the 12th of August 1981, created by a team of engineers and designers under the direction of Don Estridge of the IBM Entry Systems Division.

Even though the term "personal computer" was already in use before 1981 - as early as 1972 to characterize Xerox PARC's Alto - because of the success of the IBM Personal Computer, the term PC came to mean more specifically a microcomputer compatible with IBM's PC products.

IBM PC Characteristics

Release date: August 12, 1981
Discontinued: April 2, 1987
Operating System: IBM BASIC / PC-DOS 1.0, CP/M-86, UCSD p-System
CPU: Intel 8088 @ 4.77 MHz
Memory: 16 kB ~ 256 kB
Other Features: Floppy disk or cassette system

The success of the IBM computer led other companies to develop IBM Compatibles, which in turn led the IBM PC to become the industry standard.

Password Strength

2011-08-10T06:19:00.001+03:00

First Crypto Quiz

2011-08-09T00:04:00.002+03:00

This is a pretty easy chipher text puzzle. Could you decrypt it?

Pbatenghyngvbaf lbh unir qvfpbirerq gung guvf zrffntr jnf rapelcgrq hfvat ebg guvegrra

Basic Cryptanalysis for Substitution Ciphers

2011-08-08T23:52:00.000+03:00

All substitution ciphers/cryptograms can be cracked by using the following tips:

Scan through the cipher, looking for single-letter words. They’re almost definitely A or I.
Count how many times each symbol appears in the puzzle. The most frequent symbol is probably E. It could also be T, A, or O, especially if the cryptogram is fairly short.
Pencil in your guesses over the ciphertext. Do typical word fragments start to reveal themselves? Be prepared to erase and change your guesses!
Look for apostrophes. They’re generally followed by S, T, D, M, LL, or RE.
Look for repeating letter patterns. They may be common letter groups, such as TH, SH, RE, CH, TR, ING, ION, and ENT.
Try to decipher two-, three-, and four-letter words.
- Two-letter words almost always have one vowel and one consonant. The five most common two-letter words, in order of frequency, are OF, TO, IN, IS, and IT.
- The most common three-letter words, in order of frequency, are THE, AND, FOR, WAS, and HIS.
- The most common four-letter word is THAT. An encrypted word with the pattern 1 - - 1 is likely to be THAT. However, the pattern 1 - - 1 also represents 30 other words, so keep this in mind!
Scan for double letters. They’re most likely to be LL, followed in frequency by EE, SS, OO, and TT (and on to less commonly seen doubles).

Change the World

2011-08-07T18:55:00.000+03:00

I would love to change the world, but they do not give me the source code - j@nus

First Web Page 20th Anniversary

2011-08-06T08:46:00.016+03:00

Today, there are millions, most probably billions pages do you think are online. However, none of them existed 20 years ago.

On August 6, 1991, Tim Berners-Lee posted the first website, and the world wide web became publicly available.

This first website was dedicated to information on the World Wide Web project and explained what people could find online. It ran on a NeXT computer at the European Organization for Nuclear Research (CERN).

The first web page address was http://info.cern.ch/hypertext/WWW/TheProject.html, it outlined how to create Web pages and explained more about hypertext and in 1992 it looked like this (no screenshots were taken of the site before 1992).

Hiring and Career Guides to the Information Security Profession

2011-08-05T22:55:00.002+03:00

(ISC)² has published “Hiring Guide to the Information Security Profession”, a free reference guide for Human Resources (HR) professionals, hiring managers and recruiters, provides tips on how to best find, recruit, hire and retain qualified information security staff.

Written with input from leading Human Resources, recruiting professionals and subject-matter experts, the Hiring Guide highlights the history and growth of the information security profession, typical job functions and career paths, and ideal candidate traits.

In addition to that, Career Guide to the Information Security Profession is published as a free reference guide for Information Security professionals providing tips on how to best find and fill worth noticed Information Security vacancies.

Lightweight Portable Security

2011-08-04T19:19:00.021+03:00

Lightweight Portable Security (LPS), created as part of the Software Protection Initiative, is a Linux LiveCD focusing on privacy and security.

Targeting telecommuters and others who need to access corporate or secured networks from untrusted remote locations, Lightweight Portable Security (LPS) creates a secure end node from just about any Intel-based PC or Mac computer.

It works by booting a thin Linux operating system from a CD or USB flash disk without mounting a local hard drive. Nothing need be installed, and administrator privileges are not required. It executes from RAM, providing a web browser, a file manager and some other interesting tools. Finally, it does not mount the hard drive of the host machine, so no trace of work activity can be written to the local computer.

Although there are other security and privacy focused Linux distributions and technologies available, including Security Enhanced Linux (SELinux), Lightweight Portable Security (LPS)'s telecommuter focus, makes it a potentially compelling choice for the growing masses of business users who rely on remote access. As a regular telecommuter myself, this is one I'll be checking out.

Summer Vacation Information Security

2011-08-03T07:03:00.074+03:00

Don't let computer threats ruin your summer vacation. Follow these few easy tips and enjoy the summer with peace of mind.

As summer time approaches, PandaLabs, the anti-malware laboratory of Panda Security, advises users to take particular care with social networking sites to prevent falling victim to infection and computer fraud.

Having the latest Internet trends in mind, the following advice will assist in safeguarding users' security during summer vacation season:

Be careful with information posted on social networks. Details like holiday dates, especially if details of residential address are available on the same social network should not be posted online.
Use parental control programs. During the summer vacation, children will no doubt be using the computer more than usual. That's why it is as important as ever to instruct them on how to use the Internet safely. It's a good idea to set timetables for using the Internet, keep an eye on them when they are browsing and prevent them from accessing certain pages or content that could be unsuitable for them. Given that parents will not always be around to monitor how children use the Web, it is advisable to use a parental control program, a tool that will help establish which Web pages children can see, and which they can't.
Pay attention to your email, as this is a frequently used channel for spreading threats, as well as phishing attacks and other scams distributed in spam. Typically at this time of year, waves of spam emerge offering unrealistically cheap holidays. These messages either surreptitiously ask users to reveal confidential data or prompt them to download information, which is usualy an infected file. So, needless to say, all emails should be ignored from unknown senders.
Take precautions if shared computers are used. Passwords should not be entered in shared computers as you can never be sure whether they are infected or not. If surfing the Web or chatting in an Internet cafe, using a computer with an up-to-date antivirus solution installed is recommended. The following precautions should be taken as well: Firstly, any option that saves passwords on the local computer when logging into accounts from public computers should not be enabled. This would obviously allow the next user of the computer to access any of your accounts. Also, make sure the computer is not infected. At the first suspicious sign (pop-ups, malfunction, etc.), stop using the computer. Finally,shared computers for bank transfers should not be used.
The latest security patches for all applications should be promptly installed. Cyber-crooks frequently launch attacks that exploit security holes in commonly-used programs. Developers are continually making security patches available to resolve the problems detected. It is therefore a good idea to update applications on your computer just before you go on vacation and also when you come back.
Leave router switched off. This will prevent other users connecting to your network -possibly with malicious aims- in your absence.
Don't connect to unprotected Wi-Fi networks, as this could be a hook up to a network set up by hackers to steal any information that is shared across the Internet. It is always better to use secure, trusted networks.
Make sure that an up-to-date and active antivirus solution is installed on the computer used.

Quote

2011-08-02T08:44:00.007+03:00

Wise men talk because they have something to say; fools, because they have to say something - Plato

On Air Reloaded

2011-08-01T00:12:00.002+03:00

I am on air at last... Things have been a little bit strange the last three years and I hope that this will be an outlet of the madness of the past.

This effort has not, and never will, come to an end. To the contrary, this is the beginning and will be evolving as long as I have the time and I am in the right mood.

Stay tuned...