Dotsecure Information Security

Wireless Forensics - Tapping the Air.

2007-01-03T11:53:00.000-08:00

This is going to be a multi part article. I found this on Securityfocus, thought it would be fun to share.

http://www.securityfocus.com/infocus/1884?ref=rss

SOX 404 SIMPLIFIED. DATABASE CHANGE MANAGEMENT

2007-01-03T11:46:00.000-08:00

The full article can be found here .

http://www.dbazine.com/ofinterest/oi-articles/mcquade2

But here are the highlights.

Changes to the database are widely communicated, and their impacts are known beforehand.

Installation and maintenance procedure documentation for the DBMS is current.

Data structures are defined and built as the designer intended them to be.

Data structure changes are thoroughly tested.

Users are apprised, and trained if necessary, when database changes imply a change in application behavior.

The table and column business definitions are current and widely known.

The right people are involved throughout the application development and operational cycles.

Any in-house tools are maintained and configured in a disciplined way.

Application impacts are known prior to the migration of database changes to production.

Performance is maintained at predefined and acceptable levels.

The database change request and evaluation system is rational.

Turn-around time on database changes is predictable.

Any change to the database can be reversed.

Database structure documentation is maintained.

Database system software documentation is maintained.

Migration through development, test, and especially, production environments is rational.

Security controls for data access is appropriate and maintained.

Database reorganizations are planned to minimize business disruption.

Scully: SQL DB interface and Brute Forcer

2007-01-03T08:35:00.000-08:00

Happy New Year Friends.

I would like to start off the new year blog with a flavor.

Sensepos has released a new tool today for you all, its called Scully.

Scully is a client interface to MSSQL and MySQL database servers. No more need for
MSSQL/MySQL client libraries to be installed and no more need to setup an ODBC connection either. Simply add IP/Hostname, username, password, port and database name and SQL away.

Scully also performs password brute forcing for MySQL and MSSQL, by clicking "Brute Force" a little window pops out and you simply provide a server,username, port and specify MySQL/MSSQL, then you also provide a txt file list of passwords and click "Start". Scully will quickly attempt to brute force the correct password, one also has the option to set "debug" to view the progress of the brute force.

SOX 404 Changes? How does this affect the security?

2006-12-15T10:07:00.000-08:00

APPROVED

1. Easier for foreign companies to withdraw their securities from American markets.

2. Increase the financial qualifications for investors in hedge funds, to a net worth of $2.5 million from the current standard of $1 million.

3. The S.E.C. adopted a rule that would save corporations the expense of mailing financial reports and proxy statements by enabling them to communicate with the vast majority of their investors through the Internet. (Investors can continue to receive paper copies of proxies and other material through the mail if they request them.)

And it proposed rules that would make it easier and less costly for banks to offer brokerage services

STILL IN THE WORKS
1. Under those new guidelines, prosecutors in the field will now have to obtain permission from senior officials before trying to get companies that are under investigation to waive their attorney-client privilege.

2. In weighing whether to seek the indictment of a company, the prosecutors will also no longer be permitted to consider whether the company is paying the legal fees of an employee involved in the inquiry.

3. The changes announced by the commission on Wednesday fell short of what some companies and groups had sought. In the case of the auditing rules, for instance, many businesses had sought an exemption from the requirements of Section 404 of the Sarbanes-Oxley Act.

4. Instead of a blanket exemption, officials said, the proposed guidance would give many small companies a powerful new tool in restricting their auditors from engaging in what the executives viewed as expensive and unnecessary audits of financial controls that had minimum impact on financial statements.

5. Under the guidance proposed by the S.E.C., executives would evaluate the design of only those financial controls that might carry the risk of having a material impact on financial statements. Commission officials emphasized that the guidance is being drafted to be less onerous on smaller or less intricate companies.

ASP CMD SHELL on ASP 5.1

2006-12-13T08:31:00.000-08:00

Interesting article was posted by Brett Moore on Security Focus this morning, on how obtain cmd shell on IIS 5.1.

As we all know such things used to exist for IIS 5.0. I havent yet tested, but this does make sense.

Here is the full link to the article.

http://www.securityfocus.com/archive/1/454268

I wanted to post the source code here, though it seems like google blogger has problems with some of the html tags.

Microsoft Threat Analysis & Modeling v 2.1

2006-12-11T08:43:00.000-08:00

Microsoft Threat Analysis and Modeing v 2.1 was just released.

Microsoft Threat Analysis & Modeling tool allows non-security subject matter experts to enter already known information including business requirements and application architecture which is then used to produce a feature-rich threat model. Along with automatically identifying threats, the tool can produce valuable security artifacts such as:

- Data access control matrix
- Component access control matrix
- Subject-object matrix
- Data Flow
- Call Flow
- Trust Flow
- Attack Surface
- Focused reports

Those who are interested may download the tool from:

http://www.microsoft.com/downloads/thankyou.aspx?familyId=59888078-9daf-4e96-b7d1-944703479451&displayLang=en

Google Reader (100+)

2006-12-04T09:45:00.000-08:00

Google Reader (100+)

PWDUMPX Encrypted Password Retrieval

2006-11-30T14:39:00.000-08:00

Penetration testers this is for you!

http://reedarvin.thearvins.com/tools.html

The PWDumpX v1.0 tool allows a user with administrative privileges to retrieve the encrypted password hashes and LSA secrets from a Windows system. This tool can be used on the local system or on one or more remote systems.

If an input list of remote systems is supplied, PWDumpX will attempt to obtain the encrypted password hashes and the LSA secrets from each remote Windows system in a multi-threaded fashion (up to 64 systems simultaneously).

The encrypted password hash information and the LSA secret information from remote Windows systems is encrypted as it is transfered over the network. No data is sent over the network in clear text.

This tool is a completely re-written version of PWDump3e and LSADump2 which integrates suggestions/bug fixes for PWDump3e and LSADump2 found on various web sites, etc.

Web Application Security Professionals Survey

2006-11-28T10:16:00.000-08:00

Here is an interesting survey conducted by Jerremiah Grossman of Whitehat Security.

http://jeremiahgrossman.blogspot.com/2006/11/web-application-security-professionals.html

AJAX Security Basics

2006-06-19T16:14:00.000-07:00

Here is a great Ajax Security article which was posted on securityfocus.com.

http://www.securityfocus.com/infocus/1868

Effective Security Enables Powerful decisions

2006-05-03T17:07:00.000-07:00

Effective Security enables Powerful decisions.

Information is NOT Power. Timely access to accurate information can give the holder the ability to make powerful decisions.

Effective Information Technology can enable the required flow of information. Inappropriate Information Security Policies, Processes, application of controls and lack of awareness can stifle Effective Information Technology. Effective Security is the corollary of this position as it's proactive and encompasses every aspect of information flow throughout an organization together with customer’s partners and suppliers.

Avoiding risk is not an option for today’s users of technology. Measuring risk and mitigating threats to a point that you are comfortable with leads to Effective Security. Everyone (and every business) has a different perception and appetite for risk. Many use risk taking as a fundamental competitive advantage.

Effective Security can facilitate Effective Information Technology thereby enabling businesses and individuals to realize their potential - doing more with less risk.

----------------------------------------------------------------------------------------
Obtained from Steve Lambs' blog http://www.blogger.com/post-create.g?blogID=14492286.

10 Security Risks to Live By

2006-05-03T14:33:00.000-07:00

1. Security is not black and white.

2: The road to least privilege is a long one.

3: Sacrificing security for compatibility is a bad idea

4: Using the Windows Power Users group is never an answer to least privilege.

5: Your enterprise is only as secure as your most- and least-technical users.

6: "Not knowing" is often your biggest exposure point.

7: If you trust a single piece of security technology to do everything, you’re making a big mistake.

8: Any vendor who claims "100% security" is probably lying to you.

9: Not deploying updates is expensive.

10: The next big thing probably won’t do it all.

Be prepared. Be proactive. Be secure.

The excerpts of this article was obtained from the May volume of Microsoft Technet Magazine. The full article can be viewed at

http://www.microsoft.com/technet/technetmag/issues/2006/05/ReduceRisk/default.aspx

Tips for Security Active Directory

2006-05-03T14:19:00.000-07:00

1. Document What You Have
2. Control Your Administration
3. Limit the Number of Administrators
4. Test Group Policy Settings
5. Use Separate Administrative Accounts
6. Restrict Elevated Built-In Groups
7. Use a Dedicated Terminal Server for Administration
8. Disable Guest and Rename Administrator
9. Limit Access to the Administrator Account
10. Watch the DSRM Password
11. Enforce Strong Password Rules
12. Protect the Service Account’s Password
13. Make Sure that Each DC is Physically Secure
14. Minimize Unnecessary Services and Open Ports
15. Make the DC Time Source Secure
16. Audit Important Events
17. Use IPsec
18. Don’t Store LAN Manager Hash Values
19. Don’t Forget Your Business Practices

This was obtained from May volume of Microsoft Technet Magazine. The full article can be obtained by visiting

http://www.microsoft.com/technet/technetmag/issues/2006/05/SmartTips/default.aspx

Overview: Application Security Testing Procedures

2006-01-27T09:34:00.000-08:00

* Understanding the product and its architecture
* Identifying possible attack vectors
* Preparation of test cases
* Vulnerability Research & Discovery
* Exploitation of vulnerabilities found
* Compilation of final security testing report
* Final discussions of bug findings and fixes

FBI: 2005 Computer Crime Survey

2006-01-19T11:29:00.000-08:00

The FBI has published their 2005 computer crime survey, with responses from over 2,000 public and private organizations located across four U.S. states.

http://www.fbi.gov/publications/ccs2005.pdf

5 Mistakes of Vulnerability Management

2006-01-18T08:51:00.000-08:00

1. Scanning but failing to act on results

2. Thinking that patching is the same as vulnerability management

3. Believing that vulnerability management is only a technical problem

4. Assessing a vulnerability without looking at the whole picture

5. Not believing in Zero day vulnerabilities.

Secure Anonymous Browsing Made Simple

2006-01-17T10:08:00.000-08:00

Anonym.OS is an OpenBSD 3.8 Live CD with strong tools for anonymizing and encrypting connections. Standard network applications are provided and configured to take advantage of the tor onion routing network.

Onion Routing is a technique for pseudonymous (or anonymous) communication over a computer network, developed by David Goldschlag, Michael Reed, and Paul Syverson. It is based on David Chaum's Mix networks, though it includes a number of advances and modifications. Among these modifications is the concept of "routing onions", which encode routing information in a set of encrypted layers.

AnonymOS is based on Tor. Tor is a toolset for a wide range of organizations and people that want to improve their safety and security on the Internet. Using Tor can help you anonymize web browsing and publishing, instant messaging, IRC, SSH, and other applications that use the TCP protocol. Tor also provides a platform on which software developers can build new applications with built-in anonymity, safety, and privacy features.

To download AnonymOS and browse anonymously and security visit kaos theory security project website: http://theory.kaos.to/home.html"

In summary, as wired indicated in their article Anonymity on a DiskAnonym.OS is so easy to use, that you can hand it to your grandmother and send her off on her own to the local Starbucks.

ISO 27001 Officially Published

2005-11-14T14:15:00.000-08:00

Information security is a complex area, demanding standards to address specific aspects. These are currently addressed by ISO 17799 and the emerging ISO 27001.

ISO 17799 is a code of practice for information security. It details hundreds of specific controls which may be applied to secure information and related assets. It comprises 115 pages organized over 15 major sections.

ISO 27001 is a specification for an Information Security Management System, sometimes abbreviated to ISMS. It is the foundation for third party audit and certification. It comprises 34 pages over 8 major sections.

Both standards are intended to apply to all organizations, whether commercial or otherwise, and should assist anyone with responsibility for managing information security

http://17799.standardsdirect.org/

Web Application Evaluation Criteria Released

2005-11-14T14:14:00.000-08:00

Web Application Evaluation Criteria has been released by OWASP and may be downloaded from here:

http://www.webappsec.org/projects/waf_evaluation/v1/wafec-draft-1-20051007.pdf

List of Common Web Application Problems

2005-11-14T14:08:00.000-08:00

1. Brute Force Attacks
2. Insufficient Authentication
3. Insufficient Authorisation
4. Weak Password Recovery Validation
5. Credential/Session Prediction
6. Insufficient Session Expiration
7. Session Fixation
8. Content Spoofing / Cross-Site Scripting
9. Command Execution / Buffer Overflow / OS Commanding / Format String Attack
10. LDAP Injection / SQL Injection
11. SSI Injection
12. XPath Injection
13. Directory Indexing
14. Information Leakage
15. Path Traversal
16. Predictable Resource Location
17. Abuse of Functionality
18. Denial of Service
19. Insufficient Anti-Automation
20. Insufficient Process Validation
21. NTLM Authentication Connection Sharing
22. Insecure Indexing
23. DOM-based XSS
24. Cross-Site Request Forgery
25. HTTP Response Splitting
26. HTTP Request Smuggling

Aligning IT Security with Business Goals

2005-10-10T11:02:00.000-07:00

Here is a great article from SOX Journal on how to align IT Security with Business Goals.

http://www.s-ox.com/Feature/detail.cfm?ArticleID=1070

Eight Best Preactices For User Acess Security

2005-09-19T10:12:00.000-07:00

• Implement automatic PC session locking.
• Implement login failure lockout.
• Implement strong authentication.

• Limit and monitor user sessions for any given identity.

• Provide users with the time of their last login and teach them to review it and recognize the signs of a compromise.

• Ensure the "principle of least privilege."
• Ensure that obsolete accounts are removed or disabled.
• Control hostile code.

How To Get Your Network Hacked in 10 Easy Steps.

2005-09-11T23:50:00.000-07:00

1. Run unhardened applications
2. Log on everywhere as a domain admin
3. Open lots of holes in the firewall
4. Allow unrestricted internal traffic
5. Allow all outbound traffic
6. Don't harden servers
7. Use lame passwords
8. Use high level service accounts, in multiple places
9. Assume everything is OK
10. Don't patch anything.

Common Vulnerability Scoring System v1.0

2005-08-15T10:42:00.000-07:00

To date, a number of commercial computer security vendors and not-for-profit organizations have developed, promoted, and implemented systems to rank information system vulnerabilities. Unfortunately, there is no cohesion or interoperability among those systems and they are limited in scope as to what they cover. This document proposes an open and universal vulnerability scoring system to address and solve these shortcomings, with the ultimate goal of promoting a common language to discuss vulnerability severity and impact.

http://www.first.org/cvss/cvss-guide.html

Checklist for Securing Your Wireless Networks

2005-08-15T09:10:00.000-07:00

Change the default SSID for each wireless network access point device.

Disable automatic SSID broadcast.

Turn on WEP encryption.

Research upgrading your wireless network encryption to WPA/TKIP.

Filter the MAC address of your network card.

Change all default user names and passwords for new network access devices.

Change the default IP subnet that your wireless router is preset to (192.168.1.0).

Disable DHCP IP address generation.

Implement firewall protection between the wireless network and other networks and between the wireless network and the internet

Top 5 Tools for Every Security Admin

2005-08-15T08:44:00.000-07:00

Security administrators whose intents are to secure their organization's network(s) should have these 5 tools in their tool box which are also used by well known hackers.

Nessus is the world's most popular open-source vulnerability scanner used in over 75,000 organizations world-wide. http://www.nessus.org

Nmap is a free open source utility for network exploration or security auditing. It was designed to rapidly scan large networks, although it works fine against single hosts. Nmap uses raw IP packets in novel ways to determine what hosts are available on the network, what services (application name and version) those hosts are offering, what operating systems (and OS versions) they are running, what type of packet filters/firewalls are in use, and dozens of other characteristics. Nmap runs on most types of computers and both console and graphical versions are available. http://www.insecure.org

NetStumbler is a tools for windows that allows you to to detect Wireless
Local Area Networks (WLANs) using 802.11b and 802.11g.
http://www.netstumbler.com/downloads

NetView is a suite of three security tools for the system administrator or home user. NetView scans IP addresses for available Windows File & Print Sharing resources, PortScan scans IP addresses for listening TCP ports, and WebBrute scans web directories that are protected with HTTP authentication, testing the strength of the users' passwords. This suite is freeware penetration analysis software that will run on your Windows workstation. http://www.rawlogic.com/netview.

Winhex is a universal hexadecimal editor, particularly helpful in the realm of computer forensics, data rocovery, low-level data processing, and IT security. An advanced tool for everyday and emergency use: inspect and edit all kinds of files, recover deleted files or lost data from hard drives with corrupt file systems or from digital camera cards. http://www.x-ways.net/winhex/index-m.html

August 2005 Critical Microsoft Vulnerabilities

2005-08-09T14:19:00.000-07:00

Critical Vulnerabilities

Microsoft Security Bulletin MS05-038

Cumulative Security Update for Internet Explorer (896727)
Vulnerabilities exist in Internet Explorer, the most severe of these could allow an attacker to take complete control of an affected system.

Microsoft Security Bulletin MS05-039

Vulnerability in Plug and Play Could Allow Remote Code Execution and Elevation of Privilege (899588)
A remote code execution vulnerability exists in Plug and Play (PnP) that could allow an attacker who successfully exploited this vulnerability to take complete control of the affected system.

Microsoft Security Bulletin MS05-043

Vulnerability in Print Spooler Service Could Allow Remote Code Execution (896423)
A vulnerability exists in the Print Spooler service that could allow remote code execution

New Domain Foot Printing Tool

2005-08-03T10:48:00.000-07:00

SpiderFoot is a free, open-source, domain foot-printing tool. Given one or multiple domain names.
It will scrape the websites on that domain, as well as search Google, Netcraft, Whois and DNS to build up information like:

Subdomains
Affiliates
Web server versions
Users (i.e. /~user)
Similar domains
Email addresses
Netblocks

Project Homepage: http://www.binarypool.com/spiderfoot/

To download the tool please visit: http://prdownloads.sourceforge.net/spiderfoot/SpiderFoot-0.01b.zip?download

Major Categories of Web Application Security

2005-08-01T14:00:00.000-07:00

Network Security Assessment: Conducting Passive and/or Active assessment using open source and commerical tools such as Nessus, Retina, Qualys to find network based vulnerabilities.

"Black-box" testing: Black Box penetration involves the security of your application(s) or network(s)without any ‘insider’ knowledge of your organization.

"White-box" testing: Performing testing with inside knowledge of the target.

Code Scanning: Scanning raw source code looking for weaknesses which may lead to potential applicaiton vulnerabilities. This process should be implimented within (SDLC) software development life cycle.

Binary Scanning: Same concept of code scanning, except using Manual and Automated tools to find vulenrabilities within compiled applications.

Database Security Assessment: Identifying potential security exposures in database via Manual and Automated tools such as WebScarab, Achilles, Acunetix Web Application Scanner etc.

Web Services Security Assessment: Web services are programatic interfaces for application to application communication. An important characteristic of web services is that the interaction will be instantaneous, since interaction will be more from application to application rather than from humans to applications. Web Services Security Assessment is ensuring all web services which are combined to interact together, interact in secure fashion.

Security Information Management Systems (SIMS): Mechanism of collecting event log data from security devices and helping users make sense of it through a common management console. SIM tools generally consist of server software, agents installed either on servers or security devices, and a central management console.

Intorudction to TCP Wrappers

2005-08-01T13:35:00.000-07:00

TCP Wrappers works by interposing an additional layer, or wrapper, between client and server. This article looks at how this package can be used to enhance the security of a networking system.

http://lue.dyn.dhs.org/2005/20050726164809.html

Enjoy!

TRIKE - A CONCEPTUAL FRAMEWORK FOR THREAT MODELING

2005-08-01T13:21:00.000-07:00

Trike is a unified conceptual framework for security auditing from a
risk management perspective through the generation of threat models
in a reliable, repeatable manner. A security auditing team can use it
to completely and accurately describe the security characteristics of
a system from its highlevel architecture to its low-level
implementation details.

http://www.net-security.org/dl/articles/Trike_v1_Methodology_Document-draft.pdf

Minimum Security Requirements For Federal Information Systems

2005-08-01T10:18:00.000-07:00

NIST have put a draft paper on minimum security requirements for federal information systems. You may find the PDF version of the document on the NIST site: http://www.csrc.nist.gov/publications/drafts/FIPS-200-ipd-07-13-2005.pdf

"Specifications for Minimum Security Requirements", is probably the most useful portion of the document starting on page 2. The document covers 17 areas of importance to Information Security, ranging from (AC) Access Control to (SI) System and Information Integrity.

Definately is worth to take a look at.

Free Fault Injection Test Tools

2005-07-14T15:08:00.000-07:00

WebScarab (HTTPush, Exodus)
Paros Proxy
Burp Spider
Burp Proxy
SPIKE Proxy
SPIKE
Achilles Proxy
Odysseus Proxy
Webstretch Proxy
Absinthe
NGS SQL Injection Inference Tool
Sensepost Wikto (Google cached fault-finding)
Foundstone Sitedigger (Google cached fault-finding)
Athena (SnakeLabs)

Web Application Security Resources

2005-07-14T11:39:00.000-07:00