3/22/09

Cisco Router Black hole filtering

Black hole filtering is a technique usually used by service providers for traffic filtering without applying access-lists.

The technique is very useful in mitigating many types of DoS attacks. The idea behind black hole filtering is very simple: define the traffic you want to discard and configure a static route for it pointing to the Null0 interface.

The following rules summarize the technique:

  • Define the suspected traffic by destination.
  • Configure a static route pointing this destination to Null0.

Black hole filtering is based on the destination address of the packet. Packets routed to the Null0 interface are simply discarded. Static routes to the Null0 interface follow the same rules as normal static routes (redistribution, administrative distance, etc.).

Example:

!-- packets destined to 195.226.123.200 are discarded
ip route 195.226.123.200 255.255.255.255 null0

!-- Disable ICMP unreachable packets on the Null0 interface
interface Null0
 no ip unreachables
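An added audit script (not from the original post) that reads an IOS running-config fragment, lists every destination black-holed via Null0, and flags the case where `no ip unreachables` is missing under `interface Null0`, since without it the router answers every discarded packet with an ICMP unreachable. The config text is constructed sample data.

```python
import re

# Constructed sample of an IOS running-config fragment (not taken from a real router).
SAMPLE_CONFIG = """\
!
interface Null0
 no ip unreachables
!
ip route 0.0.0.0 0.0.0.0 192.0.2.1
ip route 195.226.123.200 255.255.255.255 Null0
ip route 198.51.100.0 255.255.255.0 Null0 name blackhole-scanner
ip route 10.20.0.0 255.255.0.0 GigabitEthernet0/1
!
"""

# 'ip route <destination> <mask> <next-hop-or-interface> ...'
ROUTE_RE = re.compile(
    r"^ip route\s+(?P<dst>\d+\.\d+\.\d+\.\d+)\s+(?P<mask>\d+\.\d+\.\d+\.\d+)\s+(?P<nh>\S+)",
    re.IGNORECASE,
)


def mask_to_prefix(mask):
    """Convert a dotted-decimal mask such as 255.255.255.0 to a prefix length."""
    bits = "".join(f"{int(octet):08b}" for octet in mask.split("."))
    if "01" in bits:  # a netmask must be a run of ones followed by zeros
        raise ValueError(f"non-contiguous mask {mask}")
    return bits.count("1")


def blackhole_routes(config):
    """Return 'destination/prefix' strings for every static route whose next hop is Null0."""
    routes = []
    for line in config.splitlines():
        m = ROUTE_RE.match(line.strip())
        if m and m.group("nh").lower() == "null0":
            routes.append(f"{m.group('dst')}/{mask_to_prefix(m.group('mask'))}")
    return routes


def null0_suppresses_unreachables(config):
    """True if the 'interface Null0' stanza contains 'no ip unreachables'."""
    in_null0 = False
    for line in config.splitlines():
        if re.match(r"^interface\s+null0\s*$", line.strip(), re.IGNORECASE):
            in_null0 = True
            continue
        if in_null0:
            # Interface sub-commands are indented; an unindented line or '!' ends the stanza.
            if not line.startswith(" ") or line.strip() == "!":
                in_null0 = False
                continue
            if line.strip().lower() == "no ip unreachables":
                return True
    return False


def audit(config):
    """Summarise the black hole configuration and list anything a reviewer should fix."""
    routes = blackhole_routes(config)
    findings = []
    if routes and not null0_suppresses_unreachables(config):
        findings.append(
            "Null0 still generates ICMP unreachables for discarded packets; "
            "add 'no ip unreachables' under 'interface Null0'"
        )
    return {"blackholed": routes, "findings": findings}


if __name__ == "__main__":
    print(audit(SAMPLE_CONFIG))
```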



3/17/09

Barada Open source Two Factor Authentication system

Perhaps you occasionally find it necessary to access your email or log in to a remote server from a computer that is not your own. The problem, of course, is that it is often unwise to type your password into computers that are not under your control. Terminals at libraries, internet cafes, or maybe even your less-careful friends' houses could be running keystroke loggers.

There are existing solutions for this, of course. The two obvious choices are a One Time Password system (like S/Key or OTPW) or a Two Factor Authentication system (like RSA SecurID or CryptoCard). We don't like the OTP option because it requires that you carry a list of passwords around with you, there can be logistical problems if you get to the end of your list while you're still traveling, and you have to type your constant "prefix" for each OTP into untrusted computers. So we prefer two factor authentication because there is the security of two factors (something you have and something you know) and it solves the keystroke logging problem in a more convenient way (no lists, no out of date information, no typing of anything but a temporary access code into untrusted computers).

Ironically, then, the problem with systems like SecurID or CryptoCard is that they're often not convenient. They cost money to license, the hardware costs money, and they're difficult to maintain. You have to set up a dedicated Solaris machine with RADIUS support just to deploy SecurID, which isn't really great for someone with a small setup.

And that's why we wrote this. Barada turns your phone into a two factor authentication device. It's an implementation of the HOTP protocol in the form of a PAM module (the server) and an Android application (the client).

Basically, in addition to a normal password, users are also assigned a PIN and a 128 bit key. Every time you'd like to log in using two-factor authentication, you open up the Android application, type in your PIN, and get back a six character one time password that you can then use to authenticate remotely. The PIN is not stored on the phone, and the OTP can only be used exactly once. Thus, the loss of the phone does not result in leaked passwords, and the capture of an OTP does not result in remote access.

This module can be installed above the normal authentication module in the PAM stack, so at any moment you can either use your normal password or Barada's two-factor authentication interchangeably. Sitting at a trusted computer, you might choose to quickly type in a password, while you might choose to use two-factor authentication when using a non-trusted or public computer.

Download :- Barada
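An added example, not Barada's own code, of the HOTP protocol (RFC 4226) the post describes: a six-digit code from an HMAC-SHA1 over a counter, plus a server-side verifier that accepts a code only once by advancing its counter past it. How Barada folds the PIN into the key is not stated in the post, so the PIN is left out; the key, counter window and class names are assumptions.

```python
import hashlib
import hmac
import struct


def hotp(key, counter, digits=6):
    """RFC 4226 HOTP: HMAC-SHA1 over the 8-byte big-endian counter, then dynamic truncation."""
    digest = hmac.new(key, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = digest[-1] & 0x0F                      # low nibble of the last byte picks the window
    code = struct.unpack(">I", digest[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


class HotpServer:
    """Server-side state for one user: the shared key and the next counter it expects.

    A presented code is accepted only if it matches one of the next LOOKAHEAD counter
    values (the client may have generated codes it never used). On success the server
    counter jumps past the matched value, so the same code can never be accepted twice,
    which is the 'used exactly once' property the post relies on.
    """
    LOOKAHEAD = 5

    def __init__(self, key):
        self.key = key
        self.counter = 0

    def verify(self, code):
        for step in range(self.LOOKAHEAD):
            candidate = self.counter + step
            if hmac.compare_digest(hotp(self.key, candidate), code):
                self.counter = candidate + 1       # consume this code and any skipped ones
                return True
        return False


class HotpClient:
    """What the phone application does: generate the next code and advance its counter."""

    def __init__(self, key):
        self.key = key
        self.counter = 0

    def next_code(self):
        code = hotp(self.key, self.counter)
        self.counter += 1
        return code


if __name__ == "__main__":
    # Constructed demo key; a real deployment would use a random 128-bit key per user.
    shared_key = bytes.fromhex("000102030405060708090a0b0c0d0e0f")
    server, phone = HotpServer(shared_key), HotpClient(shared_key)
    otp = phone.next_code()
    print("first use accepted:", server.verify(otp))   # True
    print("replay accepted:", server.verify(otp))      # False
```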

sslstrip

This tool provides a demonstration of the HTTPS stripping attacks. It will transparently hijack HTTP traffic on a network, watch for HTTPS links and redirects, then map those links into either look-alike HTTP links or homograph-similar HTTPS links. It also supports modes for supplying a favicon which looks like a lock icon, selective logging, and session denial.

To get this running:

  • Flip your machine into forwarding mode.
  • Setup iptables to redirect HTTP traffic to sslstrip.
  • Run sslstrip.
  • Run arpspoof to convince a network they should send their traffic to you.

Link:- SSLStrip

sslsniff

This tool was originally written to demonstrate and exploit IE's vulnerability to a specific man-in-the-middle attack. While Microsoft has since fixed the vulnerability that allowed leaf certificates to act as signing certificates, this tool is still occasionally useful for other purposes. It is designed to MITM all SSL connections on a LAN, and dynamically generates certs for the domains that are being accessed on the fly. The new certificates are constructed in a certificate chain that is signed by any certificate that you provide.

For a long time this was still useful in its original context with the default certificate that was provided, as certificates that were generated by expired non-signing certificates would trigger a click-through warning in some browsers which indicated the certificate in question was expired, but not that the whole certificate chain was completely invalid. These days some browsers, specifically Firefox 3, are more heavy-handed.

It is useful for deploying other vulnerabilities as well, some of which are public knowledge. This is the tool that the people who pulled the recent MD5 hash collision publicity stunt used to demonstrate MITM attacks with their rogue CA-certificate.

The three steps to get this running are:

  • Download and run sslsniff-0.5.tar.gz
  • Setup iptables
  • Run arp-spoof

WifiZoo Passive information gathering tool

WifiZoo is a tool to gather wifi information passively. I wanted to do something wifi-related somewhat helpful in wifi pentesting and I did this just to have fun after I discovered 'Ferret' from Errata Security. I know neither Ferret nor WifiZoo do anything spectacular, but I thought that the idea was fun/useful anyways.

I basically wanted something that I could run and try by itself to get info from open wifi networks (and possibly encrypted also in the future, at least with WEP :)) without joining any network, and covering all wifi channels, and this is what I came up with so far. It's written in python, I can modify it easily, and it fulfills its not-very-ambitious purpose. Kudos to scapy for doing pretty much all the packet parsing for me (scapy is great).

WifiZoo does the following:

  • gathers bssid->ssid information from beacons and probe responses *(now the graph contains the ssid of the bssid :), new in v1.1)*
  • gathers list of unique SSIDS found on probe requests (you can keep track of all SSIDS machines around you are probing for, and use this information on further attacks) *new in v1.1*
  • gathers the list and graphs which SSIDS are being probed from what sources *new in v1.1*
  • gathers bssid->clients information and outputs it in a file that you can later use with graphviz and get a graph with "802.11 bssids->clients". It gathers both src and dst addresses of packets to make the list of clients so sometimes you get weird graphs that are fun to analyze :) (basically, because I still need to omit multicast dst addresses and things like that). Using the dst address means that sometimes you get mac addresses of wifi devices that are not near you, but I think gives you information about the wifi 'infrastructure', again, I think :).
  • gathers 'useful' information from unencrypted wifi traffic (a la Ferret, dsniff, etc); like pop3 credentials, smtp traffic, http cookies/authinfo, msn messages, ftp credentials, telnet network traffic, nbt, etc. - and I think that's it.

Link:- Wifizoo

3/16/09

Special IP Addresses

There are a few special IP addresses on the Internet which are used only under special circumstances:

The limited-broadcast IP address.
The limited-broadcast IP address is 255.255.255.255. This special IP address is most commonly used during system setup, when the system has little idea about its own IP address and subnet address. It is also seen quite often in the routing tables of various systems. Keeping in mind IP routing, packets addressed to this address are never forwarded by routers.

The network-directed broadcast IP address.
This special IP address has the host part made up of all 255s, with its network part the same as that of the network to which it is applicable. A typical example is 202.255.255.255, where the network part of the IP address is 202 and the remaining part is the host-address part. Routers usually forward packets addressed to a network-directed broadcast address.

The subnet-directed broadcast IP address.
In such an IP address, the host part of the address is represented by 255s, whereas the subnet part of the address stands for an actual subnet.

The all-subnets-directed broadcast IP address.
Here, both the host and the subnet part of the address are represented by 255s. The subnet mask of the network must be known wherever such an address is being used.

The loopback IP address.
This special IP address stands for the localhost system. A packet addressed to the loopback address is actually addressed to the same local machine from which it originated. In effect, both the source and destination IP addresses point to the same system, though their values might be different. All loopback addresses must have the network part as 127; the most commonly used loopback address is 127.0.0.1.

The zeros IP address.
Typically, the 0.0.0.0 IP address is used as the zeros IP address. Such an IP address is mostly seen in a system's log files. If you see packets being sent from the zeros IP address, it means that an attacker is trying to fingerprint the target system (that is, the system where the log files were examined).
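An added classifier (not part of the original post) that sorts IPv4 addresses into the categories above, given the network and subnet prefix lengths as the post's definitions require, and then applies it to constructed firewall-style log lines to flag packets whose source address is one no real host should ever send from. The log format and the DHCP exception are assumptions.

```python
import ipaddress

LIMITED_BROADCAST = ipaddress.IPv4Address("255.255.255.255")
ZEROS = ipaddress.IPv4Address("0.0.0.0")
LOOPBACK_NET = ipaddress.IPv4Network("127.0.0.0/8")


def classify(addr, net_prefix, subnet_prefix):
    """Name the special-address class of addr.

    net_prefix is the length of the network part; subnet_prefix is the length of the
    network plus subnet part (pass the same value when the network is not subnetted).
    """
    ip = ipaddress.IPv4Address(addr)
    if ip == LIMITED_BROADCAST:
        return "limited-broadcast"
    if ip == ZEROS:
        return "zeros"
    if ip in LOOPBACK_NET:
        return "loopback"
    if not 0 < net_prefix <= subnet_prefix <= 30:
        raise ValueError("expected 0 < net_prefix <= subnet_prefix <= 30")
    network = ipaddress.IPv4Network(f"{addr}/{net_prefix}", strict=False)
    subnet = ipaddress.IPv4Network(f"{addr}/{subnet_prefix}", strict=False)
    if ip == network.broadcast_address:
        # Host part is all ones; if the subnet part is all ones as well, the address
        # reaches every subnet of the network.
        if net_prefix == subnet_prefix:
            return "network-directed-broadcast"
        return "all-subnets-directed-broadcast"
    if ip == subnet.broadcast_address:
        return "subnet-directed-broadcast"
    return "unicast"


# Source addresses that no legitimate host sends from on the wire; a packet carrying
# one is spoofed, malformed, or a probe of the kind the post attributes to 0.0.0.0.
NEVER_A_SOURCE = {
    "limited-broadcast", "zeros", "loopback", "network-directed-broadcast",
    "subnet-directed-broadcast", "all-subnets-directed-broadcast",
}


def suspicious_sources(log_lines, net_prefix, subnet_prefix):
    """Return the log lines (format 'key=value ...', constructed) with an impossible source."""
    flagged = []
    for line in log_lines:
        fields = dict(item.split("=", 1) for item in line.split())
        kind = classify(fields["src"], net_prefix, subnet_prefix)
        # Exception: DHCP DISCOVER/REQUEST legitimately comes from 0.0.0.0 to UDP port 67.
        if kind == "zeros" and fields.get("proto") == "udp" and fields.get("dport") == "67":
            continue
        if kind in NEVER_A_SOURCE:
            flagged.append(line)
    return flagged


# Constructed sample log lines for a 10.0.0.0/8 network subnetted into /16s.
SAMPLE_LOG = [
    "src=10.1.2.3 dst=10.1.2.1 proto=tcp dport=22",
    "src=0.0.0.0 dst=10.1.2.1 proto=tcp dport=80",
    "src=10.1.255.255 dst=10.1.2.1 proto=udp dport=137",
    "src=203.0.113.7 dst=10.1.255.255 proto=icmp",
    "src=0.0.0.0 dst=255.255.255.255 proto=udp dport=67",
]

if __name__ == "__main__":
    for line in suspicious_sources(SAMPLE_LOG, 8, 16):
        print("impossible source:", line)
```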

3/8/09

The Six Most Promising Security Startups of 2008

Looking for the latest hot technologies in security? So are the judges of the annual Global Security Challenge, a contest designed to help seek out and identify the most promising startups in the industry.

Yesterday, the GSC judges announced the six finalists for the award, which will be announced on Nov. 13. The winner will get a $500,000 grant in cash and mentorship from venture capitalists, courtesy of the Technical Support Working Group of the U.S. government.

Some of these technologies seem more useful to the Green Berets or the CIA than to the average enterprise. However, there are some emerging IT technologies in the list as well. Take a gander at this year's finalists -- and start thinking about your entry for 2009.

1. Beyond Encryption
This Irish company has built and deployed an enforcement tool for remote information security. It enables an organization to take an offensive approach and pursue any device and its data, putting either or both beyond the use of the current user. It is the first precision information protection weapon with pinpoint accuracy for targeting and protecting sensitive information on any device regardless of location.

2. Brain Fingerprinting Laboratories
Based in Seattle, this startup has developed a "brain fingerprinting" technology. This humane, non-invasive, and accurate scientific technology detects concealed information in the brain that can be used for interrogations of criminal suspects (yes, really). It can also detect Alzheimer's disease and measure advertising effectiveness.

3. Hiperware
This Singapore upstart has developed a real-time decision-making software that leverages cluster computing power for analyzing enterprise processes to actively identify errors and monitor process effectiveness.

4. Intuview
Based in Israel, this startup has developed a multi-engine “artificial intuition” software for real-time categorization, summarization, and intelligence extraction from large batches of documents in Arabic, relating to the domain of Islam and terrorism with the goal of creating a capability to interpret the hermeneutics of radical Islamic and terrorist related texts without the need to have well versed Arabic literate analysts on hand.

5. Precision Sensors Instrumentation
This Armenian company invented a single-layer, flat-coil-oscillator absolute-position sensor that enables users to do more accurate prediction of earthquakes and detection of armed activity in zero visibility settings.

6. TRX Systems
A spinoff from the University of Maryland, this emerging company has achieved a technological breakthrough for tracking first responders both outdoors and within complex structures. The TRX system is self-contained and requires no pre-existing infrastructure and can even create virtual floor maps in real time.

When Dates Attack

If you thought clicking on a URL in an email was dangerous, try going out on a date these days.
According to a report published yesterday in the Australian newspaper The Age, some single men have found some of their most sensitive information exposed recently on a new class of "alert" sites that let women warn their peers about men who turned out to be bad dates or boyfriends.

U.S.-based sites such as dontdatehimgirl.com and datingpsychos.com allow women to post warnings about men they've dated, according to the report. Some women have gone as far as to publish the addresses and phone numbers of their "exes," along with detailed descriptions on their personal flaws and mistakes.

The anonymous postings leave the "losers" with no legal recourse, because claims of abuse or defamation can only be made when the offenders can be positively identified. In a sample case described in the report, a man tried to take legal action, but was denied because the women he accused of doing the postings flatly denied making them.

The sites themselves cannot be sued because of U.S. law which states that information services providers are not responsible for content posted by their members. As a result, sites such as dontdatehimgirl.com can continue to operate without fear of legal action, the report states.

No word yet on whether there will soon be a similar site for men who want to warn others about the women they go out with. Until then, date carefully.

— Tim Wilson, Site Editor, Dark Reading

Compliance Costs Increasing

Now that most organizations are fairly deep into their compliance efforts, you'd think that the heavy lifting was over and the cost of compliance would be dropping off. Unfortunately, according to a new study, you'd be wrong.

According to an independent study on compliance costs released today by CA, almost half of the companies surveyed reported an increase in their compliance project spending, rather than a decrease.

In a study of some 575 enterprises worldwide, nearly 45 percent of respondents reported an increase in the time and monetary resources required to ensure compliance with 13 regulations and industry standards found in countries around the world.

In North America, 41 percent of organizations reported the introduction of new regulations as a reason for increasing compliance expenses. In Asia Pacific, where J-SOX was recently enacted, this number was significantly higher at 55 percent, the report states. Europe and Central/South America reported 40 percent and 29 percent, respectively.

Changes to existing regulations also were reported as a cost-raising factor by 49 percent of North American and Central/South American organizations, by 39 percent of Asia Pacific businesses, and by 34 percent of European organizations, CA says.

The study also showed that most of the respondents rely on manual processes to achieve compliance, although manual processes and a lack of centralized control are "a recipe for spiraling costs," the report says. More than two thirds of the respondents said they maintain information about the status of their IT compliance controls in multiple spreadsheets, and often within different organizational units.

“This survey verifies what we regularly hear from customers -- that compliance remains a big challenge for them in both direct cost and impact to business processes, and that the issue grows with every regulatory change or addition,” said Lina Liberti, vice president for CA Security Management.

— Tim Wilson, Site Editor, Dark Reading

WiFi Availability Explodes, But Many Networks Remain Insecure

WiFi access is more pervasive than ever -- but secure wireless access can still be hard to find, a new study said today.

According to a report on WiFi access trends published today by RSA, WiFi access continues to grow at a breakneck pace. The number of wireless access points has increased by 543 percent over the past year in Paris alone, the study says. London has more than 12,275 WiFi hotspots.

However, the security of these access points continues to be an issue. More than half of the hotspots in New York and London were found to be protected only by the now-discredited Wired Equivalent Privacy (WEP) standard, or by no encryption at all, RSA reported.

"Such is the speed at which WEP can be routinely cracked that it barely constitutes paper-thin protection in the face of today's sophisticated hackers," says Sam Curry, vice president of identity and access assurance at RSA. "We would strongly urge wireless administrators to discount WEP as a viable security mechanism and upgrade to WPA [WiFi Protected Access] -- or stronger -- without delay."

Many of the wireless access points found in the study were in-home networks, RSA reported. In London, there are more personal wireless access points than corporate WAPs, the study says.

Ref:- Tim Wilson, Site Editor, Dark Reading

Hack Simplifies Attacks On Cisco Routers

A security researcher has discovered a method of hacking Cisco routers with only basic knowledge about the targeted device.

Although researchers have found various vulnerabilities in Cisco routers, exploits mostly have been focused on hacks of specific IOS router configurations, which require targeted and skilled attacks. But Felix "FX" Lindner, a researcher with Recurity Labs, demonstrated last week at the 25th Chaos Communication Congress in Berlin a technique that lets an attacker execute code remotely on Cisco routers, regardless of their configuration.

"The bottom line is that before, all IOS exploits had to know the exact IOS image running on the target to get code execution. This is approximately a 1 to 100,000 chance, [and] a professional attacker doesn't risk his 0-day exploit when the odds are stacked against him like that," Lindner says. "I [demonstrated] that at least on one group of Cisco routers, there is a way to execute code without knowing the IOS image version [they are] running."

Lindner says his exploit method is independent of a router vulnerability, and applies only to stack-buffer overflow bugs. He was able to execute memory writes and to disable CPU caches on Cisco routers running on the PowerPC CPU. Lindner hasn't yet tested his technique on larger, more expensive Cisco routers, but plans to do so eventually.

Security researcher Dan Kaminsky says FX's hack disproves conventional wisdom in enterprises that routers are at low risk of attack, and that patching them is riskier than an attack due to the potential network outages that patching can incur.

The research also broke the barrier of one exploit, one router: "Three-and-a-half years ago it was international news that one guy got one exploit working on one Cisco router," he says. "Today, it's now clear that it's possible, given a flaw in IOS, to reliably exploit many versions of many routers.

"Something we thought was difficult, for no good reason, is now shown to be so very simple after all," Kaminsky says.

Lindner says his research shows that detection of Cisco IOS attacks should be focused on the payload of an exploit, such as a backdoor program, rather than on the exploit itself.

To protect against a widespread router attack, Cisco should encourage users to run more standard versions of IOS, as well as make IOS more modular to simplify patching for its customers with customized versions, Kaminsky says.

The bottom line is that enterprises need to change their tune when it comes to their IOS patching policy. When a remote-code execution bug is discovered in one of their routers, they should treat it like any other system vulnerability, Kaminsky says. "They should treat it as equivalent to a vulnerability against sensitive servers or domain controllers, and act accordingly," he says. And that may require working closely with Cisco on just how to do that, he adds.

Ref:- Presentation

WarVOX suite for advanced War Dialer

WarVOX is a suite of tools for exploring, classifying, and auditing telephone systems. Unlike normal wardialing tools, WarVOX works with the actual audio from each call and does not use a modem directly. This model allows WarVOX to find and classify a wide range of interesting lines, including modems, faxes, voice mail boxes, PBXs, loops, dial tones, IVRs, and forwarders.

WarVOX provides the unique ability to classify all telephone lines in a given range, not just those connected to modems, allowing for a comprehensive audit of a telephone system.

WarVOX requires no telephony hardware and is massively scalable by leveraging Internet-based VoIP providers. A single instance of WarVOX on a residential broadband connection, with a typical VoIP account, can scan over 1,000 numbers per hour. The speed of WarVOX is limited only by downstream bandwidth and the limitations of the VoIP service. Using two providers with over 40 concurrent lines we have been able to scan entire 10,000 number prefixes within 3 hours.

The resulting call audio can be used to extract a list of modems that can be fed into a standard modem-based wardialing application for fingerprinting and banner collection. One of the great things about the WarVOX model is that once the data has been gathered, it is archived and available for re-analysis as new signatures, plugins, and tools are developed. The current release of WarVOX (1.0.0) is able to automatically detect modems, faxes, silence, voice mail boxes, dial tones, and voices.

For more information:
WarVOX 1.0.0

3/5/09

LetDown TCP Flooder, ReverseRaider Subdomain Scanner & Httsquash HTTP Server Scanner Tool

An interesting collection of tools for pen-testing including a DoS tool (something you don’t often see publicly released).

Complemento is a collection of tools that the author originally created for his own personal toolchain for solving some problems or just for fun. Now he has decided to release it to the public.

LetDown is a TCP flooder written after the author read the article by Fyodor entitled "TCP Resource Exhaustion and Botched Disclosure".

ReverseRaider is a domain scanner that uses brute force wordlist scanning to find a target's sub-domains, or reverse resolution for a range of IP addresses. This is similar to some of the functionality in DNSenum.

Httsquash is an HTTP server scanner, banner grabber and data retriever. It can be used for scanning large ranges of IP addresses and finding devices or HTTP servers (there is an alpha version of a GUI for this).

You can download Complemento v0.4b here:
complemento-0.4b
Or read more here.

Web Mail Auth Tool For Testing Web Mail Logins

WMAT (Web Mail Auth Tool) provides some essential functions for testing web mail logins. It is written in Python using pyCurl.

How does it work?
It is very simple: you give WMAT a file with usernames, a file with passwords, the URL of the web mail app, and choose a pattern for the attack. Patterns are XML files that define the post/get fields, HTTP method, referer, success tag, etc. for each web mail application.

There are currently patterns for horde, squirrelmail, kerio and mdaemon web mail.
The XML pattern files look like this:

--- horde.wmat.xml ---


horde_user
horde_pass
login.php
sidebar.php
post



ivan.markovic@netsec.rs

-----------------------


The author of WMAT asks the community for help with the patterns; the author of each pattern will be credited in the author field of the XML file.

There are some more options like setting timeout (time between each request), bell on success and option for writing output in file. More can be seen in the Readme file here.
For future versions the following additions are planned:

  • using a proxy
  • special addon for generation of usernames/passwords
  • automatic recognizer of web app

You can download WMAT here:
wmat.zip (Python source).
Or read more here.
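On the defender's side, the behaviour this tool produces (a burst of login POSTs from one source, possibly followed by a hit on the page that marks success) is easy to spot in web server logs. The following detector is an added example, not part of WMAT or the original post; it assumes, as the stripped horde pattern above suggests, that login.php is the login URL and sidebar.php is the page reached after a successful login, and the Apache combined-format log lines are constructed.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed Apache combined-format lines (sample data, not from a real server).
SAMPLE_LOG = [
    '203.0.113.5 - - [05/Mar/2009:09:58:40 +0000] "POST /horde/login.php HTTP/1.1" 302 0 "-" "Mozilla/5.0"',
    '203.0.113.5 - - [05/Mar/2009:09:58:41 +0000] "GET /horde/sidebar.php HTTP/1.1" 200 4102 "-" "Mozilla/5.0"',
    '198.51.100.23 - - [05/Mar/2009:10:00:01 +0000] "POST /horde/login.php HTTP/1.1" 200 1532 "-" "-"',
    '198.51.100.23 - - [05/Mar/2009:10:00:02 +0000] "POST /horde/login.php HTTP/1.1" 200 1532 "-" "-"',
    '198.51.100.23 - - [05/Mar/2009:10:00:02 +0000] "POST /horde/login.php HTTP/1.1" 200 1532 "-" "-"',
    '198.51.100.23 - - [05/Mar/2009:10:00:03 +0000] "POST /horde/login.php HTTP/1.1" 200 1532 "-" "-"',
    '198.51.100.23 - - [05/Mar/2009:10:00:04 +0000] "POST /horde/login.php HTTP/1.1" 200 1532 "-" "-"',
    '198.51.100.23 - - [05/Mar/2009:10:00:05 +0000] "POST /horde/login.php HTTP/1.1" 302 0 "-" "-"',
    '198.51.100.23 - - [05/Mar/2009:10:00:06 +0000] "GET /horde/sidebar.php HTTP/1.1" 200 4102 "-" "-"',
]

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3})'
)


def parse(line):
    """Parse one combined-format line into a dict, or return None if it does not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    return {
        "ip": m.group("ip"),
        "ts": datetime.strptime(m.group("ts"), "%d/%b/%Y:%H:%M:%S %z"),
        "method": m.group("method"),
        # last path component without query string, e.g. 'login.php'
        "page": m.group("path").split("?", 1)[0].rsplit("/", 1)[-1],
        "status": int(m.group("status")),
    }


def detect_login_bursts(lines, login_page="login.php", success_page="sidebar.php",
                        threshold=5, window=timedelta(seconds=60)):
    """Return (ip, kind) alerts.

    'login-burst': at least `threshold` login POSTs from one IP inside `window`.
    'success-after-burst': the same IP then reached the success page, i.e. one of the
    guessed credentials probably worked and that account needs attention.
    Each alert is raised once per IP.
    """
    recent = defaultdict(list)   # ip -> timestamps of login POSTs still inside the window
    alerted = set()
    alerts = []
    for rec in filter(None, map(parse, lines)):
        ip, ts = rec["ip"], rec["ts"]
        if rec["method"] == "POST" and rec["page"] == login_page:
            stamps = recent[ip]
            stamps.append(ts)
            while stamps and ts - stamps[0] > window:   # slide the window forward
                stamps.pop(0)
            if len(stamps) >= threshold and (ip, "login-burst") not in alerted:
                alerted.add((ip, "login-burst"))
                alerts.append((ip, "login-burst"))
        elif rec["page"] == success_page and len(recent[ip]) >= threshold \
                and (ip, "success-after-burst") not in alerted:
            alerted.add((ip, "success-after-burst"))
            alerts.append((ip, "success-after-burst"))
    return alerts


if __name__ == "__main__":
    for ip, kind in detect_login_bursts(SAMPLE_LOG):
        print(f"{kind}: {ip}")
```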

SSLstrip - HTTPS Stripping Attack Tool

This tool provides a demonstration of the HTTPS stripping attack that was presented at Black Hat DC 2009. It will transparently hijack HTTP traffic on a network, watch for HTTPS links and redirects, then map those links into either look-alike HTTP links or homograph-similar HTTPS links. It also supports modes for supplying a favicon which looks like a lock icon, selective logging, and session denial. For more information on the attack, see the video from the presentation on the homepage.

To get this running:
  • Flip your machine into forwarding mode.
  • Setup iptables to redirect HTTP traffic to sslstrip.
  • Run sslstrip.
  • Run arpspoof to convince a network they should send their traffic to you.
  • That should do it.
How does this work?

First, arpspoof convinces a host that our MAC address is the router’s MAC address, and the target begins to send us all its network traffic. The kernel forwards everything along except for traffic destined to port 80, which it redirects to $listenPort (10000, for example).

At this point, sslstrip receives the traffic and does its magic.
You can download sslstrip 0.2 here:
sslstrip-0.2.tar.gz
Or read more here.

3/3/09

Big Issue- The Never Expiring Password

It seems that many if not all IT Auditors, CSOs, and IT security staff live daily with the fear of the “never expiring password” being exposed. It is the unspoken taboo – the wide open back door in every corporate network today. It is virtually certain that there is not a single business critical application in your company that isn’t wide open. Do you ever wonder how it is that information such as credit card details, personal data and intellectual property always seems to be so vulnerable? You would think that companies had adequate security precautions to stop this happening, and yet it continues to be a problem.

So where is this wide open back door? In every one of your applications.

When, for example, a user accesses a web based application through a Portal, behind the scenes an awful lot of activity takes place to present the information to the user. This information is stored on systems and databases in your organisation. In order to access these resources, the Portal uses service accounts created on the systems to access the data.

The challenge of securing, managing and sharing the service accounts becomes a major overhead issue for IT departments and application managers in your organisation. The Service Account Passwords that enable applications to communicate with each other must also be managed as they present one of the biggest security backdoors.

In order for these applications to get access to data, they have to “logon” to the systems and applications that store the data, and since the credentials to logon are in the application, they are embedded in the code. Now since it is clearly impractical to rewrite applications on a regular basis, just to change the user ID and password, the result is that the user ID and password never changes. So what’s the big deal you might ask? Well there are a number of things.

Firstly you have the problem of the never expiring password on a system which is accessible by administrators and anyone else who might have privileged access to a system. The problem is more acute when a company is relying on hosting services from a third party. Your applications are accessing valuable business critical data thousands of times a day, using the same user ID and password. In fact there might very well be hundreds of applications all accessing using the same credentials. And since the applications do not have any integrated security such as VPN technology, the passwords to these accounts are often stored in clear text (not encrypted), thus becoming visible to developers, support staff and anyone that has access to the application code.

Secondly because these passwords are often hard coded within the applications/scripts, a reset of a Service Account password becomes a complex process involving changes to application code, compilation, and in some cases a long process of transferring the code from development to QA to production. In some cases this change might result in or require downtime for the application, a scenario that is unacceptable in cases of confidential information.

Thirdly auditing is virtually impossible. Because the credentials that are embedded in the application, although in theory only accessible to the application they can actually be used by any developer who has access to the code. So if for example a person was to log in using the credentials, it would be impossible to discover this through a simple audit check.

Finally the most serious aspect of this is that this user ID and password is known by developers and support staff and can be used for personal access to the resources. And in many cases today those credentials are know by off-shore developers who have been contracted to develop the applications for your organisation. So access to your business data is ultimately in the hands of developers who may be thousands of miles away.

It is likely that your organisation has gone to unprecedented efforts to secure your access as a user, using all kinds of innovative technology from tokens to digital certificates, while at the same time forgetting, or possibly choosing to ignore, that unauthorized personnel including ex-employees, MSP staff and off-shore developers have the keys to open up your most valuable assets. The good news is that there are solutions available that will allow you to once and for all face up to this unspoken taboo and eliminate this threat.

The solution is digital vaulting technology. It means that no organisation today needs to feel a sense of being exposed to risks in this area. Regardless of the platform, the technology is available today to ensure that all your applications will never again require the never expiring password, but the first step in solving the problem is to face up to the unspoken taboo in your organisation and do something about it.

Beware the Default Password

During the course of a recent security audit I was rather surprised to find a critical system still running with a default password. The default password has long been the bugbear of many a security admin. At the same time it has been the savior of many of us at one stage or another, desperately locked out from that system, urgently requiring access, and with no clue as to what the password is, or might be.

The default password is generally installed by the manufacturer, most often on hardware devices such as routers and wireless access points, but also by software application developers and even on some operating systems, although this is becoming less and less commonplace. The default password exists to allow an administrator initial access, for setup and configuration, and you are generally forced, or at least you should be, to change the password to something more complicated as the configuration advances. Unfortunately, this is not a step that everyone takes.

Worse again, there have been numerous accounts of software and hardware products that have 'undocumented' administrative accounts installed. So, even if you took the conscientious step of removing or changing what you thought was the default, you may still be exposed. Take Oracle for example. Pete Finnegan, the self-confessed master of all things Oracle, maintains a web page devoted to the Oracle default password. At the last count, there are more than 600 unique accounts in his list. Mr. Finnegan has some interesting views on how many of these accounts come to be created in the first instance. He says some "are created by Oracle itself when the database is created. For instance the accounts SYS and SYSTEM, DBSNMP and OUTLN are often created by default when a database is created. If the database is created by using the wizard the problem can be much bigger with 10s or 20s of accounts being created simply as part of the database creation".

It is also the case that further Oracle default users can be created when third party software is installed for use such as BAAN or SAP. The same issues of default users being added to the database can occur when third party development or maintenance tools are added such as TOAD or PL/SQL Developer. An excellent tool that will scan your Oracle implementation for signs of default accounts can be downloaded here. If your organization uses Oracle, there is a strong chance that you will be susceptible.

As recently as February this year, researchers at the University of Indiana published reports that show how attackers could take over your home router using malicious JavaScript code. All that is required is for the default password to be in place. Once the router has been compromised, victims can be redirected to fraudulent Web sites, the researchers say. So instead of downloading legitimate Microsoft software updates, for example, they could be tricked into downloading malware. Instead of online banking, they could be giving up sensitive information to phishers. At the heart of the problem is the fact that consumer routers ship with simple, well-known default passwords, like "admin," which could be exploited by attackers. "Owners of home routers who set a moderately secure password - one that is non-default and non-trivial to guess - are immune to router manipulation via JavaScript," the paper states.

It is easy to lay some of the blame at the door of the manufacturer. They could be accused of shipping product with poorly configured security settings. Let's face it; it is not hard for them to force the user to change the initial configuration password. But that alone is not enough. What about the 'undocumented' password, the one that you don't even know about?

There are resources available on the Internet that allow you to audit your network devices and software applications. This should be performed as part of your yearly audit schedule. A simple Google search for 'default password list' yields hundreds of sites that claim to have the most comprehensive database of default passwords. One of the oldest, and still reliable, can be found here. It makes for some interesting reading and is regularly updated. Whatever the organization, whatever the choice of software or hardware vendor, the default password is likely to raise its ugly head from time to time. Be proactive and get scanning. You will be amazed at what you may find.

Advanced Encryption Standard by Example

The following document provides a detailed and easy to understand explanation of the implementation of the AES (RIJNDAEL) encryption algorithm. The purpose of this paper is to give developers with little or no knowledge of cryptography the ability to implement AES.

Download the paper in PDF format here

Reducing Shoulder-surfing by Using Gaze-based Password Entry

Shoulder-surfing – using direct observation techniques, such as looking over someone's shoulder, to get passwords, PINs and other sensitive personal information – is a problem that has been difficult to overcome. When a user enters information using a keyboard, mouse, touch screen or any traditional input device, a malicious observer may be able to acquire the user’s password credentials.

EyePassword is a system that mitigates the issues of shoulder surfing via a novel approach to user input. With EyePassword, a user enters sensitive input (password, PIN, etc.) by selecting from an on-screen keyboard using only the orientation of their pupils (i.e. the position of their gaze on screen), making eavesdropping by a malicious observer largely impractical.

This paper describes a number of design choices and discusses their effect on usability and security. We conducted user studies to evaluate the speed, accuracy and user acceptance of our approach. Our results demonstrate that gaze-based password entry requires marginal additional time over using a keyboard, error rates are similar to those of using a keyboard and subjects preferred the gaze-based password entry approach over traditional methods. Download the paper in PDF format here.

Data encryption & Tokenization Truths

Data encryption truths
Truth 1: If you encrypt data and lose the encryption key, the data is lost forever. There is no way to get it back.
Truth 2: If you encrypt data and don't control access to the keys, you haven't secured the data at all.
Truth 3: The fewer places you store the sensitive data, the better.

Tokenization truths
Truth 1: While field sizes increase when encrypting data, token size can follow the same size and format of the original data field.
Truth 2: Using tokens in place of actual credit card numbers or other sensitive data can reduce the scope of risk by limiting the number of places ciphertext resides.
Truth 3: Tokens can be used as indexes in key table relationships within databases, while ciphertext cannot.
Truth 4: For instances where employees do not need to see the full encrypted value, using mask-preserving token values in place of encrypted data reduces the scope of risk.
Truth 5: There is a one-to-one relationship between the data value and token throughout the enterprise, preserving referential integrity.

Token server attributes and best practices

Tokenization provides numerous benefits to organizations that need to protect sensitive and confidential information. Fortunately, token servers that support best practices are emerging to make it easier for enterprises to implement tokenization.

Look for a token server with the following attributes:
• Reduces risk - Tokenization creates a central, protected data silo where sensitive data is encrypted and stored. Using a token server should greatly reduce the footprint where sensitive data is located and eliminate points of risk.
• No application modification - Token servers generate tokens that act as surrogates for sensitive data wherever it resides. Tokens maintain the length and format of the original data so that applications don't require modification.
• Referential integrity - Token servers enforce a strict one-to-one relationship between tokens and data values so that they can be used as foreign keys and so referential integrity can be assured whenever an encrypted field is present across multiple applications and data sets.
• Control and flexibility - The best token servers will give IT complete control of the token-generation strategy. For example, the last four digits of the data can be preserved in the token, allowing the token to support many common use-cases.
• Streamlines regulatory compliance - A token server enables organizations to narrow the scope of systems, applications and processes that need to be audited for compliance with mandates such as PCI DSS.

Source: InSecure & nuBridges
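As an added illustration of how a token server can satisfy the truths and attributes above (this is constructed example code, not the InSecure/nuBridges text or any vendor's product), here is a toy Python vault: tokens keep the original field's length and all-digit format, preserve the last four digits, map one-to-one to the stored value, and the sensitive value itself never leaves the vault. Applications outside the vault hold only tokens, which is what shrinks the footprint of sensitive data.

```python
import secrets

DIGITS = "0123456789"


class TokenServer:
    """Constructed toy token vault (added example, not nuBridges code).

    Demonstrates the tokenization truths above: a token keeps the length
    and all-digit format of the original field, preserves the last four
    digits for display use-cases, maps one-to-one to the underlying value
    and, unlike ciphertext, can serve as a stable database key. The real
    value exists only inside the vault; applications store only tokens.
    """

    def __init__(self):
        self._token_to_value = {}
        self._value_to_token = {}

    def tokenize(self, pan: str) -> str:
        if not pan.isdigit() or not 8 <= len(pan) <= 19:
            raise ValueError("expected an all-digit field of 8 to 19 characters")
        # One-to-one: the same value always yields the same token, so the
        # token can act as a foreign key across applications and data sets.
        if pan in self._value_to_token:
            return self._value_to_token[pan]
        while True:
            # Random surrogate digits for everything but the last four:
            # same length and format, but nothing derivable from the value.
            surrogate = "".join(secrets.choice(DIGITS) for _ in range(len(pan) - 4))
            token = surrogate + pan[-4:]
            # Never issue a token that collides with a stored value or token.
            if (token != pan and token not in self._value_to_token
                    and token not in self._token_to_value):
                break
        self._token_to_value[token] = pan
        self._value_to_token[pan] = token
        return token

    def detokenize(self, token: str) -> str:
        """Only the vault (and callers it authorises) can recover the value."""
        return self._token_to_value[token]


def masked(token: str) -> str:
    """What a user without need-to-know sees: only the preserved last four."""
    return "*" * (len(token) - 4) + token[-4:]
```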

Free fuzzing utility for Oracle database applications

Sentrigo announced FuzzOr, an open source fuzzing tool for Oracle databases designed to identify vulnerabilities found in software applications written in PL/SQL code. The new utility allows PL/SQL programmers, database administrators (DBAs) and security professionals to identify and repair vulnerabilities that may be exploited via SQL injection and buffer overflow attacks—the most common techniques used by malicious hackers to launch attacks on databases.

FuzzOr runs on Oracle database versions 8i and above to identify coding errors. A dynamic scanning tool, FuzzOr enables DBAs and security pros to test PL/SQL code inside Oracle stored program units. Once vulnerabilities are detected by FuzzOr, a programmer can then repair the PL/SQL code.

Download : https://www.sentrigo.com/register_for_fuzzor.htm

3/2/09

Ip Anonymous Web Surfing Tools 16in1

The following package will help you with anonymous web surfing. It is a collection of anonymous surfing programs, so they are all available in one place. So friends, maintain your online privacy and security by surfing the web anonymously, without leaving any trace. No need to search the internet for a fast proxy. Just download the file from rapidshare.

Ip Anonymous Surfing Tools 16in1
01 #1 Anonymous Proxy List Verifier 1.1
02 Anonimity 4 Proxy2.8
03 Charon 0.6
04 Get Anonymous 2.1
05 GhostSurf Platinum 2007
06 Hide ip Platinum 3.42
07 Hide The Ip 2.1.1
08 Invisible Browsing 5
09 IP Switcher Professional 1.01.12.0
10 MultiProxy v1.2
11 NetConceal Anonymity Shield 5.2.059.02
12 Proxy Switcher Standard 3.7.2.3913
13 Proxygrab 0.6
14 proxyway extra v3.2
15 SmartProxyHelper 1.5
16 Steganos Internet Anonym 2006 v8.0.1

All keys, cracks and patches are included. NO PASS. Size: 61 MB. Download Ip Anonymous Surfing Tools 16in1 here: http://rapidshare.com/files/106569928/IP_Anonymous_Surfing_Tool_16in1_.rar

Anonymous web surfing with Ultrasurf

If any of you are banned from a forum or other internet group, want to bypass the Rapidshare download limit, want to bypass a school firewall to access sites like Myspace.com or orkut.com, or simply want to surf the web anonymously without leaving any trace, then this post is for you. In this post, I describe a piece of software used to surf anonymously. The advantage of this software, "Ultrasurf", is that it automatically searches for free, fast public proxy servers; you just have to start the program. Once you have started it, your IP address is changed by Ultrasurf automatically.

So, if you are searching for fast proxy servers to assign to your browser, stop searching. Just download Ultrasurf and start surfing anonymously.

Ultrasurf is totally free software used to surf anonymously. It is better than any other anonymous browsing software. In fact, it searches for three fast proxy servers, assigns each a percentage (%) indicating the speed of the proxy server, and lets you choose any of the three.

Download Ultrasurf from UltraReach site or from here

How to Change JKS KeyStore Private Key Password

Use the following keytool command to change the key store password:
keytool -storepasswd -new [new password] -keystore [path to key stor...