Friday, January 12, 2007
Most important when securing a Windows system
No 1, make sure you have the latest security related patches installed
No 2, make sure you have strong passwords on all your password protectes services.
No 3, make sure you take down all unecessary running services, uninstall if possible
No 4, have a local firewall running on your system, don't be satisfied with a $99 dollars hardware router/firewall for protection. And if you have the skills, apply outgoing packet filters to, not just the inbound traffic.
Many home users have one or more computers behind their own firewalled ADSL, Fiber or whatever they might be using. To ensure that even more security, the systems that sits on your local area network (LAN) you might have to have access rules between your systems. For example, if one of your machines gets infected and tries to spread malicious code, your other systems might survive if there is not any trust between these systems. Like firewall rules, different subnets, access lists in the switch etc.
In the end, it is always up to us, the users and administrators of the system to do our best to protect our data. The computer only performs the task we have programmed them for.
Tuesday, January 09, 2007
Microsoft Updates for December 2006
Here is a list of the latest security related patches from Microsoft.
• | MS06-072 - addresses a vulnerability in Microsoft Internet Explorer (KB925454) |
• | MS06-073 - addresses a vulnerability in Microsoft Visual Studio (KB925674) |
• | MS06-074 - addresses a vulnerability in Microsoft Windows (KB926247) |
• | MS06-075 - addresses a vulnerability in Microsoft Windows (KB926255) |
• | MS06-076 - addresses a vulnerability in Microsoft Windows (KB923694) |
• | MS06-077 - addresses a vulnerability in Microsoft Windows (KB926121) |
• | MS06-078 - addresses a vulnerability in Microsoft Windows Media Player (KB923689 and KB925398) |
• | MS06-059 (re-release) - addresses a vulnerability in Microsoft Office (KB924164) |
Thursday, April 20, 2006
Macintosh. Half a million new users by the end of 2006?
Most likely these new buyers comes from the Microsoft Windows platform.
Of the 154.000 sold Macintosh computers the last quarter, 50% of the buyers are new customers. If these sales continues, Macintosh will have about 500.000 new users by the end of this year.
One theory to the increased sales of Macintosh computers, might be that users now can
use Windows, and Windows applications on the Macintosh computer. So those who hesitated
before, now "dares" to try the Macintosh hardware.
Wednesday, April 05, 2006
Password Best practices, Weakest Link?
My educated guess would be default passwords, or just weak or easy guessable passwords. At least if an intruder/hacker manages to break in to one system, with users privileges, he/she will have a smorgasbord of encrypted passwords to try and
break.
I am not the first one to report about the importance of using more complex passwords
for users, and administrators. A minimum of 8 characters, and it should be a mixture of alpha, numeric and special characters.
If an intruder manages to break in to a network, and get hold of a hash of encrypted passwords (pwdump Active Directory, or the shadow file on a Unix system), he/she will most likely try and brute force it, to get the cleartext passwords. So if one or two or three out of a hundred passwords is weak, < 8 characters, the operation to get the first cleartext password is just seconds or minutes away.
He/she can then most likely also re-use this password to get further into the network, as users and administrators tend to use the same password on many different
systems. An administrator might even have a user account with the same password for his admin account. This is something an intruder will try and figure out for sure.
So if you just add some extra strength to your passwords, and try to not re-use passwords, this little effort will enhance the overall security of your network a great deal.
Examples of strong passwords could be;
8 characters
WK.yr)29
C=DkW1LF
r1[PK1J[
12 characters
~0nf!I(Kch\1
20 characters
lVcvuy?R3nAOF%?dOf~u
If you need help storing all your passwords in a good and secure way. Try Password Safe. It's free, and it's a million times safer to store your passwords encrypted with Passwords Safe or equivalent, then on paper or using weak passwords.
Link to Password Safe 3.0
Password Safe runs on PCs under Windows (95/98/NT/2000/XP). An older (but fully functional) version is available for PocketPC. Linux/Unix clones that use the same database format have also been written (see Related Projects).
Wednesday, March 15, 2006
Secure deletion of files in windows, DoD method.
Chaos Shredder installs smoothly and is very easy to use. You just right click on any file or directory you want to delete, and Chaos Shredder overwrites the data according to DoD standards. DoD = Deparment of Defense.
Chaos Shredder is a free tool, and can be downloaded from here.
Tuesday, March 14, 2006
Microsoft Security Bulletin MS06-012
Vulnerabilities in Microsoft Office Could Allow Remote Code Execution (905413)
Microsoft has release it's latest Security Bulletin.Severeal remote code execution vulnerabilities has been reported and rated as critical.
The vulnerabilities affects;
Microsoft Office 2000 Service Pack 3
Microsoft Office XP Service Pack 3
Microsoft Office 2003 Service Pack 1 or Service Pack 2
Microsoft Works Suites
Microsoft Office X for Mac
Microsoft Excel 2004 for Mac
Read the complete Microsoft Bulletin here.
Tuesday, March 07, 2006
Vista Backdoor Rumours
Developers at MS dissmisses suggestions that Microsofts Vista should contain have a
backdoor feature. The purpose with the backdoor feature was supposedly to give the long arms of the
Police access to encrypted files, that others would have been very hard to access.
A Microsoft spokeswoman declared earlier this week.
"Windows Vista is engineered to be the most secure version of Windows yet". It is our goal to ensure enterprise users have full control over information on their PCs Microsoft has not and will not put 'backdoors' into Windows, its BitLocker feature, or any other Microsoft Products."
End Of File and Story
Technorati Tags: microsoft vista, rumours, backdoor, dissmissed, developer, spokeswoman, encryption
Del.icio.us Tags: microsoft vista, rumours, backdoor, dissmissed, developer, spokeswoman, encryption
Extreme Exploits Review
Editorial Reviews
Book Description
Protect your network and web sites from malicious attacks with help from this cutting-edge guide. Extreme Exploits is packed with never-before-published advanced security techniques and concise instructions that explain how to defend against devastating vulnerabilities in software and network infrastructure. This book will give a detailed analysis of modern threats and their solutions along with a checklist for developing defenses at the end of each chapter. You'll also be introduced to a winning methodology for custom vulnerability assessments including attack profiling and the theatre of war concept. Through in-depth explanations of underlying technologies, you'll learn to prepare your network and software from threats that don't yet exist. This is a must-have volume for anyone responsible for network security.
From the Back Cover
Protect your network and web sites from malicious attacks with help from this cutting-edge guide. Extreme Exploits is packed with never-before-published advanced security techniques and concise instructions that explain how to defend against devastating vulnerabilities in software and network infrastructure. This book gives you detailed analyses of modern threats and their solutions along with checklists for developing defenses. You’ll also be introduced to a winning methodology for custom vulnerability assessments including attack profiling and the theatre of war concept. Through in-depth explanations of underlying technologies, you’ll learn to prepare your network and software from threats that don’t yet exist. This is a must-have volume for anyone responsible for network security.
- Secure your critical domain name system (DNS) infrastructure
- Ensure reliable Internet connectivity amidst a myriad of attacks
- Implement effective intrusion detection and prevention technologies
- Prevent e-mail abuse using advanced filtering, encryption, and other methods
- Stop data theft and egress exploitation by altering packet filtering rules
- Defend against viruses, worms, bots, Trojans, and other malicious code
- Use IP sinkholes and backscatter analysis to trap and gain knowledge from scanning and infiltration attempts
- Secure wireless networks using a variety of technologies
- Create a customized vulnerability assessment methodology for your organization
- Use proven digital forensics techniques to investigate attacks
- Learn to protect your software from little-known vulnerabilities
About the Authors: Victor Oppleman is an accomplished author, speaker, and patent-holder in the field of network security and a specialized consultant to some of the world’s most admired companies. His open source software is used by thousands of engineers worldwide. Oliver Friedrichs is a Senior Manager in Symantec Security Response, the organization responsible for the delivery of anti-virus definitions, intrusion detection updates, and early warning technologies within Symantec. Mr. Friedrichs also co-founded SecurityFocus and Secure Networks. Brett Watson has 17 years experience in networks and security for some of the world’s largest Internet Service Providers and enterprise networks. He holds a patent for one of the first large-scale content distribution platforms known as Hopscotch.
Monday, March 06, 2006
Security and pen-test tool for windows users.
During my years working with IT security, I have used hundreds and hundreds of tools for penetration test and security scans. The tools and scripts have been of varying quality, and the small list I have made here, is some of the top of the line tools, according to me. This is just a fraction of all the tools out there.
Port Scanning tools
nmap (network mapping)
Processes, Files, Operating Systems, System Calls etc.
Sysinternals
Excellent tools for digging in your operating system. Monitor processes, network, files. Psmon, PsExec,
PsTools, SDelete, PsInfo, PsLoggedOn, RootkitRevealer v1.7, ShareEnum v1.6 and much more. A goldmine for IT security people. Want to know what a virus, trojan or worms moves are? Check out
http://www.sysinternals.com/ for tools.
Vulnerability scanner
NessusWX Nessus win32 client.
This is a good start. Remember, these are just tools, and you will have to know TCP/IP and how an operating system works, to get the full value out of the tools. Read the README files and documentation,
before you start.
Encrypting files, directories and hard drives.
Well, that should be easy to determine. All you computerized work equipment for starters.
PDA (Personal Data Assistant) Palm, Pocket PC, Treo, your smartphone, laptop and workstation. Even your USB memory, flash cards and other portable storage devices you use. Imagine losing your laptop and PDA at the airport. The agony of not knowing what vital information you just left exposed to anyone that gets hold of your devices. Encrypt your data, and you will at least eliminate everyone from accessing your files and data. Encryption does not represent 100% security for your files and information, but it will make many times harder, even for professional IT security experts to force. And amateurs, will most likely not care to try, it just to hard.
One free product that I like, is TrueCrypt.
TrueCrypt
has been around for some years, and it is free as in opensource on-the-fly encryption.
Provides two levels of plausible deniability, in case an adversary forces you to reveal the password:
1) Hidden volume (steganography – more information may be found here).
2) No TrueCrypt volume can be identified (volumes cannot be distinguished from random data).
Encryption algorithms: AES-256, Blowfish (448-bit key), CAST5, Serpent, Triple DES, and Twofish.
Mode of operation: LRW (CBC supported as legacy).
Tuesday, February 07, 2006
Possible Vulnerability in Microsoft Windows Service ACL
UPnP NetBT SCardSvr SSDP
Microsoft has investigated the PoC (prof of concept) and summarizes.
Users who run Windows XP Service Pack 1 and Windows Server 2003 Gold may be at risk, but the risk to Windows Server 2003 users is reduced.
Recommendation: Review the suggested actions and configure services ACLs as appropriate. Install Windows XP Service Pack 2, Windows Server 2003 Service Pack 1 to help protect against this vulnerability.
Access rights of concern.
The FILE_ALL_ACCESS privilege allows a user to completely control a file, including read, write and execute privileges.
The FILE_APPEND_DATA privilege allows a user to add data to a file.
The FILE_WRITE_DATA privilege allows a user to write and rewrite data to a file.
Registry key permissions of concern.
Registry Keys
Users with WRITE_DAC or KEY_SET_VALUE permissions can modify registry keys that specify executables, DLLs, and/or Globally Unique Identifiers (GUIDs).
The WRITE_DAC privilege allows a user to change permissions on an object, potentially granting themselves further permissions.
Microsoft Security Advisory
Stick around, this could get interesting.
Mozilla Firefox 1.5.0 exploit code
is out. QueryInterface() Remote Code Execution has been released as a part of the metasploit framework, so update to Firefox 1.5.0.1 now! Check out Ghostzilla too.
The invisible browser. Built on Mozilla, and it has the ability to blend with other applications, such as Microsoft Word, and Internet Explorer.
Ghostzilla
You can even get hold of the source code, so If your a hardcore browser geek, compile
it from scratch! :-)
Better to be surfing safe than having a "owned" machine.
Friday, February 03, 2006
Highly Critical Mozilla Firefox vulnerabilities, Upgrade now!
7 more vulnerabilities found in Mozilla Firefox 1.5. If your Firefox has not automatically updated to version 1.5.0.1, you should upgrade manually. Firefox 1.5.0.1
Possible Impact
Security Bypass
Cross Site Scripting
Exposure of system information
Exposure of sensitive information
System access From remote
Fixed in Firefox 1.5.0.1
MFSA 2006-08 "AnyName" entrainment and access control hazard
MFSA 2006-07 Read beyond buffer while parsing XML
MFSA 2006-06 Integer overflows in E4X, SVG and Canvas
MFSA 2006-05 Localstore.rdf XML injection through XULDocument.persist()
MFSA 2006-04 Memory corruption via QueryInterface on Location, Navigator objects
MFSA 2006-03 Long document title causes startup denial of Service
MFSA 2006-02 Changing postion:relative to static corrupts memory
MFSA 2006-01 JavaScript garbage-collection hazards
List of known vulnerabilities in Mozilla products
Technorati Tags:
firefox 1.5.0, firefox 1.5.0.1, vulnerability, upgrade, mozilla, Integer overflows, Localstore.rdf XML injection through XULDocument.persist(), Memory corruption via QueryInterface on Location, Navigator objects, JavaScript garbage-collection hazards
Wednesday, February 01, 2006
Nmap 4.0 released. Review here.
Nmap, one of the most popular, and best (my opinion) Network Mappers has reached version 4 today. Nmap is a free Network Mapper and has a range of nice pen-test features. Both as a traditional command line tool $ nmap -v -A target_host, and with a GUI (Graphical User Interface). I came in contact with nmap back in 1999, version 2.x something, and it's has been my companion ever since.
Nmap is perfect if you want to make certain what ports you are exposing, and what
services that are running. I always use nmap to make a last check before I plug a new
machine online. This is good common practice, even if you are only going online with your home office machine.
Installation example from a Linux box.
[user@mimir INCOMING]$ tar -zxvf nmap-4.00.tgz
(Extract the compressed tarball, the *.tgz is
gzip and tar:ed, so you will need the Z before gz, or gunzip the tarball first and the use # tar -xvf
to extract all the files.
Next step is to cd (change directory ) into the source dir of nmap.
[user@mimir INCOMING]$ cd nmap-4.00
[user@mimir INCOMING]$ ./configure (Run the configure script, using the default options first)
You will see a great deal of output echo:ed to your terminal.
If all goes well, you should be ready to compile nmap.
checking for pkg-config... /usr/bin/pkg-config
checking for GTK+ - version >= 2.0.0... yes (version 2.4.13)
checking build system type... i686-pc-linux-gnu
checking host system type... i686-pc-linux-gnu
configure: creating ./config.status
config.status: creating Makefile
[user@mimir INCOMING]$ make (make command to compile the source into executable binaries)
This can take some time, depending on your computers resources, but on 1 GHz with 512 RAM, about 3-4 minutes top.
If you want nmap to be installed in /usr/local/bin you will need root privileges.
If that is the case (congrats) you just type # make install as user root. ( su - command to switch to user root)
Here is sample output from an nmap scan of localhost (127.0.0.1) the loopback interface.
[user@mimir INCOMING]$ ./nmap -v -sT localhost
Starting Nmap 4.00 ( http://www.insecure.org/nmap/ ) at 2006-02-01 20:44 CET
Machine 127.0.0.1 MIGHT actually be listening on probe port 80
DNS resolution of 0 IPs took 0.00s. Mode: Async [#: 1, OK: 0, NX: 0, DR: 0, SF: 0, TR: 0, CN: 0]
Initiating Connect() Scan against localhost.localdomain (127.0.0.1) [1672 ports] at 20:44
Discovered open port 443/tcp on 127.0.0.1
Discovered open port 21/tcp on 127.0.0.1
Discovered open port 80/tcp on 127.0.0.1
Discovered open port 3306/tcp on 127.0.0.1
The Connect() Scan took 0.46s to scan 1672 total ports.
Host localhost.localdomain (127.0.0.1) appears to be up ... good.
Interesting ports on localhost.localdomain (127.0.0.1):
(The 1667 ports scanned but not shown below are in state: closed)
PORT STATE SERVICE
21/tcp open ftp
80/tcp open http
443/tcp open https
3306/tcp open mysql
Nmap finished: 1 IP address (1 host up) scanned in 0.949 seconds
Remember!, Nmap is a powerful tool, and should be used with care. I have seen hosts ( I will not mention what OS) that has taken a nose dive, after being scanned by nmap. (This is of course not the purpose of nmap, but it could happen). So don't go off scanning a production environment before
you know for sure what will happen on the scanned hosts.
Ok, may nmap force be with you!
One final note. If you have seen Matrix 2, reloaded, you have seen nmap in action. Trinity used it to target some host in the movie.
Nmap is free and open source and source code for *nix, Windows and MacOS is available.
Download Nmap here
Technorati Tags:
nmap, network mapper, scan, port, tcp, udp, stealth, fyodor, insecure.org
http://nordstrommarna.mine.nu/article.php/nmap_version_4_review
Online pen-test tools. How secure are your clients/servers
Online pen-test tools
traceroute - print the route packets take to network host
Uses the IP protocol time to live field and attempts to elicit an ICMP TIME_EXCEEDED response from each gateway along the path to some host.
(shows all the routers hops between host A to B. Useful for problemshooting network
problems, mapping network infrastructure etc.. On Unix/Linux systems you can use traceroute with the -I flag, which is an ICMP flag. Traceroute uses UDP packets by default. As UDP (User Datagram Protocol)is a stateless protocol, and with low priority for routing protocols. This means that the if the load between
two networks are heavy, the routers will drop the traceroute UDP packets with ease.
[salt@mimir ~]$ /usr/sbin/traceroute -I host_to_traceroute Version 1.4a12
Usage: traceroute [-dFInrvx] [-g gateway] [-i iface] [-f first_ttl]
[-m max_ttl] [ -p port] [-q nqueries] [-s src_addr] [-t tos]
[-w waittime] [-z pausemsecs] host [packetlen]
Online Traceroute can be found here
Online Perimeter and Content Scanning
Linux Sec Dot Net.
Lots of online tools, Use with care, abuse is and will not be tolerated.
Online port scanners, nessus scanners, dns scanners, apache scanners, firewall testers, open relay tests,
virus scanners and much more..
Technorati Tags:
traceroute, TIME_EXCEEDED, udp, icmp, tcp, elicit, ip, protocol, network, hops, router,
Technorati Tags:
online, pen-test, tools
http://nordstrommarna.mine.nu/article.php/online_pen-test_tools_2006_02_01
Tuesday, January 31, 2006
Blackworm CM-24. File deletion has begun according to F-Secure
(Disgruntled former co-worker?)
So dig out the blackworms before Februari 3, and keep your files intact. Most of the leading anti-virus software (updated ones) can clean this worm out or/and check out bitdefenders removal tools. Removal Tools
Technorati Tags:
Blackworm, Nyxem, Nyxem.A, Overwrite, DDoS
Winamp, Extremely Critical Vulnerability Reported
If you have Winamp version 5 or lower, (Check the splash screen or about in on the players menu) you should really consider an upgrade immediately.
Secunia reports a Winamp Computer Name Handling Buffer Overflow Vulnerability.
Secunia
As the exploit (the code hackers use to attack systems) is out in the wild, and
is most likely being used as you read this. So upgrade now to version 5.13, if you don't want
any unwanted guests on your PC.
Winamp 5.13 Here
Go go go!
Specially crafted play list on malicious website might use this code to gain access/comprimise users systems.
Technorati Tags:
secunia, winamp, vulnerability, upgrade, exploit, remote access, 5.13,