Another email scam that no one should fall for !
Download for a Windows Licence key from Password@Linkedin.com
Link goes to http://m.victorponta.ro/page2.htm recommend not following the link
I always wonder if anyone does fall for this type of scam.
Monday, 22 October 2012
Friday, 19 October 2012
Safety & Security
An interesting point that came out from the IET conference
on System Safety incorporating the Cyber Security in Edinburgh this month is that
in German the word Sicherheit means both Security and Safety depending on the
context. This highlighted the commonality between building safety systems and
secure systems and ensuring flaws, vulnerabilities and risk are taken into
account during the requirement phase of a project and then built in during the
design and production. Naturally as security & safety are parts of
requirements the testing will ensure these requirements have been met and to
complete the lifecycle the maintenance of the system needs to ensure the
requirements are continued to be built into the systems.
Techniques from writing safe code and for writing secure
code are interchangeable and ensure that software flaws such as buffer
overflow, inadequate input validation are eliminated. For those writing secure
code the more mature safe code standards can help with guidance in the coding
of projects ensuring that the effect of unexpected features are eliminated.
Buffer overflows are still a common problem with modern
software, 50% of CERT advisories still have buffer overflows despite them being
known since 1972. The techniques for preventing and detecting them are well
understood by programmers and testers however they are still being found by researchers
in software that has been deployed.
Adherence to coding standards and use of secure and safe
programming techniques will reduce vulnerabilities in software, with web
application attacks being the most common attack vector along with social
engineering reducing the number of flaws in applications will reduce the number
of successful attacks.
Wednesday, 17 October 2012
Car Safety Standard Testing & InfoSec
At the IET cyber security conference listening to the keynote by Mike StJohn-Green discussing "cyber security - who says we are safe" he raised the comparison with car safety when buying security are we looking for the Volvo a name that is linked with car safety or looking for the best that meets our needs. He also mentioned about the NCAP rating which is a standard safety test in the EU for comparing the safety of cars, however one of the problems is that since safety sells cars, manufacturers design cars to get a higher rating, this does not mean that they are safe for occupants and pedestrians. This goes for a lot of information security equipment, the testing is not always representing the real world environment and give the assurances required by senior management to make decisions.
Sunday, 7 October 2012
Tools (7th Oct)
A slightly longer than normal interval in my update on new and updated Information Security tools that I have come across or use. The tools are mainly those for PenTesting although other tools are sometimes included. As a bit of background into how I find these tools, I keep a close watch on twitter and other websites to find updates or new releases, I also search for pen testing and security projects on Source Forge. Some of the best sites I have found for details of new tools and releases are http://www.toolswatch.org/, http://tools.hackerjournals.com/
Core Impact V12.5
http://blog.coresecurity.com/
CORE Impact® Pro is the most comprehensive software solution for assessing and testing security vulnerabilities throughout your organization. Backed by 15+ years of leading-edge security research and commercial-grade development, Impact Pro allows you to evaluate your security posture using the same techniques employed by today’s cyber-criminals.
The Social-Engineer Toolkit (SET)
https://www.trustedsec.com/september-2012/the-most-advanced-version-of-the-social-engineer-toolkit-to-date-released/
his version is the collection of several months of development and over 50 new features and a number of enhancements, improvements, rewrites, and bug fixes. In order to get the latest version of SET, download subversion and type svn co https://svn.trustedsec.com/social_engineering_toolkit set/
BurpSuite 1.5rc2
http://releases.portswigger.net/2012/10/v15rc2.html
Burp Suite is an integrated platform for performing security testing of web applications. Its various tools work seamlessly together to support the entire testing process, from initial mapping and analysis of an application's attack surface, through to finding and exploiting security vulnerabilities.
SANS Investigate Forensic Toolkit (SIFT) Workstation Version 2.14
http://computer-forensics.sans.org/community/downloads
The SIFT Workstation is a VMware appliance, pre-configured with the necessary tools to perform detailed digital forensic examination in a variety of settings. It is compatible with Expert Witness Format (E01), Advanced Forensic Format (AFF), and raw (dd) evidence formats. The brand new version has been completely rebuilt on an Ubuntu base with many new capabilities and tools such as log2timeline that provides a timeline that can be of enormous value to investigators.
Wireshark is 1.8.3.
http://www.wireshark.org/download.html
Wireshark is the world's foremost network protocol analyzer. It lets you capture and interactively browse the traffic running on a computer network. It is the de facto (and often de jure) standard across many industries and educational institutions.
Core Impact V12.5
http://blog.coresecurity.com/
CORE Impact® Pro is the most comprehensive software solution for assessing and testing security vulnerabilities throughout your organization. Backed by 15+ years of leading-edge security research and commercial-grade development, Impact Pro allows you to evaluate your security posture using the same techniques employed by today’s cyber-criminals.
The Social-Engineer Toolkit (SET)
https://www.trustedsec.com/september-2012/the-most-advanced-version-of-the-social-engineer-toolkit-to-date-released/
his version is the collection of several months of development and over 50 new features and a number of enhancements, improvements, rewrites, and bug fixes. In order to get the latest version of SET, download subversion and type svn co https://svn.trustedsec.com/social_engineering_toolkit set/
BurpSuite 1.5rc2
http://releases.portswigger.net/2012/10/v15rc2.html
Burp Suite is an integrated platform for performing security testing of web applications. Its various tools work seamlessly together to support the entire testing process, from initial mapping and analysis of an application's attack surface, through to finding and exploiting security vulnerabilities.
SANS Investigate Forensic Toolkit (SIFT) Workstation Version 2.14
http://computer-forensics.sans.org/community/downloads
The SIFT Workstation is a VMware appliance, pre-configured with the necessary tools to perform detailed digital forensic examination in a variety of settings. It is compatible with Expert Witness Format (E01), Advanced Forensic Format (AFF), and raw (dd) evidence formats. The brand new version has been completely rebuilt on an Ubuntu base with many new capabilities and tools such as log2timeline that provides a timeline that can be of enormous value to investigators.
Wireshark is 1.8.3.
http://www.wireshark.org/download.html
Wireshark is the world's foremost network protocol analyzer. It lets you capture and interactively browse the traffic running on a computer network. It is the de facto (and often de jure) standard across many industries and educational institutions.
Friday, 5 October 2012
Insider Fraud
Another example of the insider committing fraud, Verizon System Admin managed to take advantage of a scheme to keep critical infrastructure up to date.
http://www.fbi.gov/atlanta/press-releases/2012/former-verizon-wireless-network-engineer-sentenced-to-federal-prison-for-multi-million-dollar-fraud-scheme
Controls such as segregation of duties, supervision to prevent fraud where not rigorously in place, there should be systems in place whereby no single person has responsibility for payments and adequate controls are in place to guard against fraud, such controls require regular reviews of internal systems.
When it comes to preventing insider fraud, organizations would do well to more closely monitor experienced, mid-level employees with years on the job, according to a new study conducted by the CERT Insider Threat Centre of Carnegie Mellon University's Software Engineering Institute in collaboration with U.S. Secret Service.
The study found that, on average, insiders are on the job for more than five years before they start committing fraud and that it takes nearly three years for their employers to detect their crimes.
http://www.fbi.gov/atlanta/press-releases/2012/former-verizon-wireless-network-engineer-sentenced-to-federal-prison-for-multi-million-dollar-fraud-scheme
Controls such as segregation of duties, supervision to prevent fraud where not rigorously in place, there should be systems in place whereby no single person has responsibility for payments and adequate controls are in place to guard against fraud, such controls require regular reviews of internal systems.
When it comes to preventing insider fraud, organizations would do well to more closely monitor experienced, mid-level employees with years on the job, according to a new study conducted by the CERT Insider Threat Centre of Carnegie Mellon University's Software Engineering Institute in collaboration with U.S. Secret Service.
The study found that, on average, insiders are on the job for more than five years before they start committing fraud and that it takes nearly three years for their employers to detect their crimes.
Secure Software Development
There are a number of good resources on secure programming from Microsoft describing a secure developmental life cycle and tools. If you are programming with Microsoft tools then it is recommended that you look at their resources, however the resources are not just of interest to the their development environment but are applicable in many cases to others. In just the same way, there other resources that will help if you are developing using the Microsoft tools such as OWASP and (ISC)2.
The Microsoft Site gives a lot of information on using a Secure Development lifecycle much of which is transferable to other development environments, the principles behind the Microsoft's SDL and pretty much good solid principles.
http://blogs.technet.com/b/security/archive/2012/08/23/microsoft-s-free-security-tools-threat-modeling.aspx
http://blogs.technet.com/b/security/archive/2012/08/02/microsoft-s-free-security-tools-attack-surface-analyzer.aspx
http://msdn.microsoft.com/en-us/security/aa973814.aspx
http://blogs.technet.com/b/security/archive/2012/08/30/microsoft-s-free-security-tools-banned-h.aspx
Microsofts Security Development Lifecycle (SDL)
http://www.microsoft.com/security/sdl/default.aspxThe Microsoft Site gives a lot of information on using a Secure Development lifecycle much of which is transferable to other development environments, the principles behind the Microsoft's SDL and pretty much good solid principles.
Free tools from Microsoft
Some of these tools are more for the Microsoft programming environment than others
Threat Modeling Tool
The SDL Threat Modeling Tool helps engineers analyze the security of their systems to find and address design issues early in the software lifecycle. To help make threat modeling a little easier, Microsoft offers a free SDL Threat Modeling Tool that enables non-security subject matter experts to create and analyze threat models by communicating about the security design of their systems, Analyzing those design for potential security issues using a proven methodology and suggesting and managing mitigations for security issues.http://blogs.technet.com/b/security/archive/2012/08/23/microsoft-s-free-security-tools-threat-modeling.aspx
Attack Surface Analyzer
Attack Surface Analyzer can help software developers and Independent Software Vendors (ISVs) understand the changes in Windows systems’ attack surface resulting from the installation of the applications they develop. It can also help IT professionals, who are responsible for managing the deployment of applications or the security of desktops and servers, understand how the attack surface of Windows systems change as a result of installing software on the systems they manage.http://blogs.technet.com/b/security/archive/2012/08/02/microsoft-s-free-security-tools-attack-surface-analyzer.aspx
Anti-Cross Site Scripting Library
The Microsoft Anti-Cross Site Scripting Library V4.2.1 (AntiXSS V4.2.1) is an encoding library designed to help developers protect their ASP.NET web-based applications from XSS attacks. It differs from most encoding libraries in that it uses the white-listing technique -- sometimes referred to as the principle of inclusions -- to provide protection against XSS attacks. This approach works by first defining a valid or allowable set of characters, and encodes anything outside this set (invalid characters or potential attacks). The white-listing approach provides several advantages over other encoding schemes.http://msdn.microsoft.com/en-us/security/aa973814.aspx
banned.h
The banned.h header file is a sanitizing resource that is designed to help developers avoid using and help identify and remove banned functions from code that may lead to vulnerabilities. Banned functions are those calls in code that have been deemed dangerous by making it relatively easy to introduce vulnerabilities into code during development.http://blogs.technet.com/b/security/archive/2012/08/30/microsoft-s-free-security-tools-banned-h.aspx
PCI QSA
Just preparing for a new role that I have been asked to take up within IT Governance as a PCI QSA providing I can pass the exams.
Undertaken our own PCI Foundation course (http://www.itgovernance.co.uk/products/1858) and now working my way through the "PCI DSS: A Practical Guide to Implementing and Maintaining Compliance" by Steve Wright (http://www.itgovernance.co.uk/products/1670).
Also being review the material from American Express, Visa & Mastercard about their compliance programmes.
The PCI Validation Requirements For Qualified Security Assessors (QSA) recommends the following documents
However having problems finding PCI DSS Security Audit Procedures on the PCI Security Standards Website which is a document that is referred by a number of others on the site. However a very early version of the PCI DSS Audit document seems to indicate it has now being incorporated into the main documentation. It is a shame that the Audit procedures are not a clearly defined document as the PCI SSC website has a lot of useful documentation for the standard, as do the main card issuers sites, having worked with many standards from a range of industry I have found often there is a lack of freely available documentation about them, which does not seem the case with the PCI DSS.
Undertaken our own PCI Foundation course (http://www.itgovernance.co.uk/products/1858) and now working my way through the "PCI DSS: A Practical Guide to Implementing and Maintaining Compliance" by Steve Wright (http://www.itgovernance.co.uk/products/1670).
Also being review the material from American Express, Visa & Mastercard about their compliance programmes.
The PCI Validation Requirements For Qualified Security Assessors (QSA) recommends the following documents
- Payment Card Industry (PCI) Data Security Standard Security Audit Procedures (“PCI DSS Security Audit Procedures”)
- PA-DSS Security Audit Procedures
However having problems finding PCI DSS Security Audit Procedures on the PCI Security Standards Website which is a document that is referred by a number of others on the site. However a very early version of the PCI DSS Audit document seems to indicate it has now being incorporated into the main documentation. It is a shame that the Audit procedures are not a clearly defined document as the PCI SSC website has a lot of useful documentation for the standard, as do the main card issuers sites, having worked with many standards from a range of industry I have found often there is a lack of freely available documentation about them, which does not seem the case with the PCI DSS.
Ethics
A post about Ethics from the BCS "IT industry 'must get serious' about ethics" http://bit.ly/WsTyyG which highlights the IT industry should get serious about ethics. This post was based on Andrea Di Maio blog "It Is Time for Industry, Government and Consumers To Get Serious About IT Ethics" http://bit.ly/QWluKL
I found Andrea's blog very interesting as I have been involved in teaching of ethics to university students and covering it in Information Security course and it is also covering in the (ISC)2 CISSP body of knowledge. In particular refer to consumers is a good point when you consider that ethics are the moral principles that govern a person's or group's behaviour and in terms of code of ethics of all professional institutions they refer to not only working towards the general good of the professional body but of society in general.
The blog makes some very good points and gives some interesting examples to illustrate those points, the comments by Bill McCluggage at the end of the blog are also interesting, I look forward to more from both Andrea and Bill as it will form some good background for my activities.
I can see in the blog the line of reasoning that started with Norbert Wiener, his work was in the area of "Loss of human control and oversight" and his article "A Scientist Rebels" for the January 1947 issue of The Atlantic Monthly urged scientists to consider the ethical implications of their work. I personally think that in particular with IT it has great affect on society and all the stakeholders, Industry, Government and Consumers in the words of Andrea Di Maio need to be involved in ensuring that IT ethics are taken seriously.
I found Andrea's blog very interesting as I have been involved in teaching of ethics to university students and covering it in Information Security course and it is also covering in the (ISC)2 CISSP body of knowledge. In particular refer to consumers is a good point when you consider that ethics are the moral principles that govern a person's or group's behaviour and in terms of code of ethics of all professional institutions they refer to not only working towards the general good of the professional body but of society in general.
The blog makes some very good points and gives some interesting examples to illustrate those points, the comments by Bill McCluggage at the end of the blog are also interesting, I look forward to more from both Andrea and Bill as it will form some good background for my activities.
I can see in the blog the line of reasoning that started with Norbert Wiener, his work was in the area of "Loss of human control and oversight" and his article "A Scientist Rebels" for the January 1947 issue of The Atlantic Monthly urged scientists to consider the ethical implications of their work. I personally think that in particular with IT it has great affect on society and all the stakeholders, Industry, Government and Consumers in the words of Andrea Di Maio need to be involved in ensuring that IT ethics are taken seriously.
Sept ADSL Router Analysis
September was a very quiet month with very few probes until the end of month, just 21 probes from 3 countries.
The detected events broke down country wise as follows
The detected events broke down country wise as follows
Country | Source IPs | No of attack from country |
Turkey | 19 | 19 |
Japan | 1 | |
Malaysia | 1 | 1 |
Wednesday, 3 October 2012
PenTesting Pitfall
An article on Softpedia highlight one of the more unusual pitfalls of conducting PenTesting
http://news.softpedia.com/news/Hack-Attack-on-City-of-Tulsa-Website-Turns-Out-to-Be-Part-of-Penetration-Testing-296151.shtml
As it turns out, hackers were not responsible for the breach. Instead, it was a company hired by the city’s IT department to perform penetration testing. The security firm utilised a test procedure that was unfamiliar to the IT department.
This shows the importance of engaging with the client when scoping the PenTest and ensuring that they understand the process and have defined lines of communication between the client and the PenTesters.
After the incident, the IT department managed to further strengthen the city’s systems, which are said to be targeted thousands of times daily by cyberattacks. It also made officials realise that incident management for IT security should be treated just like the one for natural disasters. The cost of the response to the false incident was around $20,000 (15,000 EUR) for the operation.
Monday, 1 October 2012
Pension email scan
It didn't take look after the announcement that the UK Government new requirements on workplace pensions came into force on the first of October for the first email to appear in my inbox that directs me to malware
The wording within the email really does not make sense and I hope no one gets taken by this simple attempt.
The wording within the email really does not make sense and I hope no one gets taken by this simple attempt.
Subscribe to:
Posts (Atom)