Wednesday, July 10, 2002

XML security: A who's who
When a standard is deployed as openly as XML, businesses are bound to have security concerns.
The need to control content’s distribution and ensure its integrity keeps many companies from deploying XML without an extranet. Proposed standards will address security issues, and these standards are being further developed to allow for granular control over XML content. This article introduces and explains five proposed XML standards that deal with security issues.
The Keys to a More Secure Future
What are the factors that will determine how safe our world can be made? Here's a look at several, including some basic human qualities.
Sometime in July, a team of hackers will try to break into the computer networks that run key utilities around the U.S. The strikes won't come from Islamic cyberterrorists -- who in recent days have been rumored to be planning such attacks themselves -- but rather from friendly teams of security analysts the Electric Power Research Institute has hired to find chinks in the armor of conventional power plants.

EPRI's "Red Teams," as they're called, are just one element in an urgent campaign to shore up the security of U.S. infrastructure so as to safeguard the homeland from terrorist attacks -- both virtual and physical.
Detecting and Containing IRC-Controlled Trojans
This paper discusses IRC-based trojans as a distinctly underestimated class of malicious activity, and how real-time security event monitoring is the key to identifying and containing similar compromises. It discusses the general methodology used to discover, track, and stop such malicious activity by presenting a real-world case study.
Is your storage encrypted?
You're exposing yourself to significant risk as long as the data on your network (data in transit) and in your storage (data at rest) is not encrypted. That's what a paranoid security specialist will tell you.
Is it true? That depends on the sensitivity of your data and on any government regulations that require the data to be encrypted--in the healthcare industry, for example.
Building Your Appropriate Certificate-based Trust Mechanism for Secure Communications
The central issue facing the Internet today can be summarized in one word: trust. A number of companies endeavor to provide services to answer the question of trust – most commonly in the form of digital certificates – which are issued to both individuals and companies in various degrees of security. Certificates represent the concept of a “trusted third party” that is partly a software company, partly notary public and partly a local records office.
Devise an intrusion response policy
Putting devices and software in place to protect networks from viruses and intrusions is the first and sometimes the easiest part of securing a network. But many admins overlook the next and more difficult step in the overall security process: establishing a policy for handling vulnerabilities, threats, and especially intrusions--attempted or successful.
In our Technical Q&A forums, TechRepublic member TomW recently asked for advice on what to do upon discovering a network intrusion: "Are there any templates or guidelines that would be useful to develop a policy/procedure(s) for what to do if and when an intrusion or intrusion attempt has been detected?"
LaBrea - The Tarpit
LaBrea is a program that creates a tarpit or, as some have called it, a "sticky honeypot". LaBrea takes over unused IP addresses on a network and creates "virtual machines" that answer to connection attempts. LaBrea answers those connection attempts in a way that causes the machine at the other end to get "stuck", sometimes for a very long time.
TUCOFS - The Ultimate Collection of Forensic Software
TUCOFS, or T.U.C.O.F.S., stands for The Ultimate Collection of Forensic Software. This site places all Law Enforcement Personnel in touch with the latest and greatest Internet-based resources for High Tech Law Enforcement purposes. Resource types include files, software, websites and documentation. TUCOFS can be used as an index pointing you to various resources, allowing you to quickly find exactly what you are looking for.
International Organisation on Computer Evidence
Proceedings of the IOCE 2002 Conference in Orlando, Florida and important links will be available shortly.
Part II: Advanced Encipherment Techniques
The previous paper in this series, Simple Encipherment Techniques, showed some elementary methods by which text messages could be enciphered. There are several weaknesses in these approaches, as anyone who attempted the sample transpositions can appreciate. One of the chief weaknesses in any simple scheme is that all languages have characteristics
Encryption and Security Requirements for IETF Standard Protocols
It is the consensus of the IETF that IETF standard protocols MUST make use of appropriate strong security mechanisms. This document describes the history and rationale for this doctrine and establishes this doctrine as a best current practice.

Tuesday, July 09, 2002

Block ad/porn servers
This site contains a listing of many different Internet servers that can be placed into your hosts file for blocking ads and other means of unknowingly tracking you while you surf the net.
Details of OpenSSH Vulnerability Revealed
On June 26, 2002, Internet Security Systems (ISS) revealed the details of a serious vulnerability in the OpenSSH security software. The disclosure comes several days earlier than expected. As reported in an earlier ExtremeTech article ("OpenSSH Hole Exposes Servers"), the OpenSSH project wanted to give administrators of vulnerable systems until July 1 to install a workaround before complete information about the vulnerability was released.

Had the timetable, proposed by OpenSSH developer Theo de Raadt, been followed, systems could have been "immunized" over the weekend before would-be intruders knew how to exploit the bug. But ISS jumped the gun, insisting upon releasing full details of the vulnerability half a week earlier. This puts unpatched systems at immediate risk.
Default Passwords
And another list!
Default password list

Monday, July 08, 2002

Camera/Shy
Camera/Shy, a browser-based steganography application from HACKTIVISMO, will be released at the H2K2 Convention in New York City on July 13th. Camera/Shy was developed for democracy activists operating from behind national firewalls. It allows users to trade in banned content across the Internet. Camera/Shy is the debut release from Hacktivismo, a special operations group sponsored by the CULT OF THE DEAD COW. Hacktivismo offers technical solutions to the human rights community, and has over thirty associates from North America, Europe, Russia, Israel, Australia, Taiwan, and Korea.
"I’m really proud of everyone in the group", said Hacktivismo founder, Oxblood Ruffin. "They’ve made a commitment to bringing a Constitutional Toolkit to the Internet. And although not all of us are Americans, we share the fundamental ideals of the Constitution of the United States, especially freedom of speech. Camera/Shy is a small first step in sharing that privilege".
Camera/Shy will be released open source under the GNU General Public License. It is dedicated to the memory of Wang Ruowang, former doyen of the Chinese dissident community, a study in courage, and a lamp unto our feet.
CAMERA/SHY OVERVIEW
Sometimes hiding the truth is the best way to protect it, and yourself. Designed with the non-technical user in mind, Camera/Shy’s "one touch" encryption process delivers banned content across the Internet in seconds. Utilizing LSB steganographic techniques and AES-256 bit encryption
TCPIP: A Mammoth Description
TCP/IP, or Transmission Control Protocol/Internet Protocol, is a stack or collection of various protocols. A protocol is essentially the set of commands or instructions by which two computers, whether on a local network or on the Internet, exchange data, information and resources.
Background information on email security
This white paper provides useful background information on email security issues. It will help you examine the security threats facing your corporate email system and determine what kind of email security solution your company needs.
Nikto
Nikto is a web server scanner which performs comprehensive tests against web servers for multiple items, including over 1500 potentially dangerous files/CGIs, versions on over 110 products/CGIs, and reports details on over 160 products/CGIs. Scan items are updated multiple times per week and can be automatically updated (if desired).

Thursday, July 04, 2002

Please sir, can we have the summit security papers back?
“THERE are some people here to see you, sir,” the Canadian official said.
Outside the press building at the G8 summit yesterday stood a secret service special agent, a Mountie, and an off-duty Canadian policeman in T-shirt and shorts. All looked rather sheepish.
Could I give them back a secret 134-page document detailing security at the G8 summit, they asked? I had found the document, marked “confidential”, on a boulder in a busy picnic area close to the summit headquarters the previous day. Had it fallen into other hands the safety of Tony Blair, George Bush and other world leaders could have been jeopardised.
It lay open at a page detailing the security protocols for the arrival of each of the world leaders at Calgary airport on Tuesday night.
It showed the seating plans inside Tony Blair’s helicopter, including the locations of security guards and Alastair Campbell, his communications chief. It also contained secret phone numbers of each leader’s Canadian liaison officers, who were responsible for organising the arrival and departure of each President and Prime Minister.
It contained diagrams of the meeting rooms where the leaders held their working groups, lunches and dinners. The room plans showed where each leader sat and where windows were positioned, to help security guards to protect the G8 leaders against the threat of sniper fire and other attacks from outside.
Dozens more pages gave a minute-by-minute account of each leader
I Told You So
Let's concentrate on the Microsoft story. Last August, I wrote of a rumor that Microsoft wanted to replace TCP/IP with a proprietary protocol -- a protocol owned by Microsoft -- that it would tout as being more secure. Actually, the new protocol would likely be TCP/IP with some of the reserved fields used as pointers to proprietary extensions, quite similar to Vines IP, if you remember that product from Banyan Systems. I called it TCP/MS in the column. How do you push for the acceptance of such a protocol? First, make the old one unworkable by placing millions of exploitable TCP/IP stacks out on the Net, ready-to-use by any teenage sociopath. When the Net slows or crashes, the blame would not be assigned to Microsoft. Then ship the new protocol with every new copy of Windows, and install it with every Windows Update over the Internet. Zero to 100 million copies could happen in less than a year.

This week, Microsoft announced Palladium through an exclusive story in Newsweek written by Steven Levy, who ought to have known better. Palladium is the code name for a Microsoft project to make all Internet communication safer by essentially pasting a digital certificate on every application, message, byte, and machine on the Net, then encrypting the data EVEN INSIDE YOUR COMPUTER PROCESSOR. Palladium compatible hardware (presumably chipsets and motherboards) will come from both AMD and Intel, and the software will, of course, come from Microsoft. That software is w
A look at six popular personal firewall products for Windows machines
All you want to do is use your computer to do your job, play games, learn, buy, and surf the Web. You don’t want to worry about malicious intruders, port scans, Trojan horses, worms, and all the other mischievous stuff that hunts your computer. You shouldn’t have to worry, but you must; thousands of malicious programs exist solely to break into your PC. That’s where personal firewalls come in. Personal firewalls are software programs you install on the PCs they protect. More expensive hardware-based and corporate firewalls protect entire networks, cost more than personal firewalls, and usually aren’t as user-friendly. Personal firewalls are designed to keep the bad guys and programs out of your PC. The best-of-breed will keep malicious intruders outside your PC, turn away their unwanted probes, and prevent bad programs that have already staked a claim on your PC from doing further damage.
Guard Your Data with Kerberos
All security operations in SQL Server depend on the twin processes of authentication and authorization. If the server doesn't have total confidence in the user's identity and, thus, can't be sure of the permissions a user has, all attempts to control access to data fail. Microsoft has long preferred Windows NT authenticated logins over SQL Server authenticated logins because Windows has more effective mechanisms for verifying users' identities than just comparing an account and password combination. Kerberos authentication, the default authentication protocol in Windows 2000, improves on NT's authentication protocol in several ways and offers identification of both the client and the server. Let's look briefly at how Kerberos works, then examine how you can use its features to guard the data on your SQL Server 2000 servers. Note that you have to be running SQL Server 2000 on Win2K to use Kerberos; I cover the requirements in detail later.
Microsoft's Secret Plan to Secure the PC
You've heard of Trustworthy Computing, and the massive corporate remodeling going on at Microsoft where every developer, product manager, and executive assistant has been asked to rethink everything they do in the context of security. Well, that's just the tip of the iceberg. Secretly, the company has been working on a plan to rearchitect the PC from the ground up, to address the security, privacy, and intellectual property theft issues that dog the industry today. Inexplicably, the company pulled an Apple and chose to detail its plans solely to Newsweek, so we only have that one report to work from. But if Newsweek's take on the plan is correct, and consumers and businesses buy into the new devices that would result, the PC landscape will soon change forever.

The plan is code-named Palladium, a reference to a statue of the Greek goddess Athena that once guarded ancient Troy from attack. Palladium involves a number of hardware and software solutions that will, in part, be implemented as part of a future Windows version--possibly Longhorn, due in 2004--that requires specific hardware to work. "This isn't just about solving problems, but expanding new realms of possibilities in the way people live and work with computers," says product manager Mario Juarez.
cqure.net/The SMBProxy Tool
Got SAM ? Don't want to spend more time cracking it ?

SMBProxy is a "Passing The Hash" tool that works as a proxy. It makes it possible to authenticate to a Windows NT4/2000 server by only knowing the MD4 hash. It also makes it possible to mount shares, access the registry and anything else you could do with that particular user's privileges. The theory behind this is pretty old, and I don't take any credit for it. The tools for doing this, though, have been quite limited. That's why I decided to release this proxy, to really demonstrate the magic of "Passing The Hash".

It successfully intercepts communication with Windows NT 4.0 and Windows 2000. It looks for the username trying to connect and does a lookup in the pwdump file for the user's hash. Currently it only intercepts the NTLM hash. It's still in early development stages but seems to work well enough to release.

Wednesday, July 03, 2002

Technology Secrets of Cocaine Inc.
Colombian cartels have spent billions of dollars to build one of the world's most sophisticated IT infrastructures. It's helping them smuggle more dope than ever before.

On a rainy night eight years ago in the Colombian city of Cali, crack counter-narcotics troops swarmed over the first floor of a low-rise condominium complex in an upscale neighborhood. They found no drugs or guns. But what they did find sent shudders through law enforcement and intelligence circles around the world.

The building was owned by a front man for Cali cocaine cartel leader José Santacruz Londono. Inside was a computer center, manned in shifts around the clock by four to six technicians. The central feature of the facility was a $1.5 million IBM AS400 mainframe, the kind once used by banks, networked with half a dozen terminals and monitors.

According to former and current DEA, military, and State Department officials, the cartel had assembled a database that contained both the office and residential telephone numbers of U.S. diplomats and agents based in Colombia, along with the entire call log for the phone company in Cali, which was leaked by employees of the utility. The mainframe was loaded with custom-written data-mining software. It cross-referenced the Cali phone exchange's traffic with the phone numbers of American personnel and Colombian intelligence and law enforcement officials. The computer was essentially conducting a perpetual internal mole-hunt of the cartel's organizational chart. "They could correlate phone numbers, personalities, locations -- any way you want to cut it," says the former director of a law enforcement agency. "Santacruz could see if any of his lieutenants were spilling the beans."
Simple encipherment techniques
This is the first article in what is planned to be a three article series on the subject of cryptography.
Overview of the dangers of buggy code and resulting security issues.
Since the beginning of programming there have been errors, failures, and outright blunders that have occurred due to a lack of proper coding.

Faulty and unreliable code is a danger in general. Just about every organization and corporation that deals with programming of software, or hardware, has experienced it to a degree, some to a far greater extent than others.

The fact is that faulty code is dangerous not only to security, but to people. NASA as well as the European Space Agency have had problems with launching rockets (some to the point of harming crew members) due to faulty and improperly finished code, as well as a lack of proper implementation (another issue, but not the topic of this article).

Microsoft has been dealing with unreliable code for years (and not just its own, mind you), as have most commercial companies. It is a serious but, unfortunately, fairly lightly addressed issue.

Now, this article will focus on the dangers of faulty, unreliable, and even partially unfinished code to security, as well as malicious code, such as that used in buffer overflow attacks, that could take advantage of it.

Tuesday, July 02, 2002

New IE spy progie exploits DCOM
A group of Japanese security enthusiasts has developed a little tool called IE'en which exposes traffic between an IE user and any server he's contacting, including logins and passwords over HTTPS.
What's interesting here is the ability to capture packets between the client and server by exploiting DCOM (Distributed Component Object Model), a Microsoft program interface allowing the mediation and exchange of program and data objects over a network, similar to CORBA.

Monday, July 01, 2002

www.forensic-computing.co.uk
This web site is owned by a forensic computing professional, who wanted a UK resource to be available to colleagues. This is not a commercial site, nor is it associated with any particular agency or organisation; government or otherwise. The site will not endorse any particular commercial services or products, and has nothing to sell.

We hope to provide the forensic computing community with links to resources and promote good practice in all that we do.
Technology Pathways LLC
Technology Pathways, LLC is a leading developer of computer forensics software and solutions. We are committed to providing our customers with the best quality products and services available.
ProDiscover™ DFT is our flagship product allowing computer forensics investigators to streamline evidence acquisition, analysis and reporting.
The Open Web Application Security Project
The Open Web Application Security Project (OWASP) is an Open Source community project staffed entirely by volunteers from across the world. The project is developing software tools and knowledge-based documentation that help people secure web applications and web services.
Proxy Tunneling Engine Class for C++
Tunneling through proxy servers (also known as 'proxy chaining') is an old but effective technique for making yourself hard to trace. Even if you tunnel five proxies deep, it would be a hell of a job to find out the attacker's real IP.
I'm not going to explain how this technique works because there are enough docs about this on the Net.
One of the reasons is that most proxy servers are misconfigured, so they don't even log your request.
The class code below allows you to expand your private tools or other code projects to support proxy tunneling by simply setting some parameters, like the path to your proxy file.
Seven Common SSL Pitfalls
SSL is an excellent protocol. Like many tools, it is effective if you know how to use it well, but it is also easy to misuse. If you are deploying SSL, there are many pitfalls to be aware of, but with a little work, most can be avoided. In this article, we discuss the seven most common pitfalls when deploying SSL-enabled applications with OpenSSL.
FallenCrew E-mail Tracking
The main purpose of this service is to allow tracking of the e-mails you send from our online mailing service. Tracking in this sense means knowing if and when the recipient read your e-mail and how many times it was opened.

Thursday, June 27, 2002

How the Secret Service polices the Net
Trained in martial arts, sworn to secrecy, famous for high-tech earplugs and icy stares, the oldest law enforcement agency in the federal government, the U.S. Secret Service, is now protecting our national interests online.

Wednesday, June 26, 2002

FTP Dumpsites: A primer
Well, OK, a dumpsite would consist of an FTP server in which you can store and download files that you may want to download or upload to. Now, these pubs/dumpsites are usually private and only a few know about them.. BUT, if the word is out that someone found a pub with many, many sources of software, you just HIT THE JACKPOT!! It's usually hard to find pubs/dumpsites like this because usually the dumpsite is from a "legitimate" company that stores this kind of warez very deep, deep, deep underground, material that no one else is supposed to know about, you know what I'm saying? Cause if these companies get caught with any kind of underground warez, these companies could lose their business or even go to jail for storing illegal copies of software on their company server..... Now, I'll add a little bit more to this post if I may. To scan for dumpsites and pubs that you may want to check out.. but, be careful.. you "yourself" can get caught also.. - Just a bit of warning...

Tuesday, June 25, 2002

Early Bird: Realtime HTTP Worm Intrusion Attempt Notification Utility
After seeing innumerable HTTP worm exploit attempts on several non-IIS systems I maintain (and after tiring of generating reports to send off to multiple ISPs regarding multiple breaches on their networks, only to see the scans continue unabated days later), I decided to automate the notification process on a transactional basis. Early Bird is the end product of that goal.
Honeypots: Definitions and Value
Over the past several years there has been a growing interest in honeypots and honeypot-related technologies. Honeypots are not a new technology; they were first explained in a couple of very good works by icons in computer security, Cliff Stoll's book "The Cuckoo's Egg" and Bill Cheswick's paper "An Evening with Berferd." This paper attempts to take their work further and discuss what honeypots are, how they can add value to an organization, and several honeypot solutions. There are a variety of misconceptions about what a honeypot is, how it works, and how it adds value. It is hoped this paper helps clear up those issues. Also, few people realize the risks and issues involved with honeypots. Though honeypots can add value, the time and resources involved may be best focused on greater priorities.

Monday, June 24, 2002

How to Find Encryption Code in a Target (A Heuristic Approach)
Here's a little piece on how to recognize crypto code when you see it. This can help whether you're trying to break password protection, write a keygen, or understand a protocol.
Using OpenLDAP For Authentication
User authentication for logins is generally a no-brainer. You set up users on the local system and off you go... nothing to it. However, if you're on a LAN and you want to have a centralized "repository" of users, you will likely be looking at some method of distributing user information across the LAN. This has a few distinct advantages, the primary one being that all user authentication is centralized. This means that users have the same password on each system in the LAN, and if they change their password, the password is seamlessly changed everywhere. This gives consistency to user authentication on the LAN: users retain the same userid, groupid, password, and other information. This can be problematic if you assign users different levels of access on different machines, but if you permit the same access on all systems, this is an easy way to do it. Regardless, with sudo, you can fine-tune privileged access on a host-by-host basis as well.
Evil Tips and Tricks
Working as a desktop technician in the computer industry for a few years gives you a pretty good insight about what the average user knows and doesn't know. On the other hand, you get to learn what the other technicians you work with know and don't know as well. Since the day-to-day PC fixes get rather boring and repetitive after a certain amount of time, you must do something that still makes the job fun. Where I work, we would play evil computer tricks on each other to help make everyone's day just a little brighter. Not only is it fun to watch people squirm trying to figure out what has been done to their PC, it's also a very educational process for the person that has to fix it.

I am going to list some of the tricks we have played on each other over the years. The tips and tricks listed in this article are for informational and educational purposes only.
Mind Games - Social Engineering
This small article is a brief overview of social engineering. It talks a bit about the psychology of social engineering, the security threat it poses and the methods used for it. Basically, this article is a summary that covers the important facts (from my point of view) about social engineering.
Warning over password security
Computer users are being urged to change their passwords regularly to avoid becoming a victim of internet fraud. Experts say that passwords used to log onto the internet and access confidential information such as bank details should be altered at least once a month, both at home and at work.
iSafeguard Security Suite for Windows
"iSafeguard Security Suite for Windows is a software product that brings the latest PKI technologies to you to protect your files stored on your computer or on an Internet storage, to protect the privacy of your electronic mail, and to sign your documents with tamper-proof digital signature to prevent someone from forging a document and then claiming that you are the author of it, or from modifying a document after you’ve signed it and then claiming that the modified document is really the original that you signed.
"The following is a list of features: 1. Create your own digital certificates; 2. Digitally sign and encrypt your files; 3. Digitally sign and encrypt your emails; 4. Verify digital signatures; 5. Secure text editor; 6. Securely wipe files; 7. Securely wipe disk free space; 8. Creating and extracting PKI-protected archive files; 9. Creating and extracting password-protected self-extracting archive files; 10. Creating and extracting standard ZIP archive files; 11. And more..."

Sunday, June 23, 2002

WORKING WITH DONGLES
Well, here we are going to crack a dongle, or rather the dongle check. The dongle itself is normally very well protected -> so it's not a good idea to try to crack the dongle itself. That means patching the dongle driver or emulating the dongle is something for very advanced crackers :)
BIOS hacking 4 all
This document will tell all those interested how to get into the BIOS, extract its password, reset it or exploit it to cause possible hardware damage or a non-bootable computer. It has been written for users with very little knowledge of computers, so here it goes ...
Investigative Websites
Over 750 links to websites.
How to find hidden cameras
The following link is for a recent and interesting 36 page essay on how to find hidden cameras.
SANS Institute: Information Security Reading Room
Welcome to the SANS Institute's Information Security Reading Room, featuring over 1300 articles in 63 different categories.

Friday, June 21, 2002

Core makes an Impact
PENETRATION TESTING is a standard method for evaluating an organization's network security posture. These assessments can be performed from the standpoint of a malicious insider on the corporate network or a malicious outsider trying to compromise systems from the Internet. Some organizations perform these tests internally, but most hire outside consulting firms.

In either case, because there is no standard method of performing a penetration test, the quality of the results depends to a great extent on the knowledge and skill of the penetration testers on the job that day. Core Security Technologies has addressed this problem with Impact, a penetration testing framework that allows organizations to share knowledge and provide consistency across testing engagements. Its ease of use, innovation, and flexibility earned it a Deploy rating in our tests.

Thursday, June 20, 2002

PGP Encryption Explained
After I was asked to write a short tutorial on PGP / Encryption and E-mail security for newbies, I did what all writers do in such a case: I started to do some research. Because although I have been working with PGP for quite some years now, one can never know everything. I was going to write about PGP, so the best place to start seemed to be the official PGP manual that comes with the PGP software. But, after reading the first few pages of the official manual I came to the conclusion that the people of Network Associates have done a great job in making the official manual simple and easily understandable for anyone without any sort of knowledge of, or experience with, encryption. So why would I write another tutorial about it then? That's what I asked myself. Why do all this work when someone has done it already? Well, first of all, I could just point the official manual out to you guys, and tell you to read it, but then most of you probably wouldn't, and second of all, that would leave the Neworder newsletter (for which this tutorial is originally written) without an article. Then what? Well I could just copy everything that's in the official manual, but that's not like me, and no-one would benefit from that. However, I decided to write the tutorial anyway. The basic introduction to Cryptography might have some resemblances to the PGP official manual, but hey... that's quite normal since both documents are about PGP ;-) In the rest o
What Really Is ‘Forensics’?
It's several years later, and now every security professional services company 'does forensics.' Trouble is, they still all define it differently. When it comes to seeking help in digital forensics and incident investigation it absolutely is a 'buyer beware' market. I have heard of very reputable, high-level training for one of the most important certifications in our business that absolutely has it wrong in how we should perform such basic forensic functions as collecting an image from a computer under investigation. The training teaches (and, presumably, the test requires), as an example that you do things in the computer shutdown process that no experienced forensic professional would ever do.
Echelog
Echelog is a distributed agent/server system. Agents are installed on monitored computers, where they actively monitor logged-on users, running processes, network connections, system logs and so on, and send the gathered data to a server (or to several). The communication between agents and server is trusted: secured and authenticated with SSL and certificates. The server receives the data, processes it and stores it. Later you can browse through the log with simple command-line tools or a web front end.
Understanding Network Encryption
Network encryption ensures that data sent across a network from one host to another is unreadable to a third party. If a sniffer intercepts the data, it finds the data unusable because the data is encrypted. Therefore, a hacker cannot view any usernames or passwords, and any information sent across the network is safe. The requirement is that all communicating systems must support the same network encryption technique, such as Secure Shell (SSH). Network encryption is used for any data transfer that requires confidentiality.
Since the Internet is a public network, network encryption is essential. E-commerce transactions must ensure confidentiality to protect credit card and personal information. Personal banking Web sites and investment companies often require extremely sensitive information to be sent, such as bank account numbers and tax identification numbers. If these usernames, passwords, and personal information fell into the wrong hands, the information could be used for a front-door attack, since the hacker could pose as a legitimate user. Rlogin, remote shell (rsh), and Telnet are three notoriously unsafe protocols.
They do not use encryption for remote logins or any type of data transmission. For example, if you are an administrator and you want to log in to a system via Telnet, your username and login are sent in clear text. Rsh and rlogin send all data between two hosts in clear text as well (but a password is not required).

Wednesday, June 19, 2002

WhiteHat Arsenal Tool Set Aims to Knock Off Web Site Black Hats
Only a handful of tools can assist with QoS (Quality of Service) testing before applications go live. Enter WhiteHat Security's WhiteHat Arsenal 2.0, a collection of basic tools that help security professionals test Web applications for common security vulnerabilities in the midrange of competitive pricing. But though Arsenal has several good features, the lack of automation for basic operation and nonexistent vulnerability identification will hinder users who don't have solid security and programming backgrounds.
Although a security background is an obvious criterion for using a security tool, the need for a programming background may come as a surprise. But to best use Arsenal to protect Web apps, you need to understand the basics of how the languages behind these applications (ASP, PHP and ColdFusion) affect Web security.

Bottom line: Arsenal is good for security pros conducting basic Web application testing, but the cost is high considering the lack of features.
Multi-Port Tap
In-Line Taps in multiport configurations give simultaneous access to all network traffic, including all physical errors, from both sides of a full duplex link, along with the ability to rove between segments. In-Line Taps maximize visibility and minimize link downtime on full duplex switched LANs and SANs. In-Line Taps are completely passive to network traffic and allow for analysis of individual segments. Finisar Systems' 10/100 Mb In-Line UTP Taps support the new IEEE 802.3af in-line power standard. The UTP Tap IL/12, when installed in the "in-line power" link, will pass the 48 volt power signal, unaffected, to the IP phone while copying the data signal faithfully to the analyzer.
Implementing Network Taps with Network Intrusion
Over the past decade or so, the use of switches to replace hubs has increased substantially. This is largely due to the increased size of networks, and the requirement for increasingly faster and more efficient networks. On most networks, the data must now be dependable and timely. This transition from hubs to switches, however, has generated a conflict with already deployed and designed network intrusion detection systems.
To combat design conflicts between network intrusion detection systems (NIDS) and switches, network taps were created. Network taps essentially allow all traffic on a network device to be monitored. Network taps are also very useful for passive network troubleshooting and analysis. Further, the tap makes the related NIDS system more secure, preventing attackers from being able to directly attack the NIDS system. This article will offer an introductory overview of taps, including: what taps are, why they should be implemented, their role in improving network security, how they should be implemented, and the economic benefits of taps.
underground security systems research
Windows NT Audit tools.
Office of Surveillance Commissioners
This website is primarily designed to be used by those who authorise and conduct covert surveillance operations and covert human intelligence sources (as informants and undercover officers are now known). It shows you how to carry out these activities in compliance with the powers granted by Parliament, and how the OSC monitors the exercise of those powers. By way of practical help we have identified some key points, some sources of advice, and some examples of good and bad practice.
All you need to know about legal spying
The government has launched a website to advise organisations on how to snoop on phone calls, email and web activity without breaking the law.

Last week it was announced that the government will enforce its controversial Regulation of Investigatory Powers Act (RIPA) enabling a larger array of organisations to legitimately carry out covert surveillance.
Assessing Security Risk, Part One: What is Risk A
The Internet, like the Wild West of old, is an uncharted new world, full of fresh and exciting opportunities. However, like the Wild West, the Internet is also fraught with new threats and obstacles; dangers the average businessman and home user hasn't even begun to understand. But I don’t have to tell you this. You’ve heard that exact speech at just about every single security conference or seminar you’ve ever attended, usually accompanied by a veritable array of slides and graphs demonstrating exactly how serious the threat is and how many millions of dollars your company stands to lose. The “death toll” statistics are then almost always followed by a sales pitch for some or other product that’s supposed to make it all go away. Yeah right.

Tuesday, June 18, 2002

The Programmer's File Format Collection
Welcome to Wotsit's Format, the complete programmer's resource on the net. This site contains file format information on hundreds of different file types and all sorts of other useful programming information; algorithms, source code, specifications, etc.
Maximizing Network Protection with Multiple Anti-Virus Scanners
One Virus Engine Is Not Enough. The Case for Maximizing Network Protection with Multiple Anti-Virus Scanners.
All responsible organizations protect their networks from virus attacks by installing an email security product. Yet, how does one choose the right solution out of the wide variety of virus scanning engines available? And is one anti-virus engine enough to protect the internal network from mass-mailing viruses, worms and other email-borne threats?

The tests detailed in this paper show that each virus scanner presents its own strengths and weaknesses. This means that no single anti-virus engine can fully protect against all possible threats. As a result, simultaneous use of more than one virus engine can achieve greater security than is technically possible when relying on only one anti-virus engine. The use of multiple virus engines also lets security administrators stay vendor independent when it comes to virus scanning, so that they can use the best-of-breed virus engines available on the market.

Note: This paper does not cover desktop virus scanners. Its aim is to feature several popular virus-scanning engines and highlight the differences between each.

Monday, June 17, 2002

Jeanne: Reverse Proxy Server
This project provides a new way of securing websites through the use of Reverse Proxy Servers. Using a different network setup, in which the webserver is actually placed behind the firewall and the proxy receives all HTTP requests, higher security for the website can be achieved. This increased security is gained through the use of an access list plug-in for Squid (a normal proxy server program) such that only valid requests are fulfilled, and invalid URLs (such as Unicode directory traversal strings) are rejected. Thus, a normally-vulnerable webserver can be protected by the reverse proxy.
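A strict request-path filter of the kind such an access-list plug-in needs, as an added example that is neither Jeanne's nor Squid's code: it percent-decodes exactly once, rejects double encoding and overlong UTF-8 forms (the "Unicode traversal" strings), and refuses any ".." segment before the request reaches the web server. The rule names and the sample paths are constructed for this illustration.

```python
import re

# One %XX escape; the validator decodes these exactly once.
PCT = re.compile(r"%([0-9A-Fa-f]{2})")


def percent_decode_once(s: str) -> bytes:
    """Decode %XX escapes a single time into raw bytes; nothing else is touched."""
    out = bytearray()
    i = 0
    while i < len(s):
        m = PCT.match(s, i)
        if m:
            out.append(int(m.group(1), 16))
            i = m.end()
        else:
            out.extend(s[i].encode("utf-8"))
            i += 1
    return bytes(out)


def check_path(request_target: str) -> str:
    """Return 'ok' if the path may be forwarded, else the name of the first rule it broke."""
    path = request_target.split("?", 1)[0]      # the query string is validated separately
    # Rule 1: the raw request line must be printable ASCII (no spaces, controls, raw UTF-8).
    if any(not 0x20 < ord(c) < 0x7F for c in path):
        return "control-or-nonascii"
    # Rule 2: every '%' must start a well-formed two-hex-digit escape.
    if path.count("%") != len(PCT.findall(path)):
        return "bad-escape"
    decoded = percent_decode_once(path)
    # Rule 3: a '%' surviving one decode means the client double-encoded (%252e...).
    if b"%" in decoded:
        return "double-encoded"
    # Rule 4: strict UTF-8 rejects overlong encodings such as %c0%af for '/'.
    try:
        text = decoded.decode("utf-8", errors="strict")
    except UnicodeDecodeError:
        return "invalid-utf8"
    # Rule 5: no NUL or control characters and no backslash after decoding.
    if any(ord(c) < 0x20 or ord(c) == 0x7F for c in text) or "\\" in text:
        return "unsafe-char"
    # Rule 6: absolute path, and no segment made only of dots ('..', '...').
    if not text.startswith("/"):
        return "not-absolute"
    for seg in text.split("/"):
        if len(seg) >= 2 and set(seg) == {"."}:
            return "dot-segment"
    return "ok"


if __name__ == "__main__":
    # Constructed sample request targets, one per rule.
    for target in ("/index.html", "/caf%C3%A9/menu?id=5", "/scripts/..%c0%af../secret.txt",
                   "/a/%2e%2e/b", "/a/%252e%252e/b", "/a%00.html", "relative/x", "/x%zz"):
        print(f"{target:40} -> {check_path(target)}")
```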
Odyssey
Odyssey is an end-to-end 802.1x security solution that not only permits users to securely access wireless LANs (WLANs), but also can be easily and widely deployed and managed across an enterprise network.
Odyssey includes client and server software. It secures the authentication and connection of WLAN users, ensuring that only authorized users can connect, that connection credentials will not be compromised, and that data privacy will be maintained.
Network Port Security
The lack of authentication within low level network communication protocols presents a potential area of abuse by rogue or compromised hosts. Data link technologies such as Ethernet inherently allow end stations to alter the source medium access control (MAC) address on any frames transmitted. While this may be useful in some circumstances, it can be used to launch a number of low level network communication attacks. This document proposes a means with which to limit the abuse that can be done by some types of low level source addressing attacks.
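A minimal port-security model of the kind that limits such source-address abuse, as an added example that is not the document's own proposal: each switch port binds a small set of source MAC addresses (static or learned from the first frames), and a frame carrying any other source address on a full port is treated as a spoof and disables the port. Port names, addresses and the frame sequence are constructed.

```python
import re
from dataclasses import dataclass, field
from typing import Dict, List, Set, Tuple

MAC_RE = re.compile(r"^(?:[0-9a-f]{2}:){5}[0-9a-f]{2}$")


def normalize_mac(mac: str) -> str:
    """Canonical lower-case colon form; reject anything that is not six hex octets."""
    m = mac.strip().lower().replace("-", ":")
    if not MAC_RE.match(m):
        raise ValueError(f"malformed MAC address: {mac!r}")
    return m


@dataclass
class SecuredPort:
    max_addresses: int = 1
    allowed: Set[str] = field(default_factory=set)   # static entries plus sticky-learned ones
    err_disabled: bool = False


class PortSecurity:
    def __init__(self) -> None:
        self.ports: Dict[str, SecuredPort] = {}
        self.events: List[str] = []

    def configure(self, port: str, max_addresses: int = 1, static: Tuple[str, ...] = ()) -> None:
        self.ports[port] = SecuredPort(max_addresses, {normalize_mac(m) for m in static})

    def process(self, port: str, src_mac: str) -> str:
        """Return 'forward' or 'drop' for one ingress frame, updating the port's state."""
        policy = self.ports.get(port)
        if policy is None:
            return "forward"                    # port without a policy: unrestricted, as today
        mac = normalize_mac(src_mac)
        if policy.err_disabled:
            return "drop"                       # stays down until an operator re-enables it
        if mac in policy.allowed:
            return "forward"
        if len(policy.allowed) < policy.max_addresses:
            policy.allowed.add(mac)             # sticky learning of the first N source addresses
            self.events.append(f"{port}: learned {mac}")
            return "forward"
        # A new source MAC beyond the limit: a forged address or an unexpected host.
        policy.err_disabled = True
        self.events.append(f"{port}: VIOLATION src={mac}, port err-disabled")
        return "drop"


# Constructed frames: (ingress port, source MAC). None of these values are real.
FRAMES = [
    ("port-1", "AA:BB:CC:00:00:01"),   # first host seen on port-1: learned
    ("port-1", "aa:bb:cc:00:00:01"),   # same host, different letter case
    ("port-2", "00-11-22-33-44-55"),   # statically allowed entry, dash notation
    ("port-2", "aa:bb:cc:00:00:02"),   # second host on port-2 (limit is 2): learned
    ("port-1", "de:ad:be:ef:00:01"),   # forged source address on port-1: violation
    ("port-1", "aa:bb:cc:00:00:01"),   # legitimate host is now cut off: port err-disabled
    ("port-9", "aa:bb:cc:00:00:09"),   # port with no policy: forwarded
]


def run_demo() -> Tuple[List[str], List[str]]:
    """Replay FRAMES through a two-port policy; returns per-frame verdicts and the event log."""
    ps = PortSecurity()
    ps.configure("port-1", max_addresses=1)
    ps.configure("port-2", max_addresses=2, static=("00:11:22:33:44:55",))
    verdicts = [ps.process(port, mac) for port, mac in FRAMES]
    return verdicts, ps.events


if __name__ == "__main__":
    verdicts, events = run_demo()
    for (port, mac), verdict in zip(FRAMES, verdicts):
        print(f"{port} {mac:20} {verdict}")
    print("\n".join(events))
```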
Secure Deletion of Data from Magnetic and Solid-State Memory
With the use of increasingly sophisticated encryption systems, an attacker wishing to gain access to sensitive data is forced to look elsewhere for information. One avenue of attack is the recovery of supposedly erased data from magnetic media or random-access memory. This paper covers some of the methods available to recover erased data and presents schemes to make this recovery significantly more difficult.
Incident Response and Digital Forensics Resource List
  • Surveillance, Traps, and Sandboxing
  • Evidence Capturing Software
  • Evidence Capturing Hardware
  • Evidence Examination
  • Data/Evidence File Recovery
  • Bootable CD-ROMs
  • Certifications
  • Training
  • Professional Organizations
  • Email Lists
  • Web Resources
  • Books
  • On-Line Text
  • Network Forensics
  • IDS

CRYPTOREVERSING - On cryptosystems untrustworthiness
The reasons for the untrustworthiness of cryptosystems can be divided into 4 main groups: use of weak algorithms, incorrect implementation of cryptographic algorithms, incorrect application of them, and the human factor. There is a clear parallel between these reasons and those behind computer system security violations.

For these reasons there have been, and still are, security problems in all kinds of software that use cryptographic algorithms, be it operating systems; cryptographic protocols and the clients and servers that support them; office programs; user encryption utilities; or popular archivers.

To implement your own cryptosystem properly you should not only learn from others' mistakes and understand why they occurred, but also use advanced protective programming approaches and special design tools.

Sunday, June 16, 2002

Mind Games - Social Engineering
This small article is a brief overview on social engineering. It talks a bit about the psychology of social engineering, the security threat it imposes and about the methods used for it. Basically, this article is a summary that covers the important facts (from my point of view) about social engineering.
ICQ Security Exposed, a non-kiddie paper
Well, as I do not tend to write kiddie stuff, I decided to write this in order to prove that statement false :p. This ICQ security tutorial will not deal with whatever little scriptkiddie tools might be found out there. I will discuss some decent ICQ security, yet I will do it as simply as possible. I will offer information on general and abstract ICQ security issues, on flaws directly or indirectly related to ICQ. Information will range from staying invisible to getting familiar with the ICQ protocol - have fun!
IBM software aims to shut down "drive-by hacking"
International Business Machines Corp. on Monday announced technology designed to close some of the holes in corporate wireless networks and prevent outsiders from stealing data through "drive-by hacking." The IBM software sits on laptops and PCs, analyzing traffic on an internal 802.11 wireless network and sending data to a centralized server, said Dave Safford, manager of the global security analysis lab at IBM Research in Hawthorne, New York. "It turns machines into wireless auditing sniffers," he said. The server then "crunches" the data and "spits out" a report that can tell administrators if there are wireless access points that have been misconfigured, Safford said. Access points are physical connections to the computer network located throughout a site. Wireless networks are cheap, costing less than $100, and convenient to use, allowing workers to carry laptops from office to conference room to cafeteria. Because they are easy to misconfigure, they pose a significant security risk, easily exposing a computer network to attackers outside the building using specialized wireless sniffers.

Friday, June 14, 2002

The Computer Professional Reference
A lot of (online) penetration testing tools. Be sure to check out the tools section of this site!
Security Search
The world's largest security industry yellow page directory. Over 35,000 users, and 15,000 listings covering 94 countries.
DOE Custom Tools
Custom tools and documents are those developed by different sites as part of their daily operations, and that have applicability outside of their developing organizations. Custom tools and documents are expected to be not as polished or well documented as the DOE-developed tools, but having access to them will give another site a large head start in developing a similar capability of their own. DOE sites who have or are developing information security tools and documents are encouraged to make those materials available for inclusion on the server.

Thursday, June 13, 2002

The latest rage: CSO
Before you ask--No, CSO isn't a new TV crime show. But you'd never know that from the hype. Over the last few weeks, the chief security officer--or CSO--job title has been generating enough buzz to make a Hollywood press agent envious.
Headhunters are waxing ecstatic over the six-figure salaries, the number of openings that companies say they have, and the fact that it's a growth area in an otherwise down market. And there's a lot of agreement that corporate security needs to be centralized, at least in some manner. But if it's so hot, why are so few companies actually hiring CSOs?
Internetwork Routing Protocol Attack Suite
Routing protocols are, by definition, protocols used by routers to communicate with each other about ways to deliver routed protocols, such as IP.
While many improvements have been made to host security since the early days of the Internet, the core of this network still uses unauthenticated services for critical communication. Because most of the routers you will see in today's environments are Cisco products, we focus our work on these, which does not mean that it doesn't apply to other router vendors.

The idea is to implement small tools which can be scripted for larger tests while using the protocols described in standards or white papers. IRPAS is not a collection of exploits. While several circumstances can lead to a denial of service attack, the tools try to implement routing protocol functionality as described by the papers, therefore enabling the user of these tools (probably you) to design their own customized attack.
Another nice side effect is that people used to point-and-click attack tools should have some difficulty using a raw IGRP sender tool.

Wednesday, June 12, 2002

Stalker tech
Do you know where your boyfriend is? If he attends the University of California at San Diego, finding him may be as easy as turning on a PDA.

The university is equipping hundreds of students with personal digital assistants that allow them to track each other's location from parking lot to lecture hall to cafeteria. The technology is sophisticated enough to pinpoint where a person is in a building -- say, a dorm -- within a margin of error of one floor.
The New C-Guard EXP
Cellular phones, seemingly innocent devices, are often used for carrying out illegal actions. Today, a major security threat is being acknowledged by more and more organizations worldwide - the use of cellular phones as bugging devices.
Cellular phone technology has dramatically changed eavesdropping techniques. While a decade ago performing illegal eavesdropping was a complicated task requiring professional expertise (involving the installation of concealed transmitters and receivers on-site), today cellular phones can be easily converted into bugs and placed anywhere.
Popular cell-phone models made by Nokia, Motorola and other market leaders can transform into sophisticated, easily operated bugging devices through a small modification. By a simple press of a button, a seemingly standard cell-phone device switches into a mode in which it seems to be turned off. However, in this deceitful mode the phone will automatically answer incoming calls, without any visual or audio indications whatsoever. In most cases, such 'spy' phones are concealed within the targeted area, for instance inside a houseplant. A well placed bug-phone can be activated on demand from any remote location (even from another country).
Sun's Solaris operating environment takes first place in security certification
Sun Microsystems' "Trusted" Solaris 8 4/01 Operating Environment, considered the de facto standard for protecting classified and sensitive information, is the first and only operating system to receive the highest level of security certification under the Common Criteria Labelled Security Protection Profile (LSPP) at Evaluation Assurance Level 4 (EAL4).

Tuesday, June 11, 2002

Site R (Raven Rock) - Alternate Joint Communications Center (AJCC)
This offers information on a hardened US military communications facility, Site R (Raven Rock) Alternate Joint Communications Center (AJCC), located beneath Raven Rock mountain, near Waynesboro, PA, reported to be the bunker used by Vice President Cheney during the months after 9/11.
Law Enforcement OnLine
The Federal Bureau of Investigation provides a national focal point for electronic communication, education, and information sharing through the development and operation of LEO -- Law Enforcement OnLine.
LEO is a national interactive computer communications system and information service, an Intranet exclusively for the law enforcement community. It is a user-friendly service which can be accessed by any approved employee of a duly constituted local, state, or federal law enforcement agency, or approved member of an authorized law enforcement special interest group. LEO is intended to provide a state-of-the-art communication mechanism to link all levels of law enforcement throughout the United States. LEO is also used as a vehicle to educate officers on

Monday, June 10, 2002

Open Source Debate
This PDF article, written by Kenneth Brown of ADTI, attempts to explain that "Open source GPL use by government agencies could easily become a national security concern. Government use of software in the public domain is exceptionally risky."

"... Another consideration for the U.S. government is that all source code developed under the GPL could have mirrored availability to the public. This poses unlimited security issues. Wheeler comments, "There are many programs developed by the government which are THEMSELVES classified, and many - and probably most - of the various programs most important to national security are in this category (e.g., weapons systems). In that case, neither binaries nor source code of those particular applications are released to anyone else; besides being illegal, releasing the binary executables would give away far too much information." Rossz Vamos-Wentworth, a programming expert, disagrees about the relevance of releasing code, commenting, "If the government uses GPL software, the government is to release their version(s). If the software is related to security, it really doesn't matter if the code is available or not. Security holes are eventually found, with or without open source code. If the security software is well done, having the source code will not make it easier to crack."
Layered Insecurity
From the earliest stages of their careers, most IT security practitioners are taught about the practical benefits of "layered security" and "defense-in-depth"--and for good reason. Segregating public and private networks, deploying overlapping controls for access and asset protection, constructing DMZs and bastion hosts--these and other security techniques go a long way toward helping organizations secure their intellectual property and proprietary communications.
But creating a "living" layered security infrastructure is not a static, one-size-fits-all proposition. As network environments become more complex--involving partner extranets, VLANs, application portals, Web services, secure remote connectivity, Internet/POP mail, instant messaging and so on--architecting defense-in-depth into the network becomes more and more difficult. No one sets out to undermine security. But unless the security of the network evolves hand in hand with the ever-growing list of network services, the layers designed to secure it can actually introduce new and unforeseen vulnerabilities.
This article examines how security layers can break down, and how to architect the network to avoid these common pitfalls.
CERT® Security Improvement Modules
A lot of modules on improving IT security.
The SANS Security Policy Project
Welcome to the SANS Security Policy Resource page, a consensus research project of the SANS community. The ultimate goal of the project is to offer everything you need for rapid development and implementation of information security policies. You’ll find a great set of resources posted here already including policy templates for twenty-four important security requirements.
There is no cost for using these resources. They were compiled to help the people attending SANS training programs, but security of the Internet depends on vigilance by all participants, so we are making this resource available to the entire community.
Directory Snoop
Directory Snoop is a low-level forensic utility that can recover erased files in an emergency, wipe sensitive data, and search for hidden data at the cluster level. Step through your File Allocation Table (FAT) and map individual clusters back to the file that owns them. Purge orphaned (and possibly sensitive) file names right out of the directory structure.
StegoArchive
In an ideal world we would all be able to openly send encrypted email or files to each other with no fear of reprisals. However there are often cases when this is not possible, either because you are working for a company that does not allow encrypted email or perhaps the local government does not approve of encrypted communication (a reality in some parts of the world). This is where steganography can come into play.

Steganography simply takes one piece of information and hides it within another. Computer files (images, sound recordings, even disks) contain unused or insignificant areas of data. Steganography takes advantage of these areas, replacing them with information (encrypted mail, for instance). The files can then be exchanged without anyone knowing what really lies inside of them. An image of the space shuttle landing might contain a private letter to a friend. A recording of a short sentence might contain your company's plans for a secret new product. Steganography can also be used to place a hidden "trademark" in images, music, and software, a technique referred to as watermarking.
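The "insignificant areas" idea carried through in working code, as an added example that is not from StegoArchive or any tool it lists: a payload is written into the least significant bit of each pixel of a grayscale cover image, behind a 4-byte length prefix, and read back the same way. The cover image is a constructed 32x32 pixel gradient rather than a real file, so the example runs offline.

```python
from typing import Iterator, List

# Constructed 32x32 grayscale cover image: one intensity value (0..255) per pixel.
COVER: List[int] = [(x * 37 + (x // 32) * 11) % 256 for x in range(32 * 32)]


def _bits(data: bytes) -> Iterator[int]:
    """Yield the bits of data, most significant bit of each byte first."""
    for byte in data:
        for shift in range(7, -1, -1):
            yield (byte >> shift) & 1


def capacity_bytes(pixels: List[int]) -> int:
    """Payload bytes a cover can hold: one bit per pixel, minus the 4-byte length prefix."""
    return len(pixels) // 8 - 4


def embed(pixels: List[int], payload: bytes) -> List[int]:
    """Replace the least significant bit of each pixel with one bit of length||payload."""
    if len(payload) > capacity_bytes(pixels):
        raise ValueError(f"cover holds {capacity_bytes(pixels)} bytes, payload is {len(payload)}")
    message = len(payload).to_bytes(4, "big") + payload
    stego = list(pixels)                          # the cover itself is left untouched
    for index, bit in enumerate(_bits(message)):
        stego[index] = (stego[index] & 0xFE) | bit
    return stego


def _read_bytes(pixels: List[int], first_bit: int, count: int) -> bytes:
    """Reassemble count bytes from the LSBs starting at pixel first_bit."""
    out = bytearray()
    for b in range(count):
        value = 0
        for i in range(8):
            value = (value << 1) | (pixels[first_bit + b * 8 + i] & 1)
        out.append(value)
    return bytes(out)


def extract(pixels: List[int]) -> bytes:
    """Read the length prefix, then that many payload bytes, from the LSB plane."""
    length = int.from_bytes(_read_bytes(pixels, 0, 4), "big")
    if length > capacity_bytes(pixels):
        raise ValueError("no valid length prefix: this cover carries no message")
    return _read_bytes(pixels, 32, length)


def max_pixel_change(cover: List[int], stego: List[int]) -> int:
    """Largest per-pixel difference; LSB embedding can never change a pixel by more than 1."""
    return max(abs(a - b) for a, b in zip(cover, stego))


if __name__ == "__main__":
    secret = b"meet at the usual place"          # constructed payload
    stego = embed(COVER, secret)
    print("capacity (bytes):", capacity_bytes(COVER))
    print("recovered:", extract(stego))
    print("largest pixel change:", max_pixel_change(COVER, stego))
```

Reading the LSB plane of the untouched COVER yields a nonsense length and extract() raises, which is the only built-in sanity check; nothing here disguises the statistical traces that real steganalysis looks for.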
The PalmPilot single-floppy backup system
PenguinBackup is a single, bootable 3.5" floppy disk which includes a complete operating system, utilities, and communication software for all kinds of Pilots (OS 1.x - 3.x), wrapped in a nice, easy-to-use menu system.
It is intended as an emergency backup system in case you're on the road with only your Pilot and need to do a full restore after a hard reset.
PDA Seizure
As an examiner you know better than anyone that the difference between making a case and losing a case is hard evidence. And with more bad guys going high tech, obtaining that evidence is becoming more difficult than ever.

With Paraben's PDA Seizure, you can retrieve all the information that's on a PDA device.

Paraben's PDA Seizure is a comprehensive tool that allows PDA data to be acquired, viewed, and reported on, all within a Windows environment.
Common Security Exploit and Vulnerability Matrix
A giant poster in PDF format.
Snorting Next Generation Secure Remote Log Servers over TCP
A comprehensive guide to building encrypted, secure remote syslog-ng servers with the Snort IDS. In PDF format.
Creating a Virtual HoneyNet
Creating a virtual honeynet is no more than configuring a number of virtual networked systems to log all activity heading to them, while looking as generic as possible. Don't worry if you feel you can't afford the resources needed to run the honeynet; virtual honeynets are cheap, powerful and easy to admin, plus throughout this paper I'll be trying to put in as much of my experience as possible to make it easier for you, but before we start there are a few points we have to understand.
OS Scan
Which Operating System has more vulnerabilities out of the box? Are they more secure after the latest patches? Do the latest patches add vulnerabilities? We wanted to see how much the OS patches released really help and to see which OS is more secure “Out of the Box”. So we picked several of the more popular Operating Systems and put them to the test. In this study, we will use Nmap version 2.54BETA 22 and Nessus 1.0.9 to scan Operating Systems installed with default options and no additional patches or configurations. Then we will scan them with the latest Security Packs and Cluster Patches and compare the scans to learn what security means to the vendors of the Operating Systems and the security scanners we use today.
The Security Writers Guild
The Security Writers Guild (SWG) is focused on publishing quality papers and developing original & creative projects in an effort to promote IT security and simultaneously establish its own security oriented community.

Information on SWG has been gathered from personal experiences, SANS teachings, or real professionals in the field.
Forensic Acquisition Utilities
This is a collection of utilities and libraries intended for forensic or forensic-related investigative use in a modern Microsoft Windows environment. The components in this collection are intended to permit the investigator to sterilize media for forensic duplication, discover where logical volume information is located and to collect the evidence from a running system while at the same time guaranteeing data integrity (e.g. with a cryptographic checksum) and while minimizing changes to the subject system.
DMZS-Biatchux Bootable CD Forensics/Incident-Response/Recovery/Virus Scanning/Pen-Tester Platform
Biatchux is a portable, bootable CD-ROM-based distribution with the goal of providing an immediate environment to perform forensic analysis, incident response, data recovery, virus scanning and vulnerability assessment.
It is also capable of providing the necessary tools for live forensics/analysis: just mount the CD-ROM on your choice of OS (Win32, SPARC Solaris and x86 Linux); trusted static binaries are available in /statbins.
Native Win32 ports of some GNU utilities
Here are some ports of common GNU utilities to native Win32, including dd. In this context, native means the executables do only depend on the Microsoft C-runtime (msvcrt.dll) and not an emulation layer like that provided by Cygwin tools.
Instant Messaging Privacy and Security Solutions
One version of IMpasse protects multiple networks simultaneously — including AIM (AOL), MSN (Microsoft), and Yahoo messengers.