Articles & Presentations

Tuesday, July 26, 2011

(T) Ethical Hacker Video Training - FREE

Want to learn some Ethical Hacker skills? Thanks to the folks over at Logical Security you can. View over 25 hours of videos on CEH training - FREE!!!!!

LogicalSecurity CEH Training videos

#InfoSec #LogicalSecurity #CEH

Monday, July 25, 2011

(I) Check out a collection of info on recent hacks.. CNET Hacker Chart


Very kewl... CNET has compiled info on recent hacks... It shows when the hack occurred, the type of hack, who got hacked and by whom, lost IP and other info and links... Very handy.

CNET Hacker chart - Google Doc

#InfoSec #CNet #Hacks

(I) Want to see how websites track you graphically?

Ever wonder what websites track about you and how they are related? Now you can see it with these two Firefox add-ons.


Ghostery website


Collusion Toolness website

Thanks Steve Gibson for these!

#InfoSec #Ghostery #Collusion #SGgrc

Thursday, July 21, 2011

(I) Microsoft Forefront Event Log ID's

If you are a Microsoft ForeFront user and want to know about some undocumented Event Log IDs, here you go...

You can set up email alerts and get flooded with un-actionable information, or tweak the settings to reduce the noise, which you should do by the way.

But what about those of us that use SIEM or logging solutions? You can find some event IDs in TechNet, but here are the ones you really need, the events you should take action on...

3007 - Forefront Endpoint Protection Alert: Malware Outbreak
3009 - Forefront Endpoint Protection Alert: Repeated Malware Detection
3010 - Forefront Endpoint Protection Alert: Multiple Malware Detection

Ignore EventID '3006 - Malware Detected': it is just noise and not actionable, since the AV client already acted on it. The three above are what's actionable.

Look for these events from the source Fepsrv, or use Wevtutil.exe to query your servers' event logs for them. For example, for 3009 and 3010:

Wevtutil qe "Forefront Endpoint Protection" /q:"*[System[(EventID=3009 or EventID=3010)]]" /r:system_name /f:text

Or look for events in the last 24 hours:

Wevtutil qe "Forefront Endpoint Protection" /q:"*[System[TimeCreated[timediff(@SystemTime) <= 86400000]]]" /r:system_name /f:text

The timediff value is in milliseconds; some handy windows:

43200000 ms - 12 hours
86400000 ms - 24 hours
129600000 ms - 36 hours
172800000 ms - 48 hours
604800000 ms - 7 days
2592000000 ms - 30 days

You can redirect the output to a file (append ">file_name_AV.log" to the command) if you want to as well.
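Once the output of those Wevtutil queries lands on a SIEM or a collector box, the next step is parsing it and keeping only the actionable IDs. The script below is an added example (not code from this post or from Microsoft): it parses the "/f:text" layout that Wevtutil emits, drops the 3006 noise, keeps 3007/3009/3010, and optionally applies the same time window the post's second query uses. It also builds the "/q:" XPath string, and goes one step beyond the post by combining the ID filter and the timediff window in a single query. SAMPLE_OUTPUT is a constructed stand-in for real output (the log name and source "Fepsrv" are the ones named in the post; the computer and workstation names are made up), and "timediff_ms" reproduces the millisecond table above.

```python
"""Parse 'wevtutil qe ... /f:text' output and keep only the actionable Forefront
Endpoint Protection alerts. Added example, not code from the post or Microsoft;
SAMPLE_OUTPUT is constructed to match the /f:text layout."""
import re
from datetime import datetime, timedelta

# Event IDs as classified in the post; 3006 is deliberately left out (noise).
ACTIONABLE = {
    3007: "Malware Outbreak",
    3009: "Repeated Malware Detection",
    3010: "Multiple Malware Detection",
}

def timediff_ms(hours):
    """timediff(@SystemTime) in event-log XPath counts milliseconds: 24 h -> 86400000."""
    return int(hours * 3600 * 1000)

def build_xpath(event_ids=None, hours=None):
    """String for wevtutil's /q: option: the IDs (default: all actionable ones), optionally within the last `hours`."""
    ids = sorted(event_ids if event_ids is not None else ACTIONABLE)
    parts = ["(" + " or ".join(f"EventID={i}" for i in ids) + ")"]
    if hours is not None:
        parts.append(f"TimeCreated[timediff(@SystemTime) <= {timediff_ms(hours)}]")
    return "*[System[" + " and ".join(parts) + "]]"

def parse_wevtutil_text(text):
    """Turn each 'Event[n]:' block of /f:text output into a dict of its fields."""
    events = []
    for block in re.split(r"^Event\[\d+\]:[ \t]*$", text, flags=re.M)[1:]:
        rec, desc, in_desc = {}, [], False
        for line in block.splitlines():
            if in_desc:                       # everything after Description: is free text
                desc.append(line.strip())
                continue
            m = re.match(r"^\s+([A-Za-z ]+):\s*(.*)$", line)
            if not m:
                continue
            key, val = m.group(1), m.group(2).strip()
            if key == "Description":
                in_desc = True
                if val:
                    desc.append(val)
            else:
                rec[key] = val
        rec["Description"] = " ".join(d for d in desc if d)
        rec["Event ID"] = int(rec.get("Event ID", 0))
        events.append(rec)
    return events

def triage(events, max_age_hours=None, now=None):
    """Keep only actionable alerts (3007/3009/3010); if max_age_hours is set, drop
    anything older than that relative to `now` (ISO string, default: current time)."""
    ref = datetime.fromisoformat(now) if now else datetime.now()
    hits = []
    for e in events:
        eid = e["Event ID"]
        if eid not in ACTIONABLE:
            continue
        when = datetime.strptime(e["Date"][:19], "%Y-%m-%dT%H:%M:%S")
        if max_age_hours is not None and ref - when > timedelta(hours=max_age_hours):
            continue
        hits.append({"computer": e.get("Computer", "?"), "event_id": eid,
                     "alert": ACTIONABLE[eid], "date": e["Date"],
                     "detail": e["Description"]})
    return hits

# Constructed sample of 'wevtutil qe "Forefront Endpoint Protection" /f:text' output.
SAMPLE_OUTPUT = """\
Event[0]:
  Source: Fepsrv
  Date: 2011-07-21T08:05:12.000
  Event ID: 3006
  Computer: FEPSERVER01.example.local
  Description:
Forefront Endpoint Protection Alert: Malware Detected on WKS-042

Event[1]:
  Source: Fepsrv
  Date: 2011-07-21T09:41:55.000
  Event ID: 3009
  Computer: FEPSERVER01.example.local
  Description:
Forefront Endpoint Protection Alert: Repeated Malware Detection on WKS-042

Event[2]:
  Source: Fepsrv
  Date: 2011-07-19T22:10:03.000
  Event ID: 3010
  Computer: FEPSERVER01.example.local
  Description:
Forefront Endpoint Protection Alert: Multiple Malware Detection on WKS-017
"""

if __name__ == "__main__":
    print(build_xpath(hours=24))
    for hit in triage(parse_wevtutil_text(SAMPLE_OUTPUT), max_age_hours=24, now="2011-07-21T12:00:00"):
        print(hit)
```

On a real server you would feed the script the redirected ">file_name_AV.log" output instead of SAMPLE_OUTPUT; the returned hits are what should open the Help Desk ticket, since 3006 never makes it past triage.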

If you see them, take action. These are bad offenders: either getting repeated malware of the same kind or receiving multiple malware at once, and either way these systems need some attention. Are they Administrators? Then I recommend a re-image; if not, then maybe a deep scan. Create a process flow that your admins can follow when alerts occur, and consider having the Forefront alerts send an email to your Help Desk solution to automatically open tickets for these items. Ignore the 'a user has Malware' alerts and set 'Malware Detection Alerts' to 'Medium' to reduce some noise.

Logs have good data you can act upon if you look. Find what you want and parse it out so what you see is actionable... Not hard if you do a little prep.

#InfoSec #ForeFront #eventlogs #Wevtutil

Wednesday, July 20, 2011

(I) Want to force all Internet sites to use HTTPS?

If you want to make sure your web surfing always uses HTTPS (encrypted connections), forcing websites to use it so ne'er-do-wells can't sniff your surfing, logins and other info you might enter while using the InterWebbings.. then use Firefox and add EFF's add-on 'HTTPS Everywhere' and poof! If a site has HTTPS, this little add-on will force it to use HTTPS... Handy, oh yeah.. Donate them some $$$$, they fight for our Internet rights!!!

EFF website download

#InfoSec #EFF

(W) If you see this message while Googling.. You're screwed !!!

If you see this message while searching for something on The Google.. You're screwed and your computer needs to have Windows re-installed.

Google now looks for certain types of behavior from clients that indicate a system is infected with Malware; if you are, The Google will pop up the above message and tell you. Only in your browser, so if you see an email with this message.. WARNING WILL ROBINSON.. It's malware via email trying to get you to click on that.. And we all hopefully know.. 'Don't Click on That!'

If you do see this message, then your system needs a rebuild! Plain and simple: don't pass Go and try to 'clean' your computer. The fact you are infected and see this message means your system is not security-worthy and other problems most likely exist.

So what do you do? Read my article "Top 10 Tips - If your Windows PC or an account has been hacked" and rebuild your system with these tips to avoid future issues.

Thanks Google!

Brian Krebs article on the Google warning

#InfoSec #Krebs #Malware #Google

Thursday, July 14, 2011

(I) Microsoft to block common passwords for HotMail users

Hard to believe that Micro$oft of all people is taking the lead in such an obvious area as passwords. With all the password breaches, Micro$oft feels it is time to block many of the more stoopid passwords that people use.

List of Top 500 worst passwords

For years we have been Whitelisting (allow) and Blacklisting (block) websites with web proxies in the corporate world; it is obvious to implement a blacklist for known bad passwords as well. Frankly, EVERY Internet facing website should implement this feature, not just to protect your users, but to improve customer service. How is that, you say? Well, say you are suffering from a brute force attack that creates a DoS situation locking out thousands of your users: because you know they use crappy passwords, locking out their accounts to keep them from being breached is the best option.. Sucks, but the best option. Unless you want to force two-factor authentication on your users, forcing them to use stronger passwords so you can ignore typical brute force web based attacks is the best low cost solution you can do.

Many web and email proxies and web filtering solutions like OpenDNS and Norton Online Family use blacklist providers to block users from going to well known bad sites and email senders.

This is an easy solution to implement, and I would hope Micro$oft would use their reason (too many p0wned accounts.. aka too many customer support calls and emails) to offer common password blocking as a service that we all can use and access, just like URL Blacklists..

Your ability to create ridiculous and easy passwords is coming to an end... Start considering using solutions like SuperGenPass, LastPass, PasswordSafe, RoboForm and other password managers to avoid this issue in the future.

Come on FaceBook, Twitter, Gawker, Sony... The list is endless.. Get a clue from... I can't believe I am going to say this... Microsoft and implement common stoopid password blocking!!!

Article on MS HotMail common password blocking

#InfoSec #HackerHurricane

(I) New MetaSploit Book and PDF deal - a MUST have !!!

Pentesters and InfoSec Geeks take note.. This is a serious deal on the hottest InfoSec topic. You get the new MetaSploit book AND the PDF (iPad, yeah). Use the code 'REDTEAM' and get a $19.98 discount !!!

NoStarch website to order the MetaSploit book deal

#InfoSec #MetaSploit

(I)(W) Pwnie device can split your network in the palm of your hand

Just add a touch of Social Engineering and add this to any location: plug it into a wall jack near an ethernet jack, or use the WiFi version if you know or cracked the key. Installing it by a printer or under a desk would work best, and you can start assessing and exploiting a network.

I can tell you from years of experience it would be trivial to get this device installed and talking out a corporate or government network.

This little PC in a brick the size of a power supply packs a punch of tools. The 'Standard' device comes with the following loaded:

:: Includes "Plug UI" for simple web-based setup
:: Tunnels through application-aware firewalls & IPS
:: Sends an SMS message when SSH tunnel is activated
:: Preloaded with Ubuntu, Metasploit, SET, Fasttrack, SSLstrip, nmap, dsniff, netcat, nikto, nbtscan, scapy, ettercap, JTR, medusa, & more!
:: Unpingable and no listening ports in stealth mode


For $320 USD it is cheap for the capability. They also make a Wireless version and a 3G version, and have accessories, which include stickers to make it look like an air freshener or printer power brick.

This is one KEWL Pen Test Do-Dad

Send me one Pwnie.. Pleeeeeaaaassseeeeeee

#InfoSec #HackerHurricane #Pwnie

(W) Watch out users of Mobile Banking apps !!!!

As blogged before by me, I found that my bank app's stored credentials kept usernames even after you deleted the application from the phone..

Now there is Malware that you can get on your Android that will slurp off your login to your Mobile Banking App when you.. Well..login...

Don't worry.. It will hit the iPhone and others... In the future...

SC Magazine article - Zeus stealing banking passwords on Android phones

#InfoSec #HackerHurricane

Tuesday, July 12, 2011

Just Funny

Thanks to the July issue of SC Mag


#InfoSec

Monday, July 11, 2011

(W)(I) HP.. Are you INSANE? Touchpad Security

OK HP... This is clearly 'DOH' on steroids...

Let me get this straight... So you want Enterprises to use and adopt Touchpads? But you don't allow them to be set up on a corporate WiFi that uses certificates or Captive Portal solutions? Are you insane HP, I mean REALLY ????

So you make us take our new tablet to an insecure WiFi, or tether to our smartphones (irony) to activate it, since we can't connect it to a Wireless network that uses certs or a portal... Hmmm, what a GREAT way to start off the opinion.. "Is the HP Touchpad secure?..."

I would say 'Nope...' not until it can be configured on a WiFi with certs and a captive portal so I can use it, say, in a Hotel, or as a guest in a corporate environment...

Fail!

#InfoSec #Touchpad

Thursday, July 7, 2011

Entertaining.. LulzSec Bon Voyage message

Thanks to 'The Hacker News' for posting this...

Too funny... Now you know why they do what they do...

LulzSec last message from 'The Hacker News'

Direct link to YouTube

#InfoSec #LulzSec

Wednesday, July 6, 2011

(W) Fake AV makes SERIOUS $$$$

If you ever ask people or wonder "Why do hackers do what they do?.." just take a look at what the folks at UCSB discovered the bad guys rake in for pushing out Fake AV, and how many fall for it and actually PAY the ransom to the crooks... Check out these numbers!!!!


Many thanks to Brian Krebs and his continued research to help educate everyone on the realities of why we need Information Security.

Brian Krebs article on the UC Santa Barbara researchers

#InfoSec #KrebsonSecurity

Tuesday, July 5, 2011

(I) Another site to look up your email accounts to see if they were leaked in recent hacks

Here you go, yet another website to use to see if your email or account was compromised in the recent LulzSec hacks... Put in your email(s) and see if you need to change your password...

Cracked account lookup website

#InfoSec