Wednesday, January 03, 2007

Wireless Forensics - Tapping the Air.

This is going to be a multi-part article. I found this on SecurityFocus and thought it would be fun to share.


http://www.securityfocus.com/infocus/1884?ref=rss

SOX 404 SIMPLIFIED. DATABASE CHANGE MANAGEMENT

The full article can be found here.

http://www.dbazine.com/ofinterest/oi-articles/mcquade2

But here are the highlights.

- Changes to the database are widely communicated, and their impacts are known beforehand.
- Installation and maintenance procedure documentation for the DBMS is current.
- Data structures are defined and built as the designer intended them to be.
- Data structure changes are thoroughly tested.
- Users are apprised, and trained if necessary, when database changes imply a change in application behavior.
- The table and column business definitions are current and widely known.
- The right people are involved throughout the application development and operational cycles.
- Any in-house tools are maintained and configured in a disciplined way.
- Application impacts are known prior to the migration of database changes to production.
- Performance is maintained at predefined and acceptable levels.
- The database change request and evaluation system is rational.
- Turn-around time on database changes is predictable.
- Any change to the database can be reversed.
- Database structure documentation is maintained.
- Database system software documentation is maintained.
- Migration through development, test, and especially production environments is rational.
- Security controls for data access are appropriate and maintained.
- Database reorganizations are planned to minimize business disruption.

Scully: SQL DB interface and Brute Forcer

Happy New Year Friends.

I would like to start off the new year blog with a flavor.

SensePost has released a new tool today for you all; it's called Scully.

Scully is a client interface to MSSQL and MySQL database servers. There is no more need for MSSQL/MySQL client libraries to be installed and no more need to set up an ODBC connection either. Simply add the IP/hostname, username, password, port and database name and SQL away.

Scully also performs password brute forcing for MySQL and MSSQL: clicking "Brute Force" opens a small window where you provide a server, username and port, specify MySQL/MSSQL, supply a text file list of passwords and click "Start". Scully will quickly attempt to brute force the correct password; there is also a "debug" option to view the progress of the brute force.
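On the server side, a password-list run like Scully's shows up as a burst of failed logins from one client. As an added example that is not part of the original post or of SensePost's tool, the following Python flags such bursts in MSSQL error-log lines (error 18456, "Login failed for user") and MySQL error-log "Access denied" warnings; the log lines are constructed samples and the threshold of five failures is an assumption.

```python
import re
from collections import Counter

# Constructed sample log lines (not from the original post): six MSSQL
# error-log login failures and five MySQL "Access denied" warnings.
SAMPLE_LOG = """\
2007-01-03 10:00:01.23 Logon       Login failed for user 'sa'. [CLIENT: 10.0.0.5]
2007-01-03 10:00:01.41 Logon       Login failed for user 'sa'. [CLIENT: 10.0.0.5]
2007-01-03 10:00:01.58 Logon       Login failed for user 'sa'. [CLIENT: 10.0.0.5]
2007-01-03 10:00:01.77 Logon       Login failed for user 'sa'. [CLIENT: 10.0.0.5]
2007-01-03 10:00:02.02 Logon       Login failed for user 'sa'. [CLIENT: 10.0.0.5]
2007-01-03 10:05:12.10 Logon       Login failed for user 'alice'. [CLIENT: 10.0.0.9]
070103 10:10:01 [Warning] Access denied for user 'root'@'10.0.0.5' (using password: YES)
070103 10:10:01 [Warning] Access denied for user 'root'@'10.0.0.5' (using password: YES)
070103 10:10:02 [Warning] Access denied for user 'root'@'10.0.0.5' (using password: YES)
070103 10:10:02 [Warning] Access denied for user 'root'@'10.0.0.5' (using password: YES)
070103 10:10:03 [Warning] Access denied for user 'root'@'10.0.0.5' (using password: YES)
"""

# MSSQL writes the failing login and the client address on the same line.
MSSQL_FAIL = re.compile(
    r"Login failed for user '(?P<user>[^']*)'\. \[CLIENT: (?P<client>[^\]]+)\]")
# MySQL reports the client host as part of the 'user'@'host' pair.
MYSQL_FAIL = re.compile(
    r"Access denied for user '(?P<user>[^']*)'@'(?P<client>[^']+)'")


def failed_logins(log_text):
    """Yield (dbms, client, user) for every failed-login line recognised."""
    for line in log_text.splitlines():
        m = MSSQL_FAIL.search(line)
        if m:
            yield ("mssql", m.group("client"), m.group("user"))
            continue
        m = MYSQL_FAIL.search(line)
        if m:
            yield ("mysql", m.group("client"), m.group("user"))


def brute_force_sources(log_text, threshold=5):
    """Return {(dbms, client): failures} for clients at or above the threshold.

    The threshold is an assumed tuning value; pick one above the normal
    mistyped-password rate for the server in question.
    """
    counts = Counter((dbms, client) for dbms, client, _ in failed_logins(log_text))
    return {key: n for key, n in counts.items() if n >= threshold}


if __name__ == "__main__":
    for (dbms, client), n in brute_force_sources(SAMPLE_LOG).items():
        print(f"{dbms}: {n} failed logins from {client}")
```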

Friday, December 15, 2006

SOX 404 Changes? How does this affect security?

APPROVED

1. Easier for foreign companies to withdraw their securities from American markets.

2. Increase the financial qualifications for investors in hedge funds, to a net worth of $2.5 million from the current standard of $1 million.

3. The S.E.C. adopted a rule that would save corporations the expense of mailing financial reports and proxy statements by enabling them to communicate with the vast majority of their investors through the Internet. (Investors can continue to receive paper copies of proxies and other material through the mail if they request them.)

And it proposed rules that would make it easier and less costly for banks to offer brokerage services.

STILL IN THE WORKS

1. Under those new guidelines, prosecutors in the field will now have to obtain permission from senior officials before trying to get companies that are under investigation to waive their attorney-client privilege.

2. In weighing whether to seek the indictment of a company, the prosecutors will also no longer be permitted to consider whether the company is paying the legal fees of an employee involved in the inquiry.

3. The changes announced by the commission on Wednesday fell short of what some companies and groups had sought. In the case of the auditing rules, for instance, many businesses had sought an exemption from the requirements of Section 404 of the Sarbanes-Oxley Act.

4. Instead of a blanket exemption, officials said, the proposed guidance would give many small companies a powerful new tool in restricting their auditors from engaging in what the executives viewed as expensive and unnecessary audits of financial controls that had minimum impact on financial statements.

5. Under the guidance proposed by the S.E.C., executives would evaluate the design of only those financial controls that might carry the risk of having a material impact on financial statements. Commission officials emphasized that the guidance is being drafted to be less onerous on smaller or less intricate companies.

Wednesday, December 13, 2006

ASP CMD SHELL on ASP 5.1

An interesting article was posted by Brett Moore on SecurityFocus this morning on how to obtain a cmd shell on IIS 5.1.

As we all know, such things used to exist for IIS 5.0. I haven't yet tested it, but this does make sense.

Here is the full link to the article.

http://www.securityfocus.com/archive/1/454268

I wanted to post the source code here, though it seems like Google Blogger has problems with some of the HTML tags.

Monday, December 11, 2006

Microsoft Threat Analysis & Modeling v 2.1

Microsoft Threat Analysis and Modeling v 2.1 was just released.

The Microsoft Threat Analysis & Modeling tool allows non-security subject matter experts to enter already-known information, including business requirements and application architecture, which is then used to produce a feature-rich threat model. Along with automatically identifying threats, the tool can produce valuable security artifacts such as:

- Data access control matrix
- Component access control matrix
- Subject-object matrix
- Data Flow
- Call Flow
- Trust Flow
- Attack Surface
- Focused reports


Those who are interested may download the tool from:

http://www.microsoft.com/downloads/thankyou.aspx?familyId=59888078-9daf-4e96-b7d1-944703479451&displayLang=en

Monday, December 04, 2006

Google Reader (100+)

Thursday, November 30, 2006

PWDUMPX Encrypted Password Retrieval

Penetration testers this is for you!

http://reedarvin.thearvins.com/tools.html

The PWDumpX v1.0 tool allows a user with administrative privileges to retrieve the encrypted password hashes and LSA secrets from a Windows system. This tool can be used on the local system or on one or more remote systems.

If an input list of remote systems is supplied, PWDumpX will attempt to obtain the encrypted password hashes and the LSA secrets from each remote Windows system in a multi-threaded fashion (up to 64 systems simultaneously).

The encrypted password hash information and the LSA secret information from remote Windows systems is encrypted as it is transferred over the network. No data is sent over the network in clear text.

This tool is a completely re-written version of PWDump3e and LSADump2 which integrates suggestions/bug fixes for PWDump3e and LSADump2 found on various web sites, etc.

Tuesday, November 28, 2006

Web Application Security Professionals Survey

Here is an interesting survey conducted by Jeremiah Grossman of WhiteHat Security.

http://jeremiahgrossman.blogspot.com/2006/11/web-application-security-professionals.html