Friday, June 21, 2002

Core makes an Impact
PENETRATION TESTING is a standard method for evaluating an organization's network security posture. These assessments can be performed from the standpoint of a malicious insider on the corporate network or a malicious outsider trying to compromise systems from the Internet. Some organizations perform these tests internally, but most hire outside consulting firms.

In either case, because there is no standard method of performing a penetration test, the quality of the results depends to a great extent on the knowledge and skill of the penetration testers on the job that day. Core Security Technologies has addressed this problem with Impact, a penetration testing framework that allows organizations to share knowledge and provide consistency across testing engagements. Its ease of use, innovation, and flexibility earned it a Deploy rating in our tests.

Thursday, June 20, 2002

PGP Encryption Explained
After I was asked to write a short tutorial on PGP / Encryption and E-mail security for newbies, I did what all writers do in such a case, I started to do some research. Because although I have been working with PGP for quite some years now, one can never know everything. I was going to write about PGP, so the best place to start seemed to be the official PGP manual that comes with the PGP software. But, after reading the first few pages of the official manual I came to the conclusion that the people of Network Associates have done a great job in making the official manual simple and easily understandable for anyone without any sort of knowledge of, or experience with, encryption. So why would I write another tutorial about it then? That's what I asked myself. Why do all this work when someone has done it already? Well, first of all, I could just point the official manual out to you guys, and tell you to read it, but then most of you probably wouldn't, and second of all, that would leave the Neworder newsletter (for which this tutorial is originally written) without an article. Then what? Well I could just copy everything that's in the official manual, but that's not like me, and no-one would benefit from that. However, I decided to write the tutorial anyway. The basic introduction to Cryptography might have some resemblances to the PGP official manual, but hey... that's quite normal since both documents are about PGP ;-) In the rest o
What Really Is ‘Forensics’?
It's several years later, and now every security professional services company 'does forensics.' Trouble is, they still all define it differently. When it comes to seeking help in digital forensics and incident investigation it absolutely is a 'buyer beware' market. I have heard of very reputable, high-level training for one of the most important certifications in our business that absolutely has it wrong in how we should perform such basic forensic functions as collecting an image from a computer under investigation. The training teaches (and, presumably, the test requires), as an example that you do things in the computer shutdown process that no experienced forensic professional would ever do.
Echelog
Echelog is a distributed agent/server system. Agents are installed on the monitored computers, where they actively watch state (logged-on users, running processes, network connections, system logs and so on) and send the gathered data to one or more servers. Communication between agents and server is secured and authenticated with SSL and certificates. The server receives the data, processes it and stores it; later you can browse through the log with simple command-line tools or a web front end.
Understanding Network Encryption
Network encryption ensures that data sent across a network from one host to another is unreadable to a third party. If a sniffer intercepts the traffic, the captured data is useless to the attacker because it is encrypted, so usernames, passwords and other content are not exposed in transit. What encryption protects is confidentiality on the wire: it does not protect data at either endpoint, and the two peers must also be authenticated (for SSH, by checking the server's host key), because an attacker who can interpose between them could otherwise decrypt on one side and re-encrypt on the other. All communicating systems must support the same network encryption technique, such as Secure Shell (SSH). Network encryption is used for any data transfer that requires confidentiality.
Since the Internet is a public network, network encryption is essential. E-commerce transactions must ensure confidentiality to protect credit card and personal information. Personal banking Web sites and investment companies often require extremely sensitive information to be sent, such as bank account numbers and tax identification numbers. If these usernames, passwords, and personal information fell into the wrong hands, the information could be used for a front-door attack, since the hacker could pose as a legitimate user. Rlogin, remote shell (rsh), and Telnet are three notoriously unsafe protocols.
They do not encrypt the login exchange or any of the data that follows. For example, if you are an administrator and you log in to a system via Telnet, your username and password are sent in clear text, and so is every command you type and every line of output. Rsh and rlogin send all data between two hosts in clear text as well; worse, they often require no password at all, because they trust the client's host name and user name as listed in .rhosts or hosts.equiv, a check that a host with a spoofed address can satisfy.
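What a sniffer actually recovers from a cleartext login versus an encrypted one, as an added example that is not part of the original article. The two "captures" below are constructed by hand to look like reassembled TCP payloads (server-to-client and client-to-server, in order); they are not real packet dumps, and the function names are this example's own.

```python
"""Pull a Telnet login out of captured cleartext, as a sniffer would,
and show that the same logic finds nothing in an SSH session."""

IAC, SB, SE = 0xFF, 0xFA, 0xF0
OPTION_CMDS = {0xFB, 0xFC, 0xFD, 0xFE}   # WILL, WONT, DO, DONT: three-byte sequences


def strip_telnet_negotiation(data: bytes) -> bytes:
    """Drop IAC option negotiation so only the bytes typed or printed remain."""
    out, i = bytearray(), 0
    while i < len(data):
        b = data[i]
        if b != IAC:
            out.append(b)
            i += 1
        elif i + 1 < len(data) and data[i + 1] == IAC:    # escaped literal 0xFF
            out.append(IAC)
            i += 2
        elif i + 1 < len(data) and data[i + 1] in OPTION_CMDS:
            i += 3
        elif i + 1 < len(data) and data[i + 1] == SB:     # subnegotiation ... IAC SE
            end = data.find(bytes([IAC, SE]), i + 2)
            i = len(data) if end < 0 else end + 2
        else:                                             # any other two-byte command
            i += 2
    return bytes(out)


def extract_credentials(session):
    """session: ordered list of (direction, payload), 's' = server->client,
    'c' = client->server. Returns [(username, password), ...] seen in cleartext."""
    creds, state, buf, user, prompt_tail = [], None, bytearray(), None, b""
    for direction, payload in session:
        text = strip_telnet_negotiation(payload)
        if direction == "s":
            # Only the end of the server output matters: is it a login or password prompt?
            prompt_tail = (prompt_tail + text)[-64:].lower()
            if prompt_tail.endswith((b"login: ", b"username: ")):
                state, buf = "user", bytearray()
            elif prompt_tail.endswith(b"password: "):
                state, buf = "pass", bytearray()
            continue
        for b in text:
            if state is None:            # client bytes outside a prompt are ignored
                break
            if b in (0x0D, 0x0A):        # Enter ends the field
                value = buf.decode("ascii", "replace")
                if state == "user":
                    user = value
                else:
                    creds.append((user, value))
                    user = None
                state, buf = None, bytearray()
            else:
                buf.append(b)
    return creds


TELNET_SESSION = [                       # constructed sample, not a real capture
    ("s", b"\xff\xfd\x18\xff\xfd\x1f"),  # server: IAC DO TERMINAL-TYPE, IAC DO NAWS
    ("c", b"\xff\xfc\x18\xff\xfc\x1f"),  # client: IAC WONT ..., IAC WONT ...
    ("s", b"\r\nlogin: "),
    ("c", b"a"), ("s", b"a"),            # the server echoes each typed character
    ("c", b"dmin"), ("s", b"dmin"),
    ("c", b"\r\n"),
    ("s", b"\r\nPassword: "),
    ("c", b"s3cret\r\n"),                # not echoed, but still cleartext on the wire
    ("s", b"\r\nLast login: Fri Jun 21 2002\r\n$ "),
]

SSH_SESSION = [                          # constructed: only the banner is readable
    ("s", b"SSH-2.0-OpenSSH_3.4p1\r\n"),
    ("c", b"SSH-2.0-OpenSSH_3.4p1\r\n"),
    ("c", bytes.fromhex("000001a40b14f3a28c9e71d0534b0f6e8127a9c4")),  # opaque bytes
    ("s", bytes.fromhex("0000008c0a1e9d4c7b3fa0e5c62d8b19f47e30a2")),
    ("c", bytes.fromhex("5b2f9e10c4d7a883f16e2b9c0d45aa7e")),          # the login, encrypted
]


if __name__ == "__main__":
    print("telnet:", extract_credentials(TELNET_SESSION))   # [('admin', 's3cret')]
    print("ssh:   ", extract_credentials(SSH_SESSION))      # []
```

The prompt matching is deliberately loose (anything ending in "login: ", "username: " or "password: "), which is exactly why a sniffer on a hub or a mirrored port needs no protocol knowledge to harvest Telnet logins; the SSH stream yields nothing because after the banner exchange there is no structure left to match on.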

Wednesday, June 19, 2002

WhiteHat Arsenal Tool Set Aims to Knock Off Web Site Black Hats
Only a handful of tools can assist with QoS (Quality of Service) testing before applications go live. Enter WhiteHat Security's WhiteHat Arsenal 2.0, a collection of basic tools that help security professionals test Web applications for common security vulnerabilities, priced in the middle of the competitive range. But though Arsenal has several good features, the lack of automation for basic operation and the nonexistent vulnerability identification will hinder users who don't have solid security and programming backgrounds.
Although a security background is an obvious criterion for using a security tool, the need for a programming background may come as a surprise. But to make the best use of Arsenal in protecting Web apps, you need to understand how the languages behind these applications (ASP, PHP and ColdFusion) affect Web security.

Bottom line: Arsenal is good for security pros conducting basic Web application testing, but the cost is high considering the lack of features.
Multi-Port Tap
In-line taps in multiport configurations give simultaneous access to all network traffic, including all physical errors, from both sides of a full duplex link, along with the ability to rove between segments. In-line taps maximize visibility and minimize link downtime on full duplex switched LANs and SANs. They are completely passive to network traffic and allow for analysis of individual segments. Finisar Systems' 10/100 Mb in-line UTP taps support the new IEEE 802.3af in-line power standard: the UTP Tap IL/12, when installed in an in-line powered link, passes the 48 volt power signal unaffected to the IP phone while copying the data signal faithfully to the analyzer.
Implementing Networks Taps with Network Intrusion
Over the past decade or so, the use of switches to replace hubs has increased substantially. This is largely due to the increased size of networks, and the requirement for increasingly faster and more efficient networks. On most networks, the data must now be dependable and timely. This transition from hubs to switches, however, has generated a conflict with already deployed and designed network intrusion detection systems.
To combat design conflicts between network intrusion detection systems (NIDS) and switches, network taps were created. A tap gives a monitoring device a copy of all traffic on a link, regardless of what the switch would forward to that port. Network taps are also very useful for passive network troubleshooting and analysis. Further, a tap makes the attached NIDS more secure: the monitoring side of a passive tap only receives, so an attacker on the monitored link has no path by which to send packets to the sensor and attack it directly. This article will offer an introductory overview of taps, including: what taps are, why they should be implemented, their role in improving network security, how they should be implemented, and the economic benefits of taps.
u n d e r g r o u n d s e c u r i t y s y s t e m s r e s e a r c h
Windows NT Audit tools.
Office of Surveillance Commissioners
This website is primarily designed to be used by those who authorise and conduct covert surveillance operations and covert human intelligence sources (as informants and undercover officers are now known). It shows you how to carry out these activities in compliance with the powers granted by Parliament, and how the OSC monitors the exercise of those powers. By way of practical help we have identified some key points, some sources of advice, and some examples of good and bad practice.
All you need to know about legal spying
The government has launched a website to advise organisations on how to snoop on phone calls, email and web activity without breaking the law.

Last week it was announced that the government will enforce its controversial Regulation of Investigatory Powers Act (RIPA) enabling a larger array of organisations to legitimately carry out covert surveillance.
Assessing Security Risk, Part One: What is Risk A
The Internet, like the Wild West of old, is an uncharted new world, full of fresh and exciting opportunities. However, like the Wild West, the Internet is also fraught with new threats and obstacles; dangers the average businessman and home user hasn't even begun to understand. But I don't have to tell you this. You've heard that exact speech at just about every single security conference or seminar you've ever attended, usually accompanied by a veritable array of slides and graphs demonstrating exactly how serious the threat is and how many millions of dollars your company stands to lose. The "death toll" statistics are then almost always followed by a sales pitch for some product or other that's supposed to make it all go away. Yeah right.

Tuesday, June 18, 2002

The Programmer's File Format Collection
Welcome to Wotsit's Format, the complete programmer's resource on the net. This site contains file format information on hundreds of different file types and all sorts of other useful programming information; algorithms, source code, specifications, etc.
Maximizing Network Protection with Multiple Anti-Virus Scanners
One Virus Engine Is Not Enough. The Case for Maximizing Network Protection with Multiple Anti-Virus Scanners.
All responsible organizations protect their networks from virus attacks by installing an email security product. Yet, how does one choose the right solution out of the wide variety of virus scanning engines available? And is one anti-virus engine enough to protect the internal network from mass-mailing viruses, worms and other email-borne threats?

The tests detailed in this paper show that each virus scanner presents its own strengths and weaknesses. This means that no single anti-virus engine can fully protect against all possible threats. As a result, simultaneous use of more than one virus engine can achieve greater security than is technically possible when relying on only one anti-virus engine. The use of multiple virus engines also enables security administrators to be vendor independent when it comes to virus scanning, thereby able to use the best of breed virus engines available on the market.

Note: This paper does not cover desktop virus scanners. Its aim is to feature several popular virus-scanning engines and highlight the differences between each.

Monday, June 17, 2002

Jeanne: Reverse Proxy Server
This project provides a new way of securing websites through the use of Reverse Proxy Servers. Using a different network setup, in which the webserver is actually placed behind the firewall and the proxy receives all HTTP requests, higher security for the website can be achieved. This increased security is gained through the use of an access list plug-in for Squid (a normal proxy server program) such that only valid requests are fulfilled, and invalid URLs (such as Unicode directory traversal strings) are rejected. Thus, a normally-vulnerable webserver can be protected by the reverse proxy.
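The kind of check such an access-list plug-in has to make, as an added example that is not the Jeanne project's own code: it percent-decodes the request path, refuses anything that is not strict UTF-8 (which is where overlong forms such as %c0%af for "/" are caught), peels off double encoding (%255c), and then refuses any path that climbs above the web root. The function names, the "forward or reject" return shape and the sample requests are this example's own.

```python
"""Request-path filter for a reverse proxy in front of a fragile web server."""
from urllib.parse import unquote_to_bytes


def decode_path(raw: str) -> str:
    """Percent-decode repeatedly until stable (catches %25xx double encoding),
    as strict UTF-8. Raises ValueError on overlong or otherwise invalid byte sequences."""
    current = raw
    for _ in range(3):
        try:
            # Python's strict UTF-8 decoder rejects overlong forms such as C0 AF.
            decoded = unquote_to_bytes(current).decode("utf-8")
        except UnicodeDecodeError as exc:
            raise ValueError(f"not valid UTF-8 after decoding: {exc.reason}") from None
        if decoded == current:
            return current
        current = decoded
    raise ValueError("too many layers of percent-encoding")


def normalize(path: str) -> str:
    """Canonical form: '\\' treated as '/', empty and '.' segments dropped, '..' resolved.
    Raises ValueError if '..' would escape the root or a control character is present."""
    if any(ord(ch) < 0x20 or ord(ch) == 0x7F for ch in path):
        raise ValueError("control character in path")
    stack = []
    for segment in path.replace("\\", "/").split("/"):
        if segment in ("", "."):
            continue
        if segment == "..":
            if not stack:
                raise ValueError("traversal above web root")
            stack.pop()
        else:
            stack.append(segment)
    return "/" + "/".join(stack)


def check_request(url: str):
    """Return (True, canonical_path) for a request the proxy should forward,
    (False, reason) for one it should answer itself with 403."""
    path = url.split("?", 1)[0]          # the query string gets its own rules elsewhere
    if not path.startswith("/"):
        return False, "path must be absolute"
    try:
        return True, normalize(decode_path(path))
    except ValueError as exc:
        return False, str(exc)


SAMPLE_REQUESTS = [   # constructed; the first two use the well-known Unicode and
    "/scripts/..%c0%af../winnt/system32/cmd.exe?/c+dir",   # double-decode traversal shapes
    "/scripts/..%255c../winnt/system32/cmd.exe?/c+dir",
    "/../etc/passwd",
    "/cgi-bin/search%00.cgi",
    "/images/../index.html",
    "/products/list.asp?id=42",
]

if __name__ == "__main__":
    for url in SAMPLE_REQUESTS:
        ok, detail = check_request(url)
        print("FORWARD" if ok else "REJECT ", url, "->", detail)
```

The important design choice is that the proxy forwards the canonical path it computed, never the raw one, so the back-end server is not left to repeat the decoding with its own, possibly more permissive, rules.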
Odyssey
Odyssey is an end-to-end 802.1x security solution that not only permits users to securely access wireless LANs (WLANs), but also can be easily and widely deployed and managed across an enterprise network.
Odyssey includes client and server software. It secures the authentication and connection of WLAN users, ensuring that only authorized users can connect, that connection credentials will not be compromised, and that data privacy will be maintained.
Network Port Security
The lack of authentication within low level network communication protocols presents a potential area of abuse by rogue or compromised hosts. Data link technologies such as Ethernet inherently allow end stations to alter the source medium access control (MAC) address on any frames transmitted. While this may be useful in some circumstances, it can be used to launch a number of low level network communication attacks. This document proposes a means with which to limit the abuse that can be done by some types of low level source addressing attacks.
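A model of the kind of limit the document argues for, as an added example that is not the paper's own code: each switch port may source at most a fixed number of MAC addresses, an address secured on one port is refused on any other, and a violation either disables the port or silently drops the frame. The class names, the two violation modes and the frames fed through it are this example's own constructions.

```python
"""Per-port source-MAC limiting ('port security') applied to constructed frames."""
from dataclasses import dataclass, field


@dataclass
class SecurePort:
    name: str
    max_macs: int = 1
    violation: str = "shutdown"        # 'shutdown' disables the port; 'protect' just drops
    learned: set = field(default_factory=set)
    enabled: bool = True


class Switch:
    def __init__(self, ports):
        self.ports = {p.name: p for p in ports}
        self.cam = {}        # source MAC -> port name: the table a spoofer tries to poison
        self.events = []

    def ingress(self, port_name: str, src_mac: str) -> bool:
        """Return True if the frame is accepted for forwarding, False if dropped."""
        port = self.ports[port_name]
        if not port.enabled:
            self.events.append(f"{port.name}: frame from {src_mac} dropped, port err-disabled")
            return False
        owner = self.cam.get(src_mac)
        if owner is not None and owner != port_name:
            # An address already secured elsewhere shows up here: spoof or MAC move.
            return self._violate(port, src_mac, f"MAC already secured on {owner}")
        if src_mac not in port.learned:
            if len(port.learned) >= port.max_macs:
                return self._violate(port, src_mac, f"exceeds max {port.max_macs} address(es)")
            port.learned.add(src_mac)
            self.cam[src_mac] = port_name
            self.events.append(f"{port.name}: learned {src_mac}")
        return True

    def _violate(self, port: SecurePort, src_mac: str, why: str) -> bool:
        if port.violation == "shutdown":
            port.enabled = False
            self.events.append(f"{port.name}: VIOLATION from {src_mac} ({why}), port err-disabled")
        else:
            self.events.append(f"{port.name}: VIOLATION from {src_mac} ({why}), frame dropped")
        return False


def run_demo():
    """Feed constructed frames through three secured ports; returns (results, switch)."""
    sw = Switch([
        SecurePort("Fa0/1"),                            # one address, shut down on violation
        SecurePort("Fa0/2", violation="protect"),       # one address, drop on violation
        SecurePort("Fa0/3", max_macs=2),                # e.g. a phone with a PC behind it
    ])
    frames = [  # constructed (port, source MAC) pairs
        ("Fa0/1", "00:0c:29:aa:aa:aa"),   # legitimate host on port 1
        ("Fa0/2", "00:0c:29:bb:bb:bb"),   # legitimate host on port 2
        ("Fa0/2", "00:0c:29:aa:aa:aa"),   # port 2 host forges port 1's address: dropped
        ("Fa0/2", "00:0c:29:bb:bb:bb"),   # port 2's real host keeps working (protect mode)
        ("Fa0/1", "00:0c:29:cc:cc:cc"),   # second address on a one-address port: shutdown
        ("Fa0/1", "00:0c:29:aa:aa:aa"),   # the legitimate host is now cut off too
        ("Fa0/3", "00:0c:29:dd:dd:dd"),   # two addresses allowed here
        ("Fa0/3", "00:0c:29:ee:ee:ee"),
    ]
    results = [sw.ingress(p, m) for p, m in frames]
    return results, sw


if __name__ == "__main__":
    results, sw = run_demo()
    print(results)                      # [True, True, False, True, False, False, True, True]
    print("\n".join(sw.events))
```

Two practical points the trace makes visible: the shutdown mode turns a spoofing attempt into a denial of service against the legitimate host on that port (which is sometimes the preferred outcome, since it also pages the operator), and limiting source addresses says nothing about what a single permitted address puts in its ARP replies, so it complements rather than replaces ARP-level controls.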
Secure Deletion of Data from Magnetic and Solid-State Memory
With the use of increasingly sophisticated encryption systems, an attacker wishing to gain access to sensitive data is forced to look elsewhere for information. One avenue of attack is the recovery of supposedly erased data from magnetic media or random-access memory. This paper covers some of the methods available to recover erased data and presents schemes to make this recovery significantly more difficult.
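The overwrite side of the paper in runnable form, as an added example that is not Gutmann's own code: a multi-pass overwrite of a file using the paper's 27 fixed patterns between four leading and four trailing random passes, with a read-back check afterwards. The function names, the chunking and the demo content are this example's own.

```python
"""Multi-pass overwrite of a file with the Gutmann pattern schedule, then verify."""
import os
import tempfile

# The 27 fixed patterns, in the paper's order. The 3-byte ones are aimed at the
# bit-cell encodings of MFM/RLL drives; the single-byte ones cover plain 0/1 cells.
GUTMANN_PATTERNS = [
    b"\x55", b"\xaa",
    b"\x92\x49\x24", b"\x49\x24\x92", b"\x24\x92\x49",
    *(bytes([v]) for v in range(0x00, 0x100, 0x11)),          # 0x00, 0x11, ..., 0xff
    b"\x92\x49\x24", b"\x49\x24\x92", b"\x24\x92\x49",
    b"\x6d\xb6\xdb", b"\xb6\xdb\x6d", b"\xdb\x6d\xb6",
]


def gutmann_schedule():
    """The 35-pass schedule; None stands for a pass of fresh random bytes."""
    return [None] * 4 + GUTMANN_PATTERNS + [None] * 4


def pattern_block(pattern: bytes, offset: int, n: int) -> bytes:
    """n bytes of `pattern` repeated, phase-aligned as if it started at file offset 0,
    so the pattern stays continuous across chunk boundaries."""
    start = offset % len(pattern)
    return (pattern * (n // len(pattern) + 2))[start:start + n]


def overwrite_file(path: str, schedule=None, chunk_size: int = 64 * 1024) -> int:
    """Overwrite every byte of `path` once per pass, fsync'ing after each pass so the
    data reaches the device instead of sitting in the page cache. Returns the pass count."""
    schedule = gutmann_schedule() if schedule is None else schedule
    size = os.path.getsize(path)
    with open(path, "r+b") as f:
        for pattern in schedule:
            f.seek(0)
            written = 0
            while written < size:
                n = min(chunk_size, size - written)
                block = os.urandom(n) if pattern is None else pattern_block(pattern, written, n)
                f.write(block)
                written += n
            f.flush()
            os.fsync(f.fileno())
    return len(schedule)


def wipe_and_verify(secret: bytes, schedule=None):
    """Write `secret` to a temp file, overwrite it, and report whether the original
    content is still readable through the filesystem. Returns (passes, still_present)."""
    fd, path = tempfile.mkstemp()
    try:
        with os.fdopen(fd, "wb") as f:
            f.write(secret)
        passes = overwrite_file(path, schedule)
        with open(path, "rb") as f:
            after = f.read()
        return passes, secret in after
    finally:
        os.unlink(path)


if __name__ == "__main__":
    passes, present = wipe_and_verify(b"TOP SECRET payroll figures " * 200)   # constructed
    print(f"{passes} passes, secret still readable: {present}")             # 35 passes, False
```

The read-back only proves the logical blocks were replaced. Whatever the filesystem or the device kept elsewhere (journal entries, copy-on-write snapshots, remapped bad sectors, spare flash blocks under wear levelling) is untouched by any number of passes, which is why for solid-state media the device's own secure-erase command, or encrypting from the start and destroying the key, is the practical answer rather than more passes.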
Incident Response and Digital Forensics Resource List
  • Surveillance, Traps, and Sandboxing
  • Evidence Capturing Software
  • Evidence Capturing Hardware
  • Evidence Examination
  • Data/Evidence File Recovery
  • Bootable CD-ROMs
  • Certifications
  • Training
  • Professional Organizations
  • Email Lists
  • Web Resources
  • Books
  • On-Line Text
  • Network Forensics
  • IDS

CRYPTOREVERSING - On cryptosystems untrustworthiness
The reasons a cryptosystem fails to be trustworthy can be divided into four main groups: use of weak algorithms, incorrect implementation of a cryptographic algorithm, incorrect application of a sound algorithm, and the human factor. There is a clear parallel between these reasons and the causes of computer system security violations in general.

For these reasons there have been, and still are, security problems in every kind of software that uses cryptographic algorithms, be it operating systems, cryptographic protocols and the clients and servers that implement them, office programs, user encryption utilities or popular archivers.

To implement your own cryptosystem properly you should not only learn from other people's mistakes and understand why they happened, but probably also use defensive programming approaches and special design tools.
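The "incorrect application of a sound algorithm" group in practice, as an added example that is not part of the CRYPTOREVERSING text: a stream cipher whose keystream is reused for two messages. The cipher here is a toy built from SHA-256 in counter mode, used only to show the effect; the messages, the nonce-reuse switch and the function names are this example's own.

```python
"""Keystream reuse: c1 ^ c2 == p1 ^ p2, so one known plaintext exposes the other."""
import hashlib
import os


def keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    """Toy keystream: SHA-256(key || nonce || counter) blocks concatenated. Not a real cipher."""
    out, counter = bytearray(), 0
    while len(out) < length:
        out += hashlib.sha256(key + nonce + counter.to_bytes(8, "big")).digest()
        counter += 1
    return bytes(out[:length])


def xor_bytes(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def encrypt(key: bytes, nonce: bytes, plaintext: bytes) -> bytes:
    return xor_bytes(plaintext, keystream(key, nonce, len(plaintext)))


def recover_with_crib(c1: bytes, c2: bytes, known_p1: bytes) -> bytes:
    """With a shared keystream, c1 ^ c2 cancels it and leaves p1 ^ p2; a known or
    guessed p1 then yields p2. The key is never needed."""
    return xor_bytes(xor_bytes(c1, c2), known_p1)


def demo(reuse_nonce: bool) -> bool:
    """Encrypt two messages under one key; return True if the attacker recovers the second."""
    key = os.urandom(32)
    p1 = b"From: alice  Subject: weekly status report".ljust(48)   # guessable boilerplate
    p2 = b"From: alice  Subject: CONFIDENTIAL: merger".ljust(48)   # constructed sample
    n1 = os.urandom(12)
    n2 = n1 if reuse_nonce else os.urandom(12)   # the mistake: same key and nonce twice
    c1, c2 = encrypt(key, n1, p1), encrypt(key, n2, p2)
    return recover_with_crib(c1, c2, p1) == p2


if __name__ == "__main__":
    print("nonce reused, p2 recovered:", demo(True))     # True
    print("fresh nonce,  p2 recovered:", demo(False))    # False
```

Nothing about the underlying primitive is broken here: the same code with a fresh nonce per message is safe against this attack. That is the point of the category: reviewing the algorithm would find nothing, and only reviewing how it is applied (where nonces come from, whether counters can repeat after a restart) catches it.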

Sunday, June 16, 2002

Mind Games - Social Engineering
This small article is a brief overview on social engineering. It talks a bit about the psychology of social engineering, the security threat it imposes and about the methods used for it. Basically, this article is a summary that covers the important facts (from my point of view) about social engineering.
ICQ Security Exposed, a non-kiddie paper
Well, as I do not tend to write kiddie stuff, I decided to write this in order to prove that statement false :p. This ICQ security tutorial will not deal with whatever little scriptkiddie tools might be found out there. I will discuss some decent ICQ security, yet I will do it as simply as possible. I will offer information on general and abstract ICQ security issues, on flaws directly or indirectly related to ICQ. Information will range from staying invisible to getting familiar with the ICQ protocol - have fun!
IBM software aims to shut down "drive-by hacking"
International Business Machines Corp. on Monday announced technology designed to close some of the holes in corporate wireless networks and prevent outsiders from stealing data through "drive-by hacking." The IBM software sits on laptops and PCs, analyzing traffic on an internal 802.11 wireless network and sending data to a centralized server, said Dave Safford, manager of the global security analysis lab at IBM Research in Hawthorne, New York. "It turns machines into wireless auditing sniffers," he said. The server then "crunches" the data and "spits out" a report that can tell administrators if there are wireless access points that have been misconfigured, Safford said. Access points are physical connections to the computer network located throughout a site. Wireless access points are cheap, costing less than $100, and convenient to use, allowing workers to carry laptops from office to conference room to cafeteria. Because they are easy to misconfigure, they pose a significant security risk, easily exposing a computer network to attackers outside the building using specialized wireless sniffers.