You are browsing the archives of the category general.
22.4.2011 by tugrik.
There’s an excellent post on Security Principles and Maxims over at http://blog.blackswansecurity.com/2011/04/security-principles-maxims/
When discussing the ubiquitous and nebulous “Best Practice”, it’s handy to have an actual list of what that is - and this is a great start.
Posted in general | No comments »
15.6.2010 by tugrik.
TSCrack… courtesy of this page… http://ahlindia.17.forumer.com/a/tscrack_post179.html
It can be downloaded from here: http://web.archive.org/web/20030503034543/http://ackers.org.uk/tscrack/tscrack.exe
Posted in general | No comments »
7.6.2010 by tugrik.
http://www.raymond.cc/blog/archives/2009/03/22/install-every-single-internet-explorer-versions-on-your-computer/
We’ll see….
( time passes )
It didn’t…
Posted in general | 1 comment »
30.5.2010 by tugrik.
The md5sum for Metasploitable.zip obtained from a torrent… well it’s e54089ba72fe0127d06528decad9a6ae for me, which either means it’s fine, or if it’s the same for you, then at least we know we’ll have both been owned by the same hackers…
Posted in general | 1 comment »
12.4.2010 by faintdreams.
[Source - http://www.downloadsquad.com/2010/04/12/wordpress-blogs-hit-with-mass-malware-attack/]
“Hundreds of WordPress blogs, particularly those hosted by Network Solutions, have been hit with an attack that cripples the blogs and redirects visitors to a URL that loads malware. The attack has been reported by both Sucuri Security Labs and Trend Micro. It works by replacing the contents of a WordPress blog’s “siteurl” field (under wp_options) with some HTML code. That field isn’t supposed to contain HTML, so it effectively breaks the blog. Security companies haven’t figured out how the blogs were exploited, although Sucuri says it was probably SQL injection or a database problem at Network Solutions. Network Solutions is investigating, and looking to blame a WordPress theme or plugin for the security hole, Trend Micro says. Trend Micro also has some info on the malware that the blogs are now redirecting to: it’s a known malware family called BUZUS, and antivirus software should be able to identify it.
If your blog was affected, change your siteurl back to its old value. You can find it under manage database, in the wp_option table.”
This kind of platform attack is the most galling, because it’s something individual users of the software are powerless to protect themselves against. The onus is entirely on the hosting company, and it seems that in this case Network Solutions have a lotta ’splaining to do.
Posted in link, general | No comments »
18.3.2010 by matti.
In case you need some peace from the client, just send some questions in their direction….
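A defender-side check for the attack quoted above, added here as an example (it is not code from the post or from the article it quotes): it flags a WordPress siteurl option value that contains HTML or is not a plain http(s) URL, which is the symptom the article describes. The wp_options rows are constructed sample data, and checking the `home` option alongside `siteurl` is my own addition.

```python
# Added example (not from the original post): a defender-side check for the
# WordPress "siteurl" option described above. It flags values that contain
# HTML or that are not a plain http(s) URL. Sample rows are constructed.
import re
from urllib.parse import urlsplit

TAG_RE = re.compile(r"<\s*/?\s*[a-zA-Z!?][^>]*>")


def check_siteurl(value: str) -> list[str]:
    """Return the problems found in a siteurl/home option value.
    An empty list means the value looks like a clean http(s) URL."""
    problems = []
    if TAG_RE.search(value):
        problems.append("contains HTML markup")
    if re.search(r"\s", value):
        problems.append("contains whitespace")
    parts = urlsplit(value.strip())
    if parts.scheme not in ("http", "https"):
        problems.append(f"unexpected scheme {parts.scheme!r}")
    if not parts.hostname:
        problems.append("missing hostname")
    if parts.query or parts.fragment:
        problems.append("query string or fragment present")
    return problems


def audit_options(rows: list[dict], expected_host: str) -> dict[str, list[str]]:
    """Check every siteurl/home row of a wp_options export (list of dicts with
    option_name/option_value keys) and confirm the hostname is the one the
    site owner expects. Returns {option_name: [problems]} for bad rows."""
    findings = {}
    for row in rows:
        if row["option_name"] not in ("siteurl", "home"):
            continue
        problems = check_siteurl(row["option_value"])
        host = urlsplit(row["option_value"].strip()).hostname
        if host and host != expected_host:
            problems.append(f"hostname {host!r} is not {expected_host!r}")
        if problems:
            findings[row["option_name"]] = problems
    return findings


# Constructed sample: a clean row and a row defaced the way the article describes.
SAMPLE_ROWS = [
    {"option_name": "blogname", "option_value": "My Blog"},
    {"option_name": "home", "option_value": "http://blog.example.com"},
    {"option_name": "siteurl",
     "option_value": 'http://blog.example.com<script src="http://malware.invalid/x.js"></script>'},
]

if __name__ == "__main__":
    for name, problems in audit_options(SAMPLE_ROWS, "blog.example.com").items():
        print(f"{name}: {', '.join(problems)}")
```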
1) Physical Security
a. Who has access?
b. How is access regulated?
2) Password Security
a. Password history?
b. Password complexity?
c. Lockout?
3) Backup Security
a. Redundant?
b. Log files?
4) Users / Access Security
a. Who has access to the system?
b. From where is access granted?
c. Who are the application’s end users?
d. How do the end users interact with the application?
e. What security expectations do the end users have?
f. Which third parties supply data to the application?
g. Which third parties receive data from the applications?
h. Which third parties process the application’s data?
i. What mechanisms are used to share data with third parties besides the application itself?
j. What security requirements do the partners impose?
k. Who has administrative capabilities in the application?
l. What administrative capabilities does the application offer?
m. What security related regulations apply?
n. What auditing and compliance regulations apply?
o. What user privilege levels does the application support?
p. What user identification and authentication requirements have been defined?
q. What session management requirements have been defined?
r. What application performance monitoring requirements have been defined?
s. What application security monitoring requirements have been defined?
t. What application error handling and logging requirements have been defined?
u. How many logical tiers group the application’s components?
v. What access requirements have been defined for URI and Service calls?
w. What user authorization requirements have been defined?
x. How are user identities maintained throughout transaction calls?
5) Network Security
a. What details regarding routing, switching, firewalling, and load balancing have been defined?
b. What network design supports the application?
c. What core network devices support the application?
d. What network performance requirements exist?
e. What private and public network links support the application?
f. Which security devices are in place to enforce access?
g. Which networks are attached?
h. Which systems are connected on the same network segment?
i. How is the network segregated?
j. Are admin traffic and data traffic separated?
6) Data
a. What data does the application receive, produce, and process?
b. How can the data be classified into categories according to its sensitivity?
c. How might an attacker benefit from capturing or modifying the data?
d. What data backup and retention requirements have been defined for the application?
e. What data entry paths does the application support?
f. What data output paths does the application support?
g. How does data flow across the application’s internal components?
h. What data input validation requirements have been defined?
i. What data does the application store and how?
j. What data is or may need to be encrypted and what key management requirements have been defined?
k. What capabilities exist to detect the leakage of sensitive data?
l. What encryption requirements have been defined for data in transit over WAN and LAN links?
7) Systems
a. What operating systems support the application?
b. What hardware requirements have been defined?
c. What details regarding required OS components and lock-down needs have been defined?
d. Infrastructure Monitoring
e. What network and system performance monitoring requirements have been defined?
f. What mechanisms exist to detect malicious code or compromised application components?
g. What network and system security monitoring requirements have been defined?
8) Monitoring
a. What application auditing requirements have been defined?
b. What application performance monitoring requirements have been defined?
c. What application security monitoring requirements have been defined?
d. What application error handling and logging requirements have been defined?
e. How are audit and debug logs accessed, stored, and secured?
9) Operations
a. What physical controls restrict access to the application’s components and data?
b. What is the process for granting access to the environment hosting the application?
c. What is the process for identifying and addressing vulnerabilities in the application?
d. What is the process for identifying and addressing vulnerabilities in network and system components?
e. What access do system and network administrators have to the application’s sensitive data?
f. What security incident requirements have been defined?
g. How do administrators access production infrastructure to manage it?
h. What controls exist to protect a compromise in the corporate environment from affecting production?
i. What security governance requirements have been defined?
j. What corporate security program requirements have been defined?
k. What security training do developers and administrators undergo?
l. Which personnel oversee security processes and requirements related to the application?
m. What employee initiation and termination procedures have been defined?
n. What application requirements impose the need to enforce the principle of separation of duties?
10) Change Management
a. How are changes to the code/application controlled?
b. How are changes to the infrastructure controlled?
c. How are code/applications deployed to production?
d. What mechanisms exist to detect violations of change management practices?
11) Virtualization and Externalization
a. What aspects of the application lend themselves to virtualization?
b. What virtualization requirements have been defined for the application?
c. What aspects of the product may or may not be hosted via the cloud computing model?
Posted in general | No comments »
18.3.2010 by matti.
Short overview of BCP and DR….
The development of a BCP manual can have five main phases:
Analysis
Solution design
Implementation
Testing and organization acceptance
Maintenance
RTO = The Recovery Time Objective is the duration of time and a service level within which a business process must be restored after a disaster (or disruption) in order to avoid unacceptable consequences associated with a break in business continuity.
RPO = The Recovery Point Objective is the point in time to which you must recover data as defined by your organization. This is generally a definition of what an organization determines is an “acceptable loss” in a disaster situation. If the RPO of a company is 2 hours and the time it takes to get the data back into production is 5 hours, the RPO is still 2 hours. Based on this RPO the data must be restored to within 2 hours of the disaster.
MTPOD = Maximum Tolerable Period of Disruption
The Recovery Point Objective must ensure that the Maximum Tolerable Data Loss for each activity is not exceeded. The Recovery Time Objective must ensure that the Maximum Tolerable Period of Disruption (MTPOD) for each activity is not exceeded.
Threats considered in the analysis phase include:
* Disease
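The RTO / RPO / MTPOD relationships above carried through a small model, added here as an example (not from the post): it uses the post’s figures (an RPO of 2 hours, 5 hours to get data back into production) and shows that data loss is measured against the RPO while downtime is measured against the RTO. The backup schedule and the disaster time are constructed sample values.

```python
# Added example (not from the original post): RTO, RPO and MTPOD applied to a
# constructed backup schedule. Backup times and disaster time are sample values.
from dataclasses import dataclass


@dataclass
class RecoveryOutcome:
    data_loss_hours: float   # how far back the restored data is (compare to RPO)
    downtime_hours: float    # how long the process was unavailable (compare to RTO)


def simulate_recovery(backup_hours, disaster_hour, restore_hours):
    """Given the hours at which backups completed, the hour the disaster
    strikes and the time needed to restore, return what was actually lost
    and how long the service was down. Only backups completed before the
    disaster are usable, so a 5 h restore does not change the data loss."""
    usable = [t for t in backup_hours if t <= disaster_hour]
    if not usable:
        raise ValueError("no usable backup before the disaster")
    return RecoveryOutcome(data_loss_hours=disaster_hour - max(usable),
                           downtime_hours=restore_hours)


def worst_case_data_loss(backup_hours):
    """Largest gap between consecutive backups: the worst data loss the
    schedule can actually deliver, whatever RPO is written in the plan."""
    ts = sorted(backup_hours)
    return max(b - a for a, b in zip(ts, ts[1:]))


def meets_objectives(outcome, rpo_hours, rto_hours, mtpod_hours):
    """Return the objectives that were missed (empty dict means all met).
    The RPO bounds data loss, the RTO bounds downtime, and the RTO itself
    must sit inside the maximum tolerable period of disruption."""
    missed = {}
    if outcome.data_loss_hours > rpo_hours:
        missed["RPO"] = outcome.data_loss_hours
    if outcome.downtime_hours > rto_hours:
        missed["RTO"] = outcome.downtime_hours
    if rto_hours > mtpod_hours:
        missed["MTPOD"] = rto_hours
    return missed


if __name__ == "__main__":
    backups = [0, 2, 4, 6, 8]          # constructed: a backup every 2 hours
    outcome = simulate_recovery(backups, disaster_hour=7.5, restore_hours=5)
    print(outcome)                      # 1.5 h of data lost, 5 h of downtime
    print(meets_objectives(outcome, rpo_hours=2, rto_hours=4, mtpod_hours=8))
```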
* Earthquake
* Fire
* Flood
* Cyber attack
* Sabotage
* Hurricane
* Utility outage
* Terrorism
The goal of the solution design phase is to identify the most cost effective disaster recovery solution that meets two main requirements from the impact analysis stage. For IT applications, this is commonly expressed as:
The minimum application and application data requirements
The time frame in which the minimum application and application data must be available
The implementation phase, quite simply, is the execution of the design elements identified in the solution design phase. Work package testing may take place during the implementation of the solution; however, work package testing does not take the place of organizational testing.
The purpose of testing is to achieve organizational acceptance that the business continuity solution satisfies the organization’s recovery requirements. Plans may fail to meet expectations due to insufficient or inaccurate recovery requirements, solution design flaws, or solution implementation errors. Testing may include:
* Crisis command team call-out testing
* Technical swing test from primary to secondary work locations
* Technical swing test from secondary to primary work locations
* Application test
* Business process test
At minimum, testing is generally conducted on a biannual or annual schedule. Problems identified in the initial testing phase may be rolled up into the maintenance phase and retested during the next test cycle.
Maintenance of a BCP manual is broken down into three periodic activities. The first activity is the confirmation of information in the manual, roll out to ALL staff for awareness and specific training for individuals whose roles are identified as critical in response and recovery. The second activity is the testing and verification of technical solutions established for recovery operations. The third activity is the testing and verification of documented organization recovery procedures. A biannual or annual maintenance cycle is typical.
Disaster recovery planning is a subset of a larger process known as business continuity planning and should include planning for resumption of applications, data, hardware, communications (such as networking) and other IT infrastructure. A business continuity plan (BCP) includes planning for non-IT related aspects such as key personnel, facilities, crisis communication and reputation protection, and should refer to the disaster recovery plan (DRP) for IT related infrastructure recovery / continuity.
General steps to follow while creating BCP/DRP
Identify the scope and boundaries of the business continuity plan. This first step defines the scope of the BCP and gives an idea of the plan’s limitations and boundaries. It also draws on audit and risk analysis reports for the institution’s assets.
Conduct a business impact analysis (BIA). A business impact analysis is the study and assessment of the effects on the organization of the loss or degradation of business/mission functions resulting from a destructive event. Such loss may be financial, or less tangible but nevertheless essential (e.g. human resources, shareholder liaison).
Sell the concept of BCP to upper management and obtain organizational and financial commitment. Convincing senior management to approve the BCP/DRP is a key task; security professionals must obtain upper management’s approval of the plan to bring it into effect.
Each department will need to understand its role in the plan and support its maintenance. In case of disaster, each department has to be prepared for action. To recover and protect the critical functions, each department has to understand the plan and follow it accordingly. It is also important for each department to help create and maintain its portion of the plan.
The BCP project team must implement the plan. After approval from upper management, the plan should be implemented and maintained. The implementation team should follow the guidelines and procedures in the plan.
The NIST tool set can be used for BCP. The National Institute of Standards and Technology has published tools that can help in creating a BCP.
The following is a list of the most common strategies for data protection.
Backups made to tape and sent off-site at regular intervals (preferably daily)
Backups made to disk on-site and automatically copied to off-site disk, or made directly to off-site disk
Replication of data to an off-site location, which overcomes the need to restore the data (only the systems then need to be restored or synced). This generally makes use of storage area network (SAN) technology
High availability systems which keep both the data and system replicated off-site, enabling continuous access to systems and data
In many cases, an organization may elect to use an outsourced disaster recovery provider to provide a stand-by site and systems rather than using their own remote facilities.
In addition to preparing for the need to recover systems, organizations must also implement precautionary measures with an objective of preventing a disaster in the first place. These may include some of the following:
Local mirrors of systems and/or data and use of disk protection technology such as RAID
Surge protectors — to minimize the effect of power surges on delicate electronic equipment
Uninterruptible power supply (UPS) and/or backup generator to keep systems going in the event of a power failure
Fire prevention — alarms, fire extinguishers
Anti-virus software and other security measures
Posted in general | No comments »
5.1.2010 by tugrik.
Just in case you don’t read slashdot… as revealed on http://seattlewireless.net/~casey/?p=13 , the Kodak EasyShare Wireless Digital Picture Frames contain a lovely security issue.
As well as displaying pictures from an SD card, you can point the device at any RSS feed and have it display the contents. You just set up a FrameChannel account using the secret code that comes with the frame, and configure the feeds accordingly. However, in the Advanced Settings of this interface there’s a URL that shows a feed of everything being displayed on your frame. This is a very predictable URL, based on the device’s MAC address, so you can see what other frame owners are downloading to their device…
…and if you look through the comments at that URL, you’ll see that a lot of “informal assessment” of the service has taken place; it’s possible to reset the activation code for frames, determine the RSS feeds used by devices that have yet to be sold… and there’s some code in the comments to do that for you too.
As “Mike” aptly put it: “So Kodak has essentially built a system for letting complete strangers (a) browse your family photos, and (b) beam shock porn directly into your living-room?”
See also http://yro.slashdot.org/story/10/01/05/0413228/Kodak-Wireless-Picture-Frames-Open-To-Public
( on a side-note I was considering another posting, refuting the comments on http://www.altaware.com/articles/pentest.html, which I stumbled across recently. In the end I decided that was best left as an exercise for the reader, as the only retort I have that won’t take me an evening to write is “you’re not very familiar with pentesting are you?” )
Posted in hacking, general | 1 comment »
28.12.2009 by tugrik.
I wanted to say something, but, of course, Schneier has said it so well already…
http://www.schneier.com/blog/archives/2009/12/separating_expl.html
Seeing as the existing methods worked so well in preventing this attempt, it’s a good job they’re bringing in newer and more effective protective mechanisms….
Posted in opinion, general | 1 comment »
29.10.2009 by matti.
http://www.us-cert.gov/current/index.html#blackberry_phonesnoop_application_used_to
Here in full:
BlackBerry PhoneSnoop Application Used to Spy on Users
added October 27, 2009 at 11:59 am
US-CERT is aware of public reports of a new software application called PhoneSnoop. This software allows an attacker to call a user’s BlackBerry and listen to personal conversations. In order to install and setup the PhoneSnoop application, attackers must have physical access to the user’s device or convince a user to install PhoneSnoop.
US-CERT encourages users to only download BlackBerry applications from trusted sources and to password protect and lock BlackBerry devices.
Posted in link, general | No comments »