Wednesday, February 27, 2008

Programs Incompatible with Vista SP1

Microsoft Releases List of Programs that Won't Work with Vista SP1
Microsoft Corp. today released a list of known programs that experience some sort of "loss of functionality" with Windows Vista SP1.

As of press time, the products are:


Blocked from Starting

Do Not Run

Loss of Functionality


As Vista SP1 was released to manufacturing and IT professionals this month, the list may grow -- especially after the update goes live for consumers in March.

TROJAN VIRUS now targeting PDA

McAfee: Trojan targets Windows Mobile by ZDNet's Larry Dignan

McAfee has unearthed a Windows Mobile PocketPC Trojan that disables security, installs via a memory card, can’t be uninstalled and makes itself your home page.

According to McAfee’s Avert Labs blog, the Trojan has been discovered in China. Here’s how it works according to researcher Jimmy Shah:

WinCE/InfoJack sends the infected device’s serial number, operating system and other information to the author of the Trojan. It also leaves the infected mobile device vulnerable by allowing silent installation of malware. The Trojan modifies the infected device’s security setting to allow unsigned applications to be installed without a warning.

The Trojan was packed inside a number of legitimate installation files and distributed widely. It has been distributed with Google Maps, applications for stock trading, and a collection of games.

Considering the penetration of mobile devices in Asia this malware could raise quite a ruckus.

Shah reckons that WinCE/InfoJack was created by a web site that may have hired a hacker to create the malware and then distribute it. The Trojan installs as an autorun program on the memory card, installs itself when that memory card is inserted and can’t be deleted. It also becomes your home page.

Tuesday, February 26, 2008

Firekeeper

Turn Firefox into an Intrusion Detection System

Firekeeper is an Intrusion Detection and Prevention System for Firefox. It is able to detect, block and warn the user about malicious sites. Firekeeper uses flexible rules, similar to Snort's, to describe browser-based attack attempts. Rules can also be used to effectively filter different kinds of unwanted content. Features of Firekeeper include:
  • Ability to scan HTTP(S) request URL, response headers and body, and to cancel processing of suspicious requests

  • Encrypted and compressed responses are scanned after decryption/decompression

  • Privacy friendly - no data is sent to external servers; all scanning is done on the local computer

  • Very fast pattern matching algorithm (taken directly from Snort).

  • Interactive, verbose alerts that give an ability to choose a response to detected attack attempt.

  • A detailed view of suspicious response headers and body

  • Event logging

  • Ability to use any number of files with rules and to automatically load files from remote locations

Download the newest Firekeeper release. Note: This is an alpha release whose main purpose is to get feedback from users about Firekeeper's functionality and to test whether Firekeeper works well on various systems.

After installing, visit a page with some tests; Firekeeper should display an alert for every link on that page.
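As an added illustration (not code from the Firekeeper project), the following Python sketches the kind of rule-driven scan the feature list above describes: a Snort-style rule format with url_content, header_content and body_content options, scanning of the request URL, response headers and body, decompression of gzip bodies before matching, and an alert/block decision. The rule syntax, the sample rules, the host name and the sample response are all constructed for this example and are not Firekeeper's actual grammar or rule set; plain substring search stands in for Snort's pattern matcher.

```python
import gzip
import re
from dataclasses import dataclass
from typing import Dict, List

# Rule format (constructed for this example, modelled loosely on Snort option
# syntax; it is NOT Firekeeper's real grammar):
#   <action>(msg:"text"; url_content:"pat"; header_content:"pat"; body_content:"pat";)
# action is "alert" (warn the user) or "block" (cancel the request). Every
# pattern present in a rule must match; matching is case-insensitive substring
# search, not Snort's optimised multi-pattern matcher.
_RULE_RE = re.compile(r'^\s*(alert|block)\s*\((.*)\)\s*$')
_OPT_RE = re.compile(r'(\w+)\s*:\s*"((?:[^"\\]|\\.)*)"\s*;')


@dataclass
class Rule:
    action: str
    msg: str
    patterns: Dict[str, bytes]  # "url" | "header" | "body" -> lowercased pattern


def parse_rule(line: str) -> Rule:
    m = _RULE_RE.match(line)
    if not m:
        raise ValueError(f"bad rule: {line!r}")
    action, msg, patterns = m.group(1), "", {}
    for key, val in _OPT_RE.findall(m.group(2)):
        val = val.replace('\\"', '"')
        if key == "msg":
            msg = val
        elif key in ("url_content", "header_content", "body_content"):
            patterns[key[: -len("_content")]] = val.lower().encode()
        else:
            raise ValueError(f"unknown rule option {key!r}")
    if not patterns:
        raise ValueError("rule has no content pattern")
    return Rule(action, msg, patterns)


@dataclass
class HttpExchange:
    url: str
    headers: Dict[str, str]   # response headers
    body: bytes               # response body as received (possibly gzip-compressed)


def decoded_body(x: HttpExchange) -> bytes:
    """Scan the body after decompression, as the Firekeeper feature list describes."""
    hdrs = {k.lower(): v.lower() for k, v in x.headers.items()}
    if "gzip" in hdrs.get("content-encoding", ""):
        try:
            return gzip.decompress(x.body)
        except (OSError, EOFError):
            return x.body   # corrupt encoding: scan the raw bytes rather than skip them
    return x.body


def scan(x: HttpExchange, rules: List[Rule]) -> List[Rule]:
    """Return every rule whose patterns all match the request URL, headers or body."""
    views = {
        "url": x.url.lower().encode(),
        "header": "\r\n".join(f"{k}: {v}" for k, v in x.headers.items()).lower().encode(),
        "body": decoded_body(x).lower(),
    }
    return [r for r in rules if all(p in views[f] for f, p in r.patterns.items())]


def decide(x: HttpExchange, rules: List[Rule]) -> str:
    """'block' if any block rule fired, 'alert' if only alert rules did, else 'allow'."""
    hits = scan(x, rules)
    if any(r.action == "block" for r in hits):
        return "block"
    return "alert" if hits else "allow"


# Constructed sample rules.
SAMPLE_RULES = [parse_rule(r) for r in (
    'alert(msg:"Script tag in request URL"; url_content:"<script";)',
    'block(msg:"Obfuscated script in HTML body"; header_content:"content-type: text/html"; body_content:"eval(unescape(";)',
)]


def demo() -> str:
    """A gzip-compressed HTML response carrying the obfuscation marker (constructed)."""
    page = b'<html><script>eval(unescape("%61%6c%65%72%74"))</script></html>'
    x = HttpExchange(
        url="http://example.test/index.html",
        headers={"Content-Type": "text/html", "Content-Encoding": "gzip"},
        body=gzip.compress(page),
    )
    return decide(x, SAMPLE_RULES)   # "block"


if __name__ == "__main__":
    print(demo())
```

The decompression step is the part worth noticing: a scanner that only looked at the raw response bytes would miss the marker entirely, because the compressed form contains none of the plaintext.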

Sunday, February 24, 2008

DB2 Security

DB2 security best practices

With the escalating number of publicized system security breaches, administrators must constantly be on the lookout for security holes in their systems so that their company does not become the next public embarrassment. Security is a large topic, and can be applied at various levels in a system architecture. Today my post will be focusing on twelve security best practices that database administrators (DBAs) and developers can follow to ensure the highest level of security in DB2® for Linux®, UNIX®, and Windows®. These practices should complement other proactive security measures being applied at the other system levels.

A number of reports detailing wide-ranging system security breaches have been at the forefront of the news in the past couple of years. Typically, sensitive personal data such as Social Security Numbers (SSNs), credit card numbers, and bank account numbers are stolen from insecure systems, resulting in identity theft, financial fraud, or other unauthorized use of the information. As a result, system administrators must constantly be monitoring their systems and ensuring appropriate security precautions are taken.

Security can be applied at different levels of a system architecture. For example, a firewall might be installed to prevent unauthorized server access from outside of the network. A secure network protocol technology such as IPSec might be used to secure the communication channel between computers on a network. A strict password policy might be put in effect that requires users to select a strong password and change it on a frequent basis. Database-level security measures including authentication and authorization might also be used to enhance application security.

In this post, twelve security best practices for DB2 for Linux, UNIX, and Windows are mentioned. They focus specifically on elements that can be controlled from a database administration and programming standpoint, and do not include other security technologies or policies that might also be applicable on a wider system scale. The best practices are not listed in any particular order, but rather, all of them are equally important, as they all contribute toward the overall security level of your DB2 data server.

  1. Revoke implicit authorities and privileges from PUBLIC

  2. Use explicit values for the SYSxxx_GROUP parameters

  3. Track implicit privileges

  4. Do not grant unnecessary privileges

  5. Use an encrypted AUTHENTICATION mode

  6. Use orphan IDs to create and own objects

  7. Use views to control data access

  8. Use stored procedures to control data access

  9. Use LBAC to control data access

  10. Prevent SQL injection in applications

  11. Apply the latest DB2 fix packs

  12. Perform random security audits

If you would like to read in detail about each of the best practices mentioned above, please visit: DB2 Database Security

Friday, February 22, 2008

Facebook Vulnerability

Exploitation of the Facebook ImageUploader Vulnerability

As seems to be the trend lately, anytime a vulnerability is disclosed in an ActiveX control, it is only a short time before it is bundled into the Web attack toolkits. For this Facebook vulnerability, it was less than a day from the vulnerability being disclosed on February 12th.

So far, the exploits that have shown up are encoded versions of the public exploit, bundled with an exploit for Yahoo Jukebox and several other routinely exploitable vulnerabilities.

Oddly enough, this Facebook exploit kit is being served from a MySpace phishing site, though unsurprisingly, hosted on a numbered .cn domain. Detections for this attack will be as “Facebook Photo Uploader 'ImageUploader4.1.ocx' FileMask Method ActiveX Buffer Overflow Vulnerability” for NAV/NIS 2008 products. Since this attack toolkit includes several other exploits, detection may also fall under the individual exploits depending on the vulnerable products installed.

Other products will detect this attack as Downloader.Trojan.

Thursday, February 21, 2008

EXPLOIT-Me

Another Excellent Firefox Plugin..

Exploit-Me is a Firefox plugin developed to ease penetration testing via the web browser. Exploit-Me is currently developed to exploit two types of web application vulnerabilities: SQL injection and XSS.

For more information about download links, please visit this page.

Other related reviews:
Yamwool’s, (IT)gossips’s, derossi’s.

unix-privesc-check

Unix Misconfigurations Checker

Unix-privesc-checker is a script that runs on Unix systems (tested on Solaris 9, HPUX 11, various Linuxes, FreeBSD 6.2). It tries to find misconfigurations that could allow local unprivileged users to escalate privileges to other users or to access local apps (e.g. databases).

It is written as a single shell script so it can be easily uploaded and run (as opposed to un-tarred, compiled and installed). It can run either as a normal user or as root (obviously it does a better job when running as root because it can read more files).


Download

unix-privesc-check v1.0 can be downloaded here.

Usage

The download is gzip'd, so gunzip it. Upload it to the server you're auditing / pentesting then just run it:

$ ./unix-privesc-checker > output.txt

The output's a bit messy (it's hard to be neat with shell scripts), so you're probably best to save the output and search it for the word 'WARNING'. If you don't see the word 'WARNING' then the script didn't find anything.

Example:

$ ./unix-privesc-check


Intended Usage?

It's intended to be run by security auditors and penetration testers against systems they have been engaged to assess, and also by system administrators who want to check for "obvious" misconfigurations. It can even be run as a cron job so you can check regularly for misconfigurations that might be introduced.

I wanted to write something that was at least partially useful to penetration testers when they gained access to a low-privilege account and wanted to escalate privileges. There are lots of things that pentesters will check in this situation and one of the most tedious to check is weak file permissions - this is often one of the most fruitful, though, so there's no avoiding it.

Disclaimer

Running this script alone isn't a substitute for proper audit (e.g. following one of the NSA's excellent configuration guides). There are lots of possibilities for escalation that are just too hard to audit using a script. This script is intended to be a shortcut, not a replacement for a proper audit.
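To show the class of checks a script like this performs, here is an added Python example (not the unix-privesc-check script itself, which is a shell script) that audits a directory tree and the PATH for world-writable files, world-writable directories without the sticky bit, and setuid/setgid programs that group members or others can modify, emitting the same 'WARNING' lines you would search the output for. The tree audited in demo() is constructed in a temporary directory, and the function names are this example's own.

```python
import os
import stat
import tempfile
from typing import List


def check_mode(path: str, mode: int) -> List[str]:
    """WARNING lines for one inode, given its st_mode. Kept free of filesystem
    access so the rules can be exercised on synthetic modes."""
    warnings: List[str] = []
    world_w = bool(mode & stat.S_IWOTH)
    group_w = bool(mode & stat.S_IWGRP)
    if stat.S_ISDIR(mode):
        # A world-writable directory is only acceptable with the sticky bit (like /tmp).
        if world_w and not mode & stat.S_ISVTX:
            warnings.append(f"WARNING: directory {path} is world-writable without the sticky bit")
    elif stat.S_ISREG(mode):
        if world_w:
            warnings.append(f"WARNING: file {path} is world-writable (mode {stat.S_IMODE(mode):04o})")
        # A setuid/setgid program that others can modify runs their code as its owner/group.
        if mode & (stat.S_ISUID | stat.S_ISGID) and (world_w or group_w):
            warnings.append(f"WARNING: setuid/setgid file {path} is writable by group or others")
    return warnings


def audit_tree(root: str) -> List[str]:
    """Walk a directory tree and collect WARNING lines; symlinks are skipped
    because their own mode bits are meaningless (the target is checked in place)."""
    out: List[str] = []
    for dirpath, dirnames, filenames in os.walk(root):
        for name in dirnames + filenames:
            full = os.path.join(dirpath, name)
            try:
                st = os.lstat(full)
            except OSError as exc:
                out.append(f"INFO: cannot stat {full}: {exc}")
                continue
            if not stat.S_ISLNK(st.st_mode):
                out.extend(check_mode(full, st.st_mode))
    return out


def audit_path(path_env: str) -> List[str]:
    """Directories on PATH that others can write to let them plant binaries
    that every user of that PATH will execute."""
    out: List[str] = []
    for d in filter(None, path_env.split(os.pathsep)):
        try:
            out.extend(check_mode(d, os.stat(d).st_mode))
        except OSError:
            out.append(f"INFO: PATH entry {d} does not exist")
    return out


def demo() -> List[str]:
    """Build a throwaway tree (constructed) with one world-writable file and audit it."""
    with tempfile.TemporaryDirectory() as root:
        bindir = os.path.join(root, "bin")
        bad = os.path.join(bindir, "helper.sh")
        good = os.path.join(bindir, "fine.sh")
        os.mkdir(bindir)
        os.chmod(bindir, 0o755)          # explicit, so the result does not depend on umask
        for p in (bad, good):
            with open(p, "w") as fh:
                fh.write("#!/bin/sh\necho hi\n")
        os.chmod(bad, 0o666)
        os.chmod(good, 0o755)
        return [w.replace(root, "<root>") for w in audit_tree(root)]


if __name__ == "__main__":
    for line in demo() + audit_path(os.environ.get("PATH", "")):
        print(line)
```

Running it as root changes nothing in the rules but lets lstat() succeed on directories an unprivileged user cannot enter, which is why the original script also reports more when run as root.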

Tuesday, February 19, 2008

New Form Of Nigerian Scam

Watch Out For New Form Of Nigerian Scam targeting Yahoo! Email Ids..


I have a Yahoo email id which I really don't use much. I haven't given my id to anyone, nor have I used that id at any specific websites for memberships or account registrations. Still, I get loads of spam, scams and phishing emails all the time. I received an email which is very interesting and worth mentioning...

This particular email is similar to Nigerian Scam.

Subject Line States: CONGRATULATIONS YOUR E MAIL ID HAS WON $500,000.00 US DOLLARS FROM YAHOO!!!!

It asks users to send the following personal information to mr_brown_jude at ko.ro.

Personal Information

1. Full name
2. Country
3. Contact Address
4. Telephone Number
5. Marital Status
6. Occupation
7. Age
8. Sex
9. Religion
10. Lucky e mail
11. Amount Won

Please be very careful and use a little bit of common sense. Yahoo! is not so generous that they will give you $5000,000.00 through email.

Monday, February 18, 2008

Things To Know About Security

Worth-Watching Video

What Every Engineer Needs to Know About Security and Where to Learn It.


Threat Modeling

What is Threat Modeling?

Threat modeling is a procedure for optimizing network security by identifying objectives and vulnerabilities, and then defining countermeasures to prevent, or mitigate the effects of, threats to the system. In this context, a threat is a potential or actual adverse event that may be malicious (such as a denial-of-service attack) or incidental (such as the failure of a storage device), and that can compromise the assets of an enterprise.

The key to threat modeling is to determine where the most effort should be applied to keep a system secure. This is a variable that changes as new factors develop and become known, applications are added, removed, or upgraded, and user requirements evolve. Threat modeling is an iterative process that consists of defining enterprise assets, identifying what each application does with respect to these assets, creating a security profile for each application, identifying potential threats, prioritizing potential threats, and documenting adverse events and the actions taken in each case.

Thursday, February 14, 2008

Personal Computer Security

Data Protection - Essential Downloads To Protect Personal Data ....

I was reading Steve Riley's Blog. He has posted a well written article about supporting your family, friends and neighbours. I totally agree with him: as soon as some of your neighbours come to know that you are computer savvy, you will get a support call, free of charge.

Following on from his post, I would like to mention other security products which you can use for yourself, friends, family and neighbours.

With "CyberFraud" ever increasing, everyone should re-assess how seriously we take data security on a personal level. Here are some essential downloads that can help.

First, ensure your PC is protected by a decent firewall.

Comodo Firewall Pro is free and consistently ends up towards the top of the tree in independent testing. It's unobtrusive as far as system resource impact is concerned, uses a host intrusion-prevention system to prevent malware from installing, and it also runs on both 32- and 64-bit versions of Vista. You will get the automatic updates, rootkit and real-time traffic protection you would expect from a full enterprise-level firewall but at a price you most certainly wouldn't.

Equally as important is spyware protection.

Spybot Search & Destroy 1.5, which is finally fully compatible with both Vista and Firefox, comes to the rescue. While the interface is in need of modernisation, we can't knock the performance. It helps prevent spyware and adware getting onto your system in the first place, and if you install it on an already infected PC, it works wonders in getting it clean.

Unfortunately, the installation of computer-compromising and data-stealing trojans is the most common kind of infection you will pick up when link clicking, downloading and practising unsafe surfing.

McAfee SiteAdvisor is another free download for Firefox and IE, and it leaves other antiphishing toolbars in the shade by being both unobtrusive and informative. Perform a Google search and it uses traffic-light ticks to warn of the status of a link before you visit: hover over the tick and a balloon appears with more detail; click the balloon to visit the McAfee site for the comprehensive analysis of dangers such as spam email delivery, infected downloads and dodgy affiliate links. The same traffic-light principle is applied within the browser itself whenever you visit a site.

When it comes to data privacy, there are plenty of reasons why you might want to remain anonymous while browsing the web, and the truly paranoid will want to leave as minimal a click-trail as possible.

Anonymizer does as good a job as any proxy server we have seen. It hides your IP address by redirecting your web traffic through Anonymizer's 128-bit SSL secure servers, so the websites you visit see its generic IP address rather than yours. An integrated antiphishing early-warning tool helps protect you from scams, and the latest Anonymizer works with Vista, too.

Ultimately, if you want to protect your personal data, there is one technology you simply have to use: data encryption. Your options here are as varied as they are baffling, but when it comes to value and ease of use, few compare to the open-source hero TrueCrypt.

The latest version is 32- and 64-bit Vista friendly, as well as being able to write data to removable USB drives and MP3 players. It can encrypt your data at the individual file level or the entire hard drive, using 448-bit keys (Blowfish), 256-bit keys (AES, Serpent, Triple DES and Twofish), as well as 128-bit keys (CAST5). It can create a virtual encrypted disk within a file, which can then be mounted as a real disk, and will happily create a fully hidden volume. It's easy to use thanks to the Windows GUI, will run on Linux, and provides a much more secure environment for your data than, say, a CD in the post.

Most Influential Security Folks

Check This Out.....

Debating the most influential security folks list by ZDNet's Larry Dignan -- Ryan Naraine has cooked up a list of the most influential people in security. Here’s the list packaged in a slideshow, which is annoyingly set on fast forward. For instance, I viewed two slides, went to bathroom and by time came back the gallery was over (and I really had to go). Tavis Ormandy, Google Security Team’ Ivan [...]

Tuesday, February 12, 2008

Understanding Third-Party Vendor In PCI Compliance

Recognizing the value of outside assistance in achieving PCI Compliance

While some companies do elect to develop, deploy, assess and penetration test a compliance strategy on their own, others find that there are certain advantages to using a third-party vendor for these activities. For some organizations, an outside vendor can provide external validation that the appropriate processes and policies are in place; this validation can provide reassurance to customers, partners, shareholders and card issuers. A third-party vendor can also provide an objective analysis of your current compliance status, along with recommendations for closing any gaps.

When compliance validation activities are executed in house, company officials become fully liable for any omissions or errors. Using a third-party vendor can shift the risk away from corporate management. Companies can conduct their own penetration testing if they prefer. Quarterly external network scans are required for the majority of merchants and service providers, and these scans must be performed by an approved third-party assessor. When companies reach a certain threshold of payment card transactions, a certified PCI assessor must be used to validate PCI compliance. The PCI Security Standards Council manages a Qualified Security Assessor (QSA) program, ensuring that assessors are fully certified to conduct PCI assessments.

Selecting a Third-Party Vendor:

Allowing a third-party assessor to sift through your data can be a scary proposition, so it's important to choose a trusted, experienced, certified provider that understands the PCI standard in relation to your industry. The ability to handle all phases of your PCI compliance validation, from pre-assessment through report on compliance (ROC) submission, is key. Your vendor should be willing to offer you multiple alternatives for achieving the same level of protection and should provide you with a detailed roadmap in each case. The assessor's core competency should extend beyond compliance services to addressing your overall security posture and providing recommendations for securing your infrastructure. The services provided should be clearly delineated, particularly if the contract spans multiple years.

As you proceed through the selection process, you should ask yourself these questions:

  • What am I getting for my investment? Do I receive simply the output of a scan, or do I benefit from the vendor's security expertise?

  • How customized is the assessment that this vendor offers me?

  • Is my vendor fully certified to perform all phases of the PCI compliance validation?

  • Has this vendor fully explained the timeline involved in the process? From pre-assessment through ROC submission, the process can take from 9 - 18 months; am I prepared for that?

In short, you want a trusted security adviser that can be your advocate to your acquirer bank and payment card companies.

Monday, February 11, 2008

Understanding the Challenges Of Becoming PCI Compliant

Beware of obstacles on the road to PCI Compliance....

While the PCI standards are simply worded and provide a good foundation for your governance and risk management strategy, you should be aware of a number of factors that can complicate the road to compliance.

For example, each payment card company, while adhering to a core set of standards, has its own particularities in terms of its exact requirements and enforcement mechanisms. These factors must be taken into account as you design your strategy.

To be prepared for the compliance assessment, you must have a certain number of checkpoints in place. You must also be able to demonstrate that you are not keeping data that the PCI standard specifies you are not entitled to keep. For example, full-track data from the card's magnetic stripe or the card validation number (CVC, CVV2, CID) must never be retained.

The requirement to remove data that should not be retained also means wiping inappropriate data from all areas of the data stream. In the United States, using a U.S. Department of Defense approved wiping process satisfies this requirement, while in other portions of the world, either the U.S. or European Privacy Act wiping process is required. These data stream areas include databases, backup files, transaction logs, application logs, device logs, error logs and reports, network sniffers, and core and memory dumps used for diagnostic purposes.

Avoiding common errors

It can be helpful to know that certain errors are routinely identified in compliance assessments, including the following:

  • Storage of prohibited cardholder data

  • Use of production cardholder data in test environments

  • Failure to encrypt the full payment card number

  • Lack of network segmentation system that isolates the transaction environment

  • Lack of segregation of internal staff duties

  • Failure to label cardholder media as confidential

Friday, February 8, 2008

Profiting From PCI Compliance

The six categories of PCI best practices

Taken together, the six areas of data protection prescribed by the PCI standard help you build a comprehensive approach to overall security. They address security concerns from network protection to security governance policies.

1) Build and maintain a secure network.
Create a firewall to secure cardholder data.
Go beyond vendor defaults for passwords and other security parameters.

2) Protect cardholder data.
Protect stored data.
Encrypt data transmission.

3) Maintain a vulnerability management program.
Employ and update anti-virus software.
Develop and maintain application security.

4) Implement strong access control measures.
Restrict access to cardholder data on a need-to-know basis.
Assign a unique ID to each authorized user.
Restrict physical access to cardholder data.

5) Regularly monitor and test networks.
Track and monitor access to network resources and data.
Regularly test security systems and processes.

6) Maintain an information security policy.
Develop and maintain policy-based security protocols.

While the PCI standard might seem like another snarl of red tape to companies already burdened with financial services industry regulations such as International Organization for Standardization (ISO) / International Electrotechnical Commission (IEC) 27002 and the Sarbanes-Oxley Act, the standard can actually simplify your job enormously. It is so comprehensive and well designed that it can be seen as a compliance enabler for a broad set of industry regulations. And because privacy is a core concern for almost all businesses, PCI standard compliance supports your bottom line.


In fact, the PCI standard can become the central principle around which your overall governance and risk management strategy is organized. By adopting the PCI standard as a best practice and aligning its security measures with your business processes, you will likely see significant gains in efficiency and data security.

Wednesday, February 6, 2008

VISTA Printing Problems

Not Security Related ....

I have been getting a lot of requests from my friends for help with printing issues under Windows Vista. Practically every solution so far has involved sticking the older printer in a skip and getting a new one, so fed up have people become of trying to get their old printers up and running.

My recent experience at home has been that if the printer doesn't work with updated files from the manufacturer's website - and let's be honest, many don't - then you are left with a fairly simple choice: buy a new printer, or return to Windows XP.

Don't try to install XP drivers under Vista in the hope they might work. They don't. People have had plenty of trouble upgrading to Vista from a working XP installation, never mind trying to add a bit of XP where it isn't wanted. While some XP programs can be installed and successfully run, printer drivers don't seem to fall into this category.

You end up with a shed load of spooler subsystems app errors and are then reduced to either a total wipe and reinstall of the OS, or a fun time trawling the Registry trying to locate and delete all references to the badly behaving drivers. That's actually not so bad, but only if you know precisely which ones are causing the problem in the first place.

If you really are totally stuck with this printer issue, you could download and install Microsoft Virtual PC 2007 on a Vista system (it has to be Business, Enterprise or Ultimate Edition), install XP and run the printer from there. A bit of a pain, but a workable solution. Or buy a Vista compatible printer :)

Monday, February 4, 2008

Online Fraud Detection

Architectural Options for Integrating Fraud Detection

"By 2009, at least 50% of online fraud detection engines will be integrated directly into Web application servers (0.7) probability." Gartner


Enterprises can choose among three architectural options for integrating fraud detection into an online application. The most-appropriate technical option largely depends on whether the enterprise wants to intervene in real time in suspect transactions.

Analysis:

Three options for integrating fraud detection with online banking or other applications are as follows:

  • A fraud-detection filter sitting inside the application server (for example, Websphere). Rules maintained by the enterprise are applied by the filter to any HTTP request (for example, login or payment) before the transaction hits the application. Transactions can be stopped and/or redirected to a transaction-verification routine in real time through execution of the filter's fraud rules. Several vendors provide plug-ins to application servers, but one solution, sold by FMT, is directly embedded with a preprocessor. Accordingly, users are locked into a single source solution.

  • "Listener" integration - In this mode, the application listens to or "sniffs" input files or HTTP network traffic (for example, logs), or reads data using application server plug-ins installed at each server. Data is read in real time (network "sniffer" approach) or near-real time (application server listener approach) and either fed into another fraud-management application or reconstructed into a format on which fraud rules can be applied. In the latter case, suspect transactions are queued for fraud analyst follow-up. Customized application programming interfaces (APIs) can be integrated so that transactions are redirected to a challenge/response verification. The 41st Parameter, Digital Resolve, Entrust, Covelight, VeriSign and RSA, the Security Division of EMC, provide variations of this option.

  • "Inline" integration - in this case, APIs are used to pass transactions through fraud detection before a transaction is processed. Transaction flow is controlled, so a user can be challenged in real time if a suspect transaction is detected. Changes in business rules require changes to the core application. APIs are mainly based on Web services. Digital Resolve, Entrust, Covelight, VeriSign and RSA provide this option.

Things to Know:

Implementing fraud detection for online banking or other online applications can be done using one of three methods:

  • Fraud-detection filters built into the Web application server

  • Listening and/or monitoring of the online application

  • Programmatic interfaces into the legacy application

The first option is the easiest to implement and gives enterprises full control over transaction flow, but more readily locks an enterprise into its application server vendor. Fraud managers who prefer not to intervene in real time in user transactions will prefer the second approach, which is the easiest to pull out and replace. Using APIs for fraud detection (the third option) gives enterprises direct control over transaction flow, but requires significant integration work and must be constantly updated when the core application changes. APIs also make it harder to switch vendor solutions.

No matter which option is chosen, technical strategy is just one piece of the puzzle. Business rules and processes are more important determinants of an application's effectiveness.
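The first option above, a filter inside the application server that applies enterprise-maintained rules to each HTTP request before the transaction reaches the application, can be sketched as WSGI middleware. The following Python is an added example, not a vendor product or material from the Gartner note: WSGI stands in for the application-server plug-in point, the two rules (login velocity from one address, large payment from a device not seen before) and the X-Device-Seen header are constructed for the example, and the verdicts map to the redirect-to-verification and refuse-in-real-time behaviours the text describes.

```python
import time
from collections import defaultdict, deque
from typing import Callable, Deque, Dict, List, Tuple
from urllib.parse import parse_qs

# Constructed stand-in for the enterprise-maintained rule set. Each rule is
# (name, predicate over the reduced transaction, verdict); verdicts are
# "challenge" (redirect to a verification step) or "block" (refuse outright).
# Any "block" hit wins over any "challenge" hit.
Rule = Tuple[str, Callable[[dict, "FraudFilter"], bool], str]

RULES: List[Rule] = [
    ("login velocity from one address",
     lambda tx, f: tx["path"] == "/login" and tx["login_rate"] > f.login_limit, "block"),
    ("large payment from a device not seen before",
     lambda tx, f: tx["path"] == "/pay" and tx["amount"] >= 1000 and tx["new_device"], "challenge"),
]


class FraudFilter:
    """WSGI middleware standing in for the vendor filter inside the application
    server: rules run on each HTTP request before the wrapped application
    processes the transaction."""

    def __init__(self, app, rules: List[Rule], challenge_url="/verify",
                 window_s=60, login_limit=5):
        self.app = app
        self.rules = rules
        self.challenge_url = challenge_url
        self.window_s = window_s
        self.login_limit = login_limit
        self._logins: Dict[str, Deque[float]] = defaultdict(deque)  # ip -> recent login times

    def _login_rate(self, ip: str, now: float) -> int:
        q = self._logins[ip]
        q.append(now)
        while q and now - q[0] > self.window_s:   # drop attempts outside the window
            q.popleft()
        return len(q)

    def _reduce(self, environ: dict, now: float) -> dict:
        """Pull out the fields the rules look at. X-Device-Seen is an assumed
        header set by upstream device-recognition code, not a standard one."""
        qs = parse_qs(environ.get("QUERY_STRING", ""))
        path = environ.get("PATH_INFO", "")
        ip = environ.get("REMOTE_ADDR", "")
        try:
            amount = float(qs.get("amount", ["0"])[0])
        except ValueError:
            amount = float("inf")      # unparseable amount: treat as the riskiest case
        return {
            "path": path,
            "ip": ip,
            "amount": amount,
            "new_device": environ.get("HTTP_X_DEVICE_SEEN") != "1",
            "login_rate": self._login_rate(ip, now) if path == "/login" else 0,
        }

    def decide(self, environ: dict, now: float = None) -> str:
        tx = self._reduce(environ, time.time() if now is None else now)
        verdict = "allow"
        for _name, pred, v in self.rules:
            if pred(tx, self):
                if v == "block":
                    return "block"
                verdict = "challenge"
        return verdict

    def __call__(self, environ, start_response):
        verdict = self.decide(environ)
        if verdict == "block":
            start_response("403 Forbidden", [("Content-Type", "text/plain")])
            return [b"transaction refused"]
        if verdict == "challenge":
            start_response("302 Found", [("Location", self.challenge_url)])
            return [b""]
        return self.app(environ, start_response)   # only clean traffic reaches the application


def banking_app(environ, start_response):
    """Placeholder for the real online-banking application."""
    start_response("200 OK", [("Content-Type", "text/plain")])
    return [b"transaction accepted"]


def invoke(app, environ: dict) -> Tuple[str, Dict[str, str]]:
    """Call a WSGI app directly (no server) and return (status, headers)."""
    captured = {}

    def start_response(status, headers):
        captured["status"], captured["headers"] = status, dict(headers)

    list(app(environ, start_response))
    return captured["status"], captured["headers"]


def demo() -> List[str]:
    """Three constructed requests through the filter; returns the status lines."""
    guarded = FraudFilter(banking_app, RULES)
    seen = {"PATH_INFO": "/pay", "QUERY_STRING": "amount=50", "REMOTE_ADDR": "198.51.100.7",
            "HTTP_X_DEVICE_SEEN": "1"}
    unseen = {"PATH_INFO": "/pay", "QUERY_STRING": "amount=5000", "REMOTE_ADDR": "198.51.100.7"}
    login = {"PATH_INFO": "/login", "QUERY_STRING": "", "REMOTE_ADDR": "203.0.113.9"}
    results = [invoke(guarded, seen)[0], invoke(guarded, unseen)[0]]
    for _ in range(guarded.login_limit + 1):      # one more login than the window allows
        status = invoke(guarded, login)[0]
    results.append(status)
    return results                       # ["200 OK", "302 Found", "403 Forbidden"]
```

Because the rules live in the filter and not in banking_app, changing a threshold or adding a rule touches no application code, which is the property the text credits to the first option; the cost is that the filter is tied to the WSGI (here) or WebSphere (in the text) plug-in interface.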

Friday, February 1, 2008

Business Continuity Planning - BCP

Business Continuity Planning is an ongoing iterative process.

Business Continuity Planning is not a project with a finite commencement and conclusion. Access your Business Continuity Plan when you need it from wherever you can gain web access. The web-based model of delivery removes your reliance on the very infrastructure at risk of being impacted by a critical event.

The Importance of Planning

The primary goal of a Business Continuity Plan has always been its successful use in response to some form of disaster. In addition to protecting your business, successful use of a Business Continuity Plan can also demonstrate your business resilience to your clients and other businesses you deal with.

However, there are significant additional benefits to any organisation simply through the creation and ongoing management of a Business Continuity Plan. The creation of a cohesive Business Continuity Plan helps to ensure that representatives from all facets of your business are aware of each other's roles and responsibilities. As the Business Continuity Plan is reviewed, it can help highlight issues and provide the required focus on resourcing or change in key business units. And as an organisation and the people within it change over time, a Business Continuity Plan lifecycle review process can help identify the adverse impact of change within that organisation.

The Business Continuity Planning Lifecycle

Business Continuity Plans require a lifecycle approach; as your business grows and changes, the Business Continuity Plan needs to grow and change to help protect your business. Once a Business Continuity Plan is created it needs to be kept current through scheduled reviews and updates, and in order to validate that it is current, it needs to be regularly tested.

The following steps are required to create, manage and test your Business Continuity Plan:

  • Project Initiation - program and user hierarchy

  • Functional Analysis - Business Impact Analysis, surveys

  • Design/Creation - import existing or new files into templates

  • Training - maintain Business Continuity Plan training schedules, and report on access

  • Testing - store, use and re-use test exercises

  • Maintenance - alert task assignees, report on compliance

  • Execution - use pre-planned response actions, track execution for post-execution review.