Wednesday, June 23, 2010

OpenDNS creates FamilyShield service

OpenDNS: Introducing FamilyShield Parental Controls

Previously, you had to sign up for an OpenDNS account, which could be a bit confusing and challenging for a regular home user. To quote OpenDNS' Facebook comment: it's a "pre-configured, no-account-required way to use OpenDNS, with adult site blocking, phishing and malware protection on by default."

OpenDNS is a great service. It hasn't gotten more press because there's only so much you can do with DNS, meaning you can't do content filtering on individual URLs. Unfortunately, that's going to be an issue no matter what, because other content filtering solutions won't filter out individual YouTube videos, individual MySpace profiles or other social networking / content sites either. OpenDNS is fast, effective and efficient.

I've put it on my kids' machines and it's easy to get a whole house set up by simply configuring your router to point to the OpenDNS servers.

FamilyShield’s IPs are:

In the words of Tony the Tiger, "It's great!"


Friday, June 18, 2010

Follow up: the script that harvested iPad owners' email addresses

Praetorian Prefect | 114,000 iPad Owners: The Script that Harvested Their E-mail Addresses

If you're even curious about how someone could write something to take advantage of a web site, like AT&T's in the recent iPad owner email address debacle, Praetorian Prefect got a hold of and subsequently published the code that was used to harvest 114,000 email addresses of iPad owners.

While I'm not a developer, I have a lot of respect for those that are.  Reading through this, even if you're not a developer, you can see how it works.


Thursday, June 17, 2010

How you can tune IIS to help with SQL injection issues

Given all the press around SQL injection and IIS sites recently, I thought I'd cover the topic.

The first thing to do is grill your vendor about the security of their product. Ask them if they have processes in their development team to check for opportunities for SQL injection. Ask them if they've had their application systematically tested using one of the many source code scanners. Ask them if they've had a third party validate their application, or if they've had a penetration test done. The same questions can be put to an internal development team to ensure that code and applications that end up being published to the Internet, or internally(!), are protected from attacks of this nature.

While there isn't much press for SQL injection on internal web applications, think about how damaging those could be. Is there a web-based database internally that, if compromised or published on the Internet, would lead to damage to your reputation or even compromise your clients' accounts? It's worth checking to see if your internal apps have SQL injection issues too.

This link I ran across might be helpful for people running IIS. Even if you have apps that you have no control over, you may be able to prevent SQL injection through tuning IIS: "How IIS can help with SQL Injection".

As a side note, I've also used software-based application firewalls, like eEye SecureIIS, to help protect applications running on IIS.

What have you done that's worked to prevent issues with your IIS-hosted applications?


Tuesday, June 15, 2010

The end of the Mac is near? iOS devices king

This recent Newsweek article "R.I.P., Macintosh" has me thinking about whether Apple is going to continue to release new laptop and desktop hardware as well as their (now) "classic" operating system, OS X.  The author, Daniel Lyons, makes a great point by saying that Apple has entirely ignored any of their traditional hardware platforms in favor of updates to the iPhone, release of the iPad and shifting consumer focus to their mobile operating system by renaming it then calling a press conference to discuss it. 

I hope for the best and fear the worst, but suspect that there could be an exit strategy here for Apple. Shifting their focus to their proprietary devices (sound familiar?) and away from the hardware and software that have become largely commodity gives Apple the ability to keep tight control over everything that goes onto their systems. No longer do they need to be associated with Open Source, no longer do they need to be associated with standard Intel processors and motherboards. They can double their efforts into making proprietary hardware with proprietary operating systems.

I'm not excited about it.


Thursday, June 10, 2010

iPad owners' iTunes email accounts exposed

1) Find AT&T web site that shows iPad user info
2) Guess the "secret" numbers for iPad SIM cards
3) Write script to do this over and over, really fast
4) Profit!

The lesson learned isn't necessarily the obvious one of writing secure code, or authenticating people to a web site. The lesson here is DON'T ASSOCIATE YOUR PERSONAL STUFF WITH YOUR WORK EMAIL! Sheesh. Why do people do this? Keep work email for work and keep personal email for personal things, including your freakin' iPad. Email addresses are cheap and easy.

Managing two email addresses isn't hard either. Really, it's not. Don't try to convince me that it is. Use the tools you have available to you and create filters, create rules, unsubscribe from and resubscribe to things and get it done. This kind of thing will continue until people separate work and personal technology use out. It puts you at risk and it puts your company at risk, just like this.


Wednesday, June 9, 2010

New IIS / ASP.NET hack...114,000 sites!

Sucuri: Mass Infection of IIS ASP sites -

According to Sucuri, via Google searches, there are 114,000 sites that have been hacked in the last day, all pointing to malware hosted at  "it looks like a SQL injection attack against a third party ad management script."  If you can't get into the site itself, hack the third party app that's putting code on these sites too. Clever but not unexpected. Be very critical of the third-party apps you use on your site, including advertisers.


Monday, June 7, 2010

Test drive: LastPass for IE / Firefox / Windows Mobile / Android

A closer look at LastPass

I've been using LastPass for a bit now and have been pretty pleased with both the security model and the capabilities of the tools they provide. I have to agree, though, that it's not for the technically challenged because there's little help to understand the user interface or the whole package. LastPass can be confused by a site, for example, asking you to save things under similar names of other sites you've already saved, but let's talk about the software and then we'll get into the issues.

First thing to understand is that LastPass is designed as a major enhancement to the functionality of what web browsers already have built into them, password saving functionality for web sites you visit as well as storing other information you'd use on the web in a secure manner.  There are several nice things about how LastPass does it, however.
  • available on tons of mobile devices, web browsers and operating systems including IE, Firefox, Chrome and mobile devices (mobile devices are part of Premium services, $12/yr at this time)
  • your web site / password database is synced across all platforms
  • all passwords are encrypted on the local system, so no passwords are stored at, just the encrypted bits
  • stores shopping "profiles", as I'll call them, including your shipping and credit card information, if you choose to keep it there
All that being said, however, LastPass is not a direct replacement for something like eWallet, KeePass or Password Safe, which are all designed to manage lots of tidbits of information.  I have used all three of those products before LastPass and found eWallet most to my liking because it would allow me to easily store and categorize things like SSNs, VINs from my vehicles, frequent flier numbers, gym locker combinations, etc, into one application and storage place.  LastPass is geared almost exclusively to web sites and only has one option to store "Secure Notes" for absolutely anything else.

Testing LastPass on 2 mobile devices, Windows Mobile 6.5 and Android 2.1, the mobile UI needs some help too, although all my information was there, so I guess I can't complain too much.  The automatic web-fill options are not available on mobile platforms because they don't have the browser hooks for add-ons that are available on full-fledged PC platforms.

In the end, I have mostly migrated my eWallet information to LastPass.  I had several, several things that didn't import correctly, but upon emailing technical support, they had a developer contact me directly and we worked over several email dialogs to resolve issues with the import  of the eWallet export file.  eWallet is a lot more polished, but doesn't offer a toolbar to generate and capture passwords/logins.  I hope LastPass improves through interest/development.  There's a lot of promise here.


Sunday, June 6, 2010

Guess what? New patch for Flash, Acrobat and Reader

This just in: yet another vulnerability and therefore another update for Flash ...AND... Acrobat and Acrobat Reader. Another day, another issue with one of the pieces of software that gets installed on systems within the first wave of software installs (Office, Firefox, Flash, Acrobat, etc.). Maybe it's time to look for alternatives to Acrobat Reader for PDF files.


Friday, June 4, 2010

Default Database Passwords Still In Use - DarkReading

In my experience, developers and database administrators are the first to not be excited about good information security practices, so this article does not surprise me at all. I've been thinking of figuring out how to write a Nessus module and make sure the Oracle default passwords are all included. I should double check the ones that are already in it, but I know there's room for improvement, for sure.


Employees Put Personal Security, Interests Above Company's, Survey Says - data leak prevention/Security - DarkReading

Employees Put Personal Security, Interests Above Company's 

Surprise, surprise.  The lesson here is that if IT doesn't answer the needs of its customers, namely the employees, the employees will turn on them and start to create their own "creative" solutions.  The only way to make an enterprise truly secure is to make sure that people are also involved in protecting the data.  The only way to do this is to meet their needs, or at least listen to them, as well as making sure yours are also satisfied.


Thursday, June 3, 2010

New Mac malware - OSX/Onionspy

SANS: New Mac malware - OSX/Onionspy

Yes, as Macs become more popular, malware is going to be written for them. Two more things that make this even more interesting are in the comments of this SANS Diary article. #1) it would seem that to detect and remove it, you have to buy the anti-virus software of the company that discovered the malware. #2) the last comment seems to indicate that the makers of the malware have read the SANS Diary article and are stating that more malware for Macs is going to be released soon. Not trying to spread rumors, fear or panic, but maybe it's about time to start investing in anti-virus for your Mac.


Facebook “joke” leads to firing.

SANS: Facebook “joke” leads to firing:
About: Firing Dispatcher for Facebook drug joke

This is a sign of the times, when social networks and off-of-work comments lead to trouble at work. There is some sage advice from Marcus Ranum (writer of firewalls and legendary IDS products) who said recently "If you don't want to make something public don't blog, facebook, tweet, or otherwise publicly announce it! Three people can keep a secret if two of them are dead and nobody has published it on the Internet for all their 'friends' to see."


SPAM pretending to be from Habitat for Humanity

Now this is just sad, but unfortunately, crooks will try anything to launder the money, including impersonating a reputable, good charity. They're not trying to ask for your donations, they're trying to get you to receive money and then send it back to the crooks.

This is in line, however, with what the crooks are focusing on these days: finding ways to move the money they've gathered through renting out botnets or the like, and getting it to them without their real names being used. In the middle are unsuspecting "money mules" that receive money from one source and are willing to send it out to someone else. The "mules" can believe they have, technically, not done anything wrong, but are then accessories to a crime.


Wednesday, June 2, 2010

Technology News: Community: Should Hacking Be Encouraged?

What makes geniuses smart?  What makes a child successful at learning new things?  I'd argue that they're good at recognizing and learning new patterns.  Think about it a little.  Humans are, by nature, pattern matching machines.  Something happens, we learn from it, it happens again, we react the same or differently based on whether the result was desirable or not.  This is true in life and in learning.  I've found the most clever people in the world seem to be adept at learning new systems and then using all that built up knowledge about how things work to extend existing "patterns" into new patterns, new ideas, new products, new systems.  Hacking is simply a way to understand a pattern of something and see if some of the other "patterns" of breaking things apply, hopefully, leading to a new product or system that doesn't fail in those conditions.

Even if we're talking about "hacking" in the "clever manipulation of something to do something other than its original intended purpose", we should encourage the process of thinking outside the box and coming up with something new, interesting and creative, albeit in a legal way. :-)


Hacking The Security Infrastructure - DarkReading

It is interesting to note that now we've moved from hacking OSes, to hacking applications, to hacking security consoles.  This goes to show that you can find security holes in just about anything.  You can't assume that anything is secure, by default, or within a single protection mechanism.  The key is "defense in depth" and separation of key user and management systems.  There's no way to protect yourself 100%, but you should make it challenging to get to those management systems that are monitoring and/or maintaining the security infrastructure of the organization.


Coincidentally, when looking for an image to use for this post, I ran across a different discussion of hacking the physical infrastructure in Linux Journal that's an easy, thought provoking, 1 page read.

Tuesday, June 1, 2010

protecting data, by not having any

CNET: A world without records...

This article raises an interesting point that should be considered when considering a data retention plan.  Why keep the data in the first place?  I can understand regulatory efforts, certainly.  Keep what you need to keep, but if you don't fall under these requirements, don't keep what you don't need to keep.

I worked with a company a while back that had a policy of deleting off emails that were older than 90 PST excuses.  Seems an elegantly simple solution and one that isn't asked often enough.

Maybe we're just "collectors" by nature, and we need to learn to be able to "uncollect", for our own good.


A SANS tutorial on computer forensics, Part 1

SANS Computer Forensics Blog: Part 1 Organized Chaos and Panic

I was fortunate enough to be able to take the SANS SEC508 class a couple years ago and was thoroughly amazed at what I learned, not only from a technical level, but from the stories that Rob Lee could tell us from his experience. Now, through the SANS Computer Forensics blog, you can get an overview of how to do some of the same things that we did in class in lab exercises. When I took the class Helix was still free, but I suspect the Pro version has more capabilities too.

During class, Rob Lee and others had talked about the books at the left. I have purchased them and am working on reading through them.  So far, both are excellent resources.


Capture files via SMB with Wireshark!

Taddong Security blog: new plug-in for Wireshark

I'm going to have to try this on my home network.  Wireshark is one of the great tools that you can never spend too much time in.  There's tons of options and capabilities, now just to figure out how and when to use them all.  I have heard from reputable sources (former coworkers that I'd be happy to have a beer with), that the book on the left is the one to get if you really want to understand how to use Wireshark.  I may be visiting Amazon soon... :-)