Articles & Presentations

Thursday, December 22, 2011

(I) great example of session timeout.. Everyone should follow this

So many times in our business we ask or evaluate an application for session timeouts.  We hear "But we have screen savers on the Windows systems enforced by Group Policy".  This is not session timeout, this is locking the terminal requirement.  

So many times you see apps stay open all day, overnight or over the weekend.  You have no idea who is actually using the app at any given time. Session timeout lets IT and InfoSec know who is using an app recently, giving us more accurate troubleshooting and resource management.  If you are an admin of an app that does not timeout... Well that's not good either.

So take a look at how HootSuite times you out after an hour and forces you to login again...  Banks do it, so should all Internet apps... 1 hour is plenty of time.  If you don't like logging in, then use a URL & Password manager like LastPass to speed things up.

Wednesday, December 21, 2011

(I) How to erase a hard drive before re-using, a service call, giving away or selling a computer


In our business losing data is a bad thing... A very bad thing.  So what do we do when we need to end of life or recycle a PC, Server or anything else with a hard drive?

Do you have a computer you ever gave to someone?  Or someone gave to you?  What was on the hard drive?  Retired a server?  In our professional side we have to make sure these drives are wiped, erased or sanitized before they leave the building.  Or do we?

Let's take a look at some options to wipe, erase or sanitize drives to protect the data that was/is on them.  This blog will not address the ghost images that require a lab, and microscope or how many wipes.  it covers realistic every day needs for InfoSec and IT professionals.

Encryption as a protection:

If the hard drive was encrypted, then that is as good as wiping the drive.  Just format the drive and your done.  The encryption will sufficiently randomize the data since the data is protected with a key the new owner won't have or know about and hopefully you also formatted the drive hiding it further.  If you use BitLocker, Credant, PointSec, McAfee or other disk encryption solutions that encrypt your drive, you are going to be fairly sure the data will not be recovered if someone tries.

Warning:  Bit locker is not a full disk solution and will only encrypt the active data, so if you have a 1 TB drive and re-installed Windows and enabled Bit-Locker and protected say 25 GB, you will have an exposure of data that was once there past 25 GB before you encrypted.  Free space can be an issue if data was once there prior to using Bit-Locker.

If you use TruCrypt like I do to make encrypted volumes on hard drives and USB drives, this too should be sufficient to protect any data on the drive if you format it and give it away.  You could just create the biggest volume your allowed and encrypt it with TruCrypt.  Now there will be a big block of bits that once reformatted would be pretty much worthless to the new owner.



RAID:

If you think a set of drives in a RAID array would be safe if you broke the drive out of the array, you would be incorrect. I can tell you as I was involved with decommissioning a SAN and we tested a single drive of a RAID group and retrieved data. You will have to treat non-encrypted SAN drives the same as any other drive. Newer SANs have secure clearing options as a part of maintenance, so check if your system has the option, better yet, make it a requirement for your next SAN or RAID storage solution.
Wiping:

Wiping is where you write the entire drive with 0's, 1's or any other character(s) over the entire disk surface and then again and again to meet whatever legal or regulatory requirements you might have.  DoD wiping at a minimum is 3 passes, 
Standard DoD 5220.22-M, US DoD 5220.22-M (ECE) requires 7 passes and there are requirements for even more passes in order to cover up any ghost data that may reside on the drive that researchers have found can exist.... Using a fancy dancy microscope and lab.

Although writing 0's (filing with zeros) over the entire disk will not satisfy government data standards such as DoD 5220.22-M or (NIST) Special Publication 800-88, overwriting the entire hard disk prevents most forensic tools from gaining useful data, what we are most concerned with.

Reality... A 1 pass wipe with say, the Free version of KillDisk or vendor disk tool is plenty and an effective way in both time and cost to scramble data that might have been on the drive.  If you have requirements to wipe a drive more than 3 times... Do yourself a favor and just destroy the drive.. Shredding is faster, cheaper and requires less people time.

How long does wiping take? 
Wiping a drive takes a loooonnnng time...  Recently I wiped a 250GB drive with KillDisk (Free 1 pass wipe) that took 1.5 hours.  If that drive were a 1TB drive it would take roughly 6 hours just for a 1 pass wipe.  Using 'Boot and Nuke' a 3 pass wipe to meet minimum DoD would take roughly 44+ hours for a 1TB drive.  Actually the 3 pass wipe of the same 250GB drive using 'Boot and Nuke' took just short of 11 hours... For a 1 pass wipe it took almost 5 hours.  Clearly KillDisk is more efficient at wiping a drive.

This length of time for just one drive makes wiping a drive an extremely time consuming prospect.  You would have to setup several systems to attach drives to and run the utilities to wipe the disks.  A typical corporation would have too many drives and could make this a full time job, not a cost effective or a good use of people's time... Unless you are required for law or regulatory reasons.  You would then buy an expensive multiple drive unit or utilize a service.

By the Numbers... What it took me:

  • 250GB - Long Test using SeaTools = 1.0 hour (validate/repair drive)
  • 250GB - Full Erase using SeaTools = 1.5 hours
  • 250GB - 1 Pass wipe using KillDisk = 1.5 hours
  • 250GB - 1 Pass wipe using DBaN = 5.0 hours
  • 250GB - 3 Pass wipe using DBaN = 11.0 hours
  • 500GB - Long Test using SeaTools over USB = 2.5 hours
  • 1TB - Full Erase using SeaTools = 5.5 hours
  • 1TB - Full Erase using SeaTools over USB = 8 hours














Of course the type, speed and performance of the drive will vary by model how long wiping will take, but you can get an idea of what to expect with these numbers.

Tip:  If you get a drive that shows really long time estimates that are not what you normally see, just destroy it, it's not worth the time and is probably older and slow.

Drive vendor tools:

All the hard drive vendors have bootable or Windows utilities that can maintain/repair the drive and even wipe it.  Seagate/Maxtor, Western Digital, Samsung, Hitachi and others all have tools to help wipe drives.  I tested for this Blog Seagate SeaTools on a 1TB drive.  Wiping took roughly 5 1/2 hours, roughly the same as a 1 pass KillDisk wipe.

Use a service:

If you don't want to deal with this issue you can opt to take all the drives you retired and you give them to a service that will shred them for you and 'POOF' problem solved.  Just make a form to record the drive serial number, the system it came out of, date the drive was destroyed, who did it with a signature and you would be in good shape for an audit.  Destroying takes no time at all and is fun to watch too!!!  Damn loud.

These services may also provide wiping as well, but compare the cost to destruction.  You will find disk encryption on the system in thequantities you need may make disk encryption a cost effective time saving option vs. wiping more than 1 pass.  Keep in mind if you lease systems or have service contracts, you may have to negotiate what to do with the drive and get the proper wording in your contracts to allow you to wipe or destroy a drive before returning it to the vendor if the drive is NOT encrypted.  You may be in a pickle with your vendor needing the drive back if the drive is NOT encrypted and you can't wipe or destroy it.

So?

The whole purpose of this Blog entry was to develop a process to retire and recycle hardware where we have to ensure the data that was on the system has been wiped so a system can be reused by another party, either internal or external to the company.  The advantage of using a Windows based solution is you can save reports and logs or print the screen and use it in your report the wiping was completed and save it to a directory that matches a log of the disposition of your drives.  Using a IDE/SATA USB drive adapter you can easily plug in drives to a Windows desktop and run the tools against them, save the final screen to disk as proof the wiping occurred.  Good enough for any auditor that might review your data sanitization process.  For server drives like SAS, SATA II or Fibre Channel drives, there are controllers that can be added to a desktop to allow you to see and wipe these drives as well.  

Sanitization Station:

After running these tests to decide what the Policy, Standard and Procedure will be, the next step is to setup a system to do the wiping.  Keeping in mind that several pieces of information are needed to make sure your sanitization is complete and will stand up to an audit.  Here is what I came up with for a small Sanitization Station or stations:
 

  • Windows PC.. (Yeah I know we all love Linux)
  • Install all vendor disk tools for Windows
  • USB to SATA/IDE adapter
  • SAS/SATA controller
  • Install KillDisk Windows
  • Install Secure Erase
  • Install SDelete 
Optional:

Run SATA cable externally from internal controller to improve speed, though I found for this function speed  was not an issue using a USB connected solution.  We are not transferring any data, just a few commands.

This setup would let you wipe most drives we use today including flash, thumb, USB, SATA and SAS drives that are found in servers along with older IDE drives and many memory cards used in cameras, phones and smart devices.

A Windows system because it provides you a simple screen capture that you can then paste into a Word document to capture and save the Repair and/or Wiping of the drive for audit purposes.  This is difficult to do on a bootable ISO image as there is no easy way to grab the output of the results from the wiping unless the solution builds in saving to another USB device.
With any drive recycling, auctioning old hardware, service calls or whatever reason a drive must leave your building, the proper paperwork is needed to show it was accounted for and verified wiped or destroyed.

RESOURCES:

KillDisk is the clear choice as it has a FREE 1 pass wipe option and a commercial solution to do multiple drives on multiple systems, data verification and meet DoD wipe requirements.

The vendor tools finish a close 2nd as they are also fast and provide an option to repair/validate your drive in the case you are recycling a system for reuse.  For true drive repair and data recovery, nothing beats Steve Gibson's SpinRite!!

 
GRC SpinRite:
http://www.grc.com/spinrite.htm

Tools:

I hesitate to recommend 'Boot and Nuke' since it is so slow (3x+ slower) and drive wiping is time consuming, so I am pointing you towards the most efficient solution.  Nor can it provide a report like KillDisk and the Vendor Tools running under Windows can.

KillDisk:
http://www.killdisk.com/

Secure Erase:  (For all drive types, including thumb drives, flash and SSD's)
http://cmrr.ucsd.edu/people/Hughes/SecureErase.shtml

SDelete: (Microsoft/SysInternals) utility to wipe drives, files or free space)
http://technet.microsoft.com/en-us/sysinternals/bb897443

Drive Vendors Tools:

Hitachi:
http://www.hitachigst.com/support/downloads/#DFT

Samsung:
http://www.samsung.com/us/support/SupportOwnersFAQPopup.do?faq_id=FAQ00000083&fm_seq=251#

Seagate and Maxtor:
http://www.seagate.com/www/en-us/support/downloads/seatools

Western Digital: (Select your drive and select the correct version of DLGDiag)
http://support.wdc.com/product/download.asp?modelno=DLGDiag&x=0&y=0

General Info:

Security through data erasure website:
http://www.dataerasure.com/

Government Docs:

DSS Clearing and Sanitization Matrix:
http://www.oregon.gov/DAS/OP/docs/policy/state/107-009-005_Exhibit_B.pdf?ga=t

NIST 800-88:  Guidelines for Media Sanitization:
http://csrc.nist.gov/publications/nistpubs/800-88/NISTSP800-88_rev1.pdf

Common Criteria Validated Products List: (approved wiping tools and other stuff):

 http://www.niap-ccevs.org/cc-scheme/vpl/ 
  • Be sure to use the FREE KillDisk version for home computers or Boot and Nuke to wipe your personal drives before you give or sell them to someone.


(I) Update to Blogging with an iPad and Social Dashboard

Thanks to a friends suggestion, I tried a Social Dashboard App called HootSuite to solve the post to many sites need.  This app or browser solution is similar to TweetDeck and Ping.FM.  The primary feature this app does for me when posting a Blog is a built-in link/URL shortener Button using Ow.ly and saving me from having to copy my long URL into the Ow.ly website to shorten it then copy that to my Ping.FM post.  Hoot also eliminates me having to use Ping.FM and Hoot is an actual iPad app where Ping.FM is an iPhone app and Ping.Fm app does not have a built-in URL shortener.  For browser users, Hoot lets you add your Ping.FM account.

The App also makes a nice dashboard for your Social sites, though limited in available sites, where Ping.FM shines, it does have Twitter, Facebook, LinkedIn and Foursquare for the iPad and adds Ping.FM the Japanese social site Mixi and MySpace and WordPress in your Browser.

All in all a nice edition to iPad Blogging and a nice Social Dashboard...

No Google+ yet.. ;-(



(W) Warning Will Robinson.. Walgreen's Phishing scam looks real !!!

I just received the following password reset email from Walgreens...

Or is it fake?  Can you tell the difference?

I forwarded this email to Walgreens to inform them of the good looking Phishing attempt along with a REAL password reset email that I generated...

You REALLY need to pay attention to these types of emails or you WILL get your account compromised!!!

Remember what I say... "Don't Click on THAT!!!!" dot commmmm...

ALWAYS go to the website directly and generate a request or login and make the change.

Happy Ho Ho Ho Holidays.

Stay Secure my friends...



Monday, December 19, 2011

(I) Health Care lost laptop... Really people... Beyond Stooopid!!!


I am amazed, well, not really... That companies that use Healthcare data still allow people to have this type of data, or any other PII, SPI, FTI, PCI or PHI type data to reside on a portable device like a laptop or USB drive that is NOT encrypted by default.

It's hard to believe with BitLocker being free on Windows 7 devices and the OpenSource TruCrypt, not to mention several other commercial solutions, that companies are still not encrypting drives with confidential data on them.

In the article below, $6000 was paid for credit monitoring for each owner of a lost record due to breach notification, $1000 per record lawsuit they face and the total costs at roughly $288,000 for the incident.  This cost alone can not seem to convince people to encrypt their confidential data!!!  It blows my mind that this type of data loss continues when there are cost effective solutions that would easily cost less than 10% of the breach.

Simple fix... Encrypt your portable devices and you won't face this risk...




Friday, December 16, 2011

(W) What have you downloaded on BitTorrent?

There is a new website or service that allows you to check if your IP address has downloaded a BitTorrent file.  Why?  Because users of BitTorrent are NOT private and much like the lawsuit by the makers of 'The Hurt Locker' They can use this type of information to prosecute you.  Not specifically from this website, but equally obtainable information...
The moral?  Don't download illegal content !!!!  People ARE getting prosecuted...  Read my previous Post here:

Monday, December 12, 2011

(W) Card Skimmers found in Self-Service checkout line in grocery store

I have written about Credit and debit card skimmers telling people to go inside and get their cash and avoid using outdoor ATM devices.  Well thanks to My friend Martin pointing out that Lucky's Supermarkets in California just found some 20 Self-Service checkouts had card skimmers attached.. INSIDE the store!!! Where people SHOULD be watching!!!

Alas, the nefarious ne'er-do-welles have found that self-service checkouts at not so LUCKY'S are not as well monitored and managed to replace units in 20 stores.
I still say inside is safer than outside, but now I would add... Use a staffed register to gain cash... Or if you use a Self-Service checkout.. Wiggle and yank the unit card reader and get to know what your stores systems look like so you can detect anything out of the ordinary...

I am still looking to find my first skimmer dang burnet...

So as Martin so accurately pointed out n his Tweet to me... Buy Beer, not a pack of gum... At a staffed register.

Sunday, December 11, 2011

(I) How to Blog with an iPad

So you wanna Blog...


With the recent IOS 5.0 and 5.1 upgrade to my iPad, which broke all my blogging apps (BlogPress, Blogsy and Blogger+), I had to resort to the old fashioned way.. use a browser.  Well I don't like to blog at my desk at home, I rather capture my thoughts over lunch or while watching a show or a football game... "GO PACKERS!".

Since I got my iPad I have been blogging 100% on my iPad, with only a few exceptions where I opened the browser to correct the Blog site or add a file or page, something not easily done from the iPad.  By the way, I use Blogger for my Blog, so no WordPress info here, except many of the manual steps would apply for any Blogger.

When the Apps broke, and I mean can't use them broke, who knows why (IOS 5 upgrade obviously), but I was unable to post a single thing via the iPad, and with BlogPress breaking I had to find a more manual way to Blog and post items.  Using your browser you still have to take your Blog entry and copy it into Facebook, Twitter, LinkedIn and Google+ or use an aggregator link Ping.FM to replicate it quickly.

With the Blog Apps broken, I set out wondering how to do this manually using multiple tools vs. relying on BlogPress like I had up to this point.  Let's first look at what my, and I am sure others requirements are to Blog and post.

1.  Write the Blog of course - All the Apps do this, write it in whatever you want 
2.  Add pictures
3.  Resize pictures so you get a consistant size in your posts
4.  Add links
5.  Text formatting
6.  Some sort of upload to a picture repository like Flickr or Picasa
7.  Post to Facebook
8.  Post to one or more Twitter feeds
9.  Post to LinkedIn
10.  Post to website
11.  Post to Google+

Simple right?  Apparently not...  Up until the last month when I updated my iPad to IOS 5.1, BlogPress did it all, well most of the above anyway.  By far BlogPress is the best Blogging App available, but alas, since it is dead I cannot use it anymore...  So how was it done before BlogPress ?

Via the Browser and the middle of the road iPad blogging Apps I guess.  The only App that works now is Blogsy.  Blogger+ was updated in the last couple days, but it is so limited you might as well use the Browser to create your Blog entry.
So what is the process to Blog and publish manually ?

Well first you need pictures...  Every Blog post needs a picture to help grab the eye and attention of the reader.  On the iPad you just search Google Images and take a snapshot (press both buttons) to add the screen to your Saved Photos Library.  Next, you use a killer app called 'PhotoPad' to crop and resize your photo and then save it.  I use a 100 pixel width for my blog pics and I do not size them in PhotoPad, I do it in the Blogging App, BlogPress or Blogsy.

Second, you need to upload the pictures to your Cloud based repository like Flickr and/or Picasa.  Now this is where BlogPress shines... It does it as a part of posting your blog.  Blogsy does not and you have to upload them before writing your blog entry.  For uploading cropped and rotated pictures to Picasa and Flickr I use Web Albums for Picasa and FlickStackr for Flickr.  Both of these Apps manage your Cloud Photos really nicely for viewing or uploading.  Once you do this you can delete the pics from your Saved Photos library and keep your iPad memory freed up.

Third, you need to save your URL's and links that you will reference in a Blog entry so you can just cut and paste them into your Blog Post.  All I do when I read something worth saving on the InterWebbings or in RSS is send them to one of my email addresses with a subject.  Now when I want to Blog I have the link to copy and paste.. easy.  The email also acts as a ToDo list for Blogging.

Forth, write your Blog Entry.  I am currently using Blogsy and it is the 2nd best App for Blogging since it does NOT post to facebook and Twitter like BlogPress used to do or does Blogsy upload pics to Picasa like BlogPress did as part of posting.  Hurry up #BlogPress and update your App for IOS 5... PLEEEEAAASSEE !!!!  Blogsy does have some nice formatting tools to color your text and format it.  I am not a fan of Drag and Drop pictures from your Picasa or Flickr accounts as I can't get them quite where I want them and often it kills links I have at the end, an odd bug...  But it is what this entry was made with.
Fifth, it is time to post....  I publish the blog entry and while I am there I select and copy the title for posting to the other sites...

Sixth, Send to the other sites...  I use Seesmic on the iPad which has a profile for my Ping.FM account that allows me to post to my website, Facebook, Twitter and LinkedIn with one post...  I paste the title that I copied in Step 5 and then I open Safari, go to my Blog and copy the URL to the specific post, and paste it into the URL shortener Ow.ly (OW.LY website) and then paste it into Seesmic for the Ping.FM profile to send out since you are still limited have the 140 character limit Twitter imposes you want to use short URL's.  Before I hit send, I Select All and copy it for Step 7.

Seventh, Post on Google+...  I open the Google+ App on my iPad (iPhone App really 2x) and paste the entry from Step 6 and send...

Now I have made my Blog entry....

Simple huh?

Come on BlogPress....   Update your App.  I would only need to post to LinkedIn and Google+ when I use BlogPress and skip the Sessmic step since Google has yet to allow API posting to Google+ via apps like Ping.FM.

Tips and Tricks?  Send me an email... you know how...

Friday, December 9, 2011

(R) BrowserID option over OpenID, OAuth and others

The folks over at Mozilla are pushing for this to be the next Internet Authentication Standard.  BrowserID uses your validated email address and password to authenticate you to websites like the Facebook icon does when you select it 'Login with your Facebook ID' does or any OpenID or OAuth login does, but easier.

Take a look... it makes total sense to me.


Test drive the authentication process using an appropriate for engineers to create...  My Favorite Beer..

(W) Warning !!! If you have seen one of these.. Cancel your Credit/Debit Cards

Especially my friends in Southern California..  This was found in my old stomping grounds.  ATM Skimmers WILL drain your bank account, so beware when you use any outdoor ATM Credit Card device!!!

Need cash?  Go into a supermarket, WalMart, Target etc., buy a pack of gum and get cash back!!

(I) How to validate shortened or any URL's are safe

If you see these shortened URL's from Bit.ly or O.wl and you want to know if they are safe, then use these 3 websites to do just that.  would also work for any length URL...FYI

Securi SiteCheck allows you to enter a URL, like the one in this article and it will crawl the website to look for any known Malware and provide you a nice report.

Google SafeBrowsing allows you to modify the end of the URL below and replace it with a URL you want to check and Google will lookup if the URL is or ever has been bad.

And F-Secure Safe Links for web sites allows you to add a plug-in to a website, it is what I use on HackerHurricane.com to validate all the URL's that I use in my Blogging.




If you are browsing using FireFox or Chrome, add the plug-in/extension called 'Web of Trust' (WOT).  This little add on will show you a Re, Yellow, Green or Grey circle next to each link/URL showing you it is safe (green), warning (yellow), unsafe (red) and unknown (grey).  Treat all unknowns/grey as RED since mentions in Twitter often have new URL's that have yet to make it to the unsafe database.


Thursday, December 8, 2011

Monday, December 5, 2011

(W) Yahoo Mail users - DON'T CLICK ON THAT !!!


Here we go again with Phishing attempts to gain your username and password...

NEVER, EVER, EVER provide your username and password or any other personal information to validate an account or login.  The website or company will NEVER do this, so don't fall for something so obvious...

And yahoo can't block this ???  Can you say "FAIL!!!"

#InfoSec  #Yahoo  #Phishing




Friday, December 2, 2011

(I) VanishCrypt..Fails practical use

If you are looking for a solution to encrypt USB Devices, this new solution fails practical use.  Practical use is where a newb or greenhorn can install a tool and use it.  There is no installer, you have to run a tool to add some needed Windozs components and register an .OCX file, so only for the geeks at heart.

TruCrypt still reigns king in the encrypted USB drive space.

http://code.google.com/p/vanishcrypt/


Thursday, December 1, 2011

(R) Research on HP Printers

We have all recently read the articles on the HP printer vulnerability, but after a friend said "this seems to be a pretty targeted attack scenario..." I replied back saying.. "Not really, I discovered years ago with JetDirect printers that you can harvest data" and as another friend pointed out today even Nessus can lock up the JetDirect Print Server and interrupt print jobs..

Using the oldest trick in the book... Cough...cough.. Telnet port 80....

You can obtain data from HP printers easier than easy..

HTTP/1.1 400 Bad Request

Connection: close

Server: HP HTTP Server; HP Officejet Pro 8600 - CM750A; Serial Number: CN19T1K0W

V05KD; Coulomb_pp Built:Wed Sep 07, 2011 11:21:09PM {CLP1CN1136AR, ASIC id 0x00320104}


Yup... Now if you read this from a simple telnet query, you can grep what you're looking for and know exactly what firmware sploit to throw at an HP printer..


Not targeted, just plain stooped to serve up so much info...


HP... Epic FAIL !!!!



Taking a Blogging break.. Not by choice.. By IOS 5 upgrade

IOS 5 has broken all my iPad Blogging Apps, so until they work again I am on a 'Blogging Break'.. Or is is 'Break Blog'?

I could use a browser... but seriously, why should I have to?

#BlogPress #Blogsy #Blogger+

Tuesday, November 22, 2011

(I) LastPass users MUST take this challenge, how strong are your passwords?




If you are a LastPass user, then the LastPass Security Challenge is a must do. You can email your results to your colleagues and have a contest of who can get the highest score. It shows you how many duplicate passwords you have in your vault along with The strength of each and links to change them.

LastPass Security Challenge

#InfoSec #LastPass

Monday, November 21, 2011

(I) LastPass adds Google Authenticator option for your phone

LastPass has added the option to use your Smartphone as your second factor authentication token. Very nice option for those of us that have iDevices, Android or BlackBerry... For those that use some other cell phone... You can use YubiKey or a USB thumb drive and the Sesame option.

Wednesday, November 9, 2011

(I) LastPass adds Google Authenticator so your phone adds 2 factor Auth

If you are a LastPass user or thinking of sing LastPass as your password manager, which I highly recommend... They have added the option of using your smartphone with the Google Authenticator app as your 2nd Factor 'something I have' authentication. Now your password vault can only be opened if you have your phone and enter the Google Auth code from the App... Very kewl LastPass!!

Friday, October 7, 2011

Two Greats in InfoSec and technology passed this week




Dr. Eugene Schultz, a famed Information Security expert passed away suddenly this week. For those that met Gene or had a chance to hear him speak, you are one of the lucky ones. I had the opportunity to talk with him on many occasions. Dr. Schultz will be missed and there is no doubt many people got into Information Security because of what he shared over the years.

Rest securely Gene!!!



Steve Jobs, a genius and technology revolutionary also passed away this week. Steve helped create the Apple or Windows debates and that has led to an improvement to security as well. I used to say, "Just look at all the applications you see in Computer City, Incredible Universe and CompUSA". Windows was clearly the winner... Not so fast... The App store through Steve's genius clearly now shows Apple has won the most available apps game, and yes Apple systems are far less exploited than Windows systems and thus more secure.. Yup I said it.. Apple shtuff is more secure.

Rest well Steve, you changed the world!!!

#InfoSec

Tuesday, September 27, 2011

(W) So you think you are clever and anonymous when using anon proxies and VPN?




Are you one those people that hide your Internet activity by using anonymous proxies or an anonymous hidden secret VPN solution?

Think you are truly secure and obscure? Think again..

A web proxy service has come under fire after a federal indictment revealed that the company cooperated with U.S. authorities in their investigation into the hacking of SonyPictures.com.

HideMyAss.com, a VPN service that encrypts one's traffic to enable users to surf the web anonymously, was ordered by a U.K. judge, at the request of FBI agents, to release log information about an Arizona man who was arrested Thursday for his role in the Sony intrusion.

SC Magazine article

#InfoSec

Monday, September 26, 2011

(I) Card Key system updated by the vendor - research to continue




We received updated hardware and software from the vendor we are working with from the original vulnerability/exploit and setup this Testing configuration in order to test and verify any improvements the vendor integrated into the new hardware and software.

It is a simple emulation of a Card Key reader that triggers a buzzer when the user is authorized to enter. The buzzer is clearly smaller than an actual door lock..

It works like a charm, the Cards were added, given permission and tested to open the door, aka sound the buzzer for 5 seconds to emulate the door unlock period.

Stay tuned as we continue our testing on the update or attend one of the two InfoSec conferences where we will be presenting.

HouSecCon 2011 - Houston Nov 3rd

Security BSides DFW 2011 - Dallas Nov 5th

#InfoSec #keycard #cardkey

Wednesday, September 21, 2011

(W)(I) Do you store email on your Cloud email provider servers?




If you are like most of us today, we all use and rely on Internet email and especially those that are browser based like Gmail, HotMail, Yahoo mail and others.

Do you also store information you would consider 'confidential' like Health, Financial and photos of yourself?

Recently Kunis Scarlett Johansson, Christina Aguilera, Lady Gaga, Miley Cyrus and High School Musical's Vanessa Hudgens have all had pictures stolen from their emails and smart phones because they stored these pics in the cloud and probably had easy, discoverable or guessable passwords.

If you do store confidential data in the cloud, you should seriously consider long and complex passwords and a password manager like LastPass to remember the passwords and URL's and make it easy to keep track of all those websites we have to login to these days.



#InfoSec #LastPass

(W)(I) Your GM OnStar enabled car will rat you out starting Dec 2011




Yup.. GM cars with OnStar will start in Dec 2011 sending critical data to GM whether you want to or not... So if you are going too fast, get in a fender bender, don't use your seatbelt or various other items, GM will provide this info to Insurance companies, law enforcement when asked and send you service notices, without you 'Opting in' to the program...

So now your GM car is a 'Dirty Rat'..

PacketStorm article on GM.. You Dirty Rat..

#InfoSec #OnStar

Thursday, September 15, 2011

(I) BackTrack 5 Wireless book now available




Vivek Ramachandran has written a beginners book for BackTrack 5 WiFi Tools that is a must read for new or seasoned InfoSec Pros that want to learn about this Live CD Tool that should be in every InfoSec and Forensic Toolkit.

Hacker News article



#InfoSec #BackTrack

Friday, August 26, 2011

(W)(I) Care to know how many malware samples go to an AV vendor per day??




Anti-Virus vendor Sophos just released their "Mid-year 2011 Security Threat Report" and stated the following...

"Since the start of 2011, we've seen 150,000 malware samples ever day. That's a unique file almost every 1/2 second, and a 60% increase as compared to malware analyzed in 2010. We've also seen 19,000 new malicious URL's each day in the first half of this year. And, 80% of those URL's are legitimate websites that were hacked or compromised".

If this doesn't surprise and spook you into improving YOUR Internet surfing and use behavior, like I promote with 'Don,t Click on That', then you WILL be one the statistics above.

Safe Surfing... Errrrr Good Luck on the InterWebbings !!!!



Sophos Mid-year 2011 Report

#InfoSec

Monday, August 22, 2011

(I) Facebook publishes a Security Guide - a MUST read




This is a MUST read for all Facebook users young and old! This 14 page guide will explain many of the ills of being a Facebook user and some things you can do to protect yourself.

And be sure to add "Web of Trust" (WOT) to your browser to show you safe and bad links within FB messages... Don,t Click on anything that is NOT green!!!!

A Guide to Facebook Security (PDF)

#InfoSec #Facebook

Thursday, August 11, 2011

(I) FireCAT - Security Audit extensions for your browsers




Here Kitty Kitty...This is swEEEt! Ever want a list of all the security related extensions for FireFox and Chrome?

Well FireCAT is it! Download the local HTML files and have a nice browsable index of security audits browser plug-ins and add-ons.

FireCAT website

#InfoSec #FireCAT

Tuesday, July 26, 2011

(T) Ethical Hacker Video Training - FREE




Want to learn some Ethical Hacker skills? Thanks to the folks over at Logical Security you can. View over 25 hours of videos on CEH training - FREE!!!!!

LogicalSecurity CEH Training videos

#InfoSec #LogicalSecurity #CEH

Monday, July 25, 2011

(I) check out a collection of info on recent Hacks.. CNET Hacker Chart







Very kewl... CNET has compiled info on recent hacks... It shows when the hack occurred, the type of hack, who got hacked and by whom, lost IP and other info and links... Very handy.

CNET Hacker chart - Google Doc

#InfoSec #CNet #Hacks

(I) Want to see how websites track you graphically?




Ever wonder what websites track about you and how they are related? Now you can with these two Firefox add-ons.


Ghostery website


Collusion Toolness website

Thanks Steve Gibson for these!

#InfoSec #Ghostery #Collusion #SGgrc

Thursday, July 21, 2011

(I) Microsoft Forefront Event Log ID's







If you are a Microsoft ForeFront user and want to know an undocumented Event Log item, here you go...

You can setup email alerts and get flooded with un-actionable information, or tweak the settings to reduce the noise, which you should by the way.

But what about those of us that use SEIM or logging solutions? You can find some event ID's in TechNet, but here are two that you really need that are events you should take action on...

3007 - Forefront Endpoint Protection Alert: Malware Outbreak
3009 - Forefront Endpoint Protection Alert: Repeated Malware Detection
3010 - Forefront Endpoint Protection Alert: Multiple Malware Detection

Ignore EventID '3006 - Malware Detected' as it is just noise and not actionable as the AV client acted upon it, the three above are what's actionable.

Look for these two events from the source Fepsrv or use Wevtutil.exe to query your servers event logs for these two events.

Wevtutil qe "Forefront Endpoint Protection" /q:"*[System[(EventID=3009 or EventID=3010)]]" /r:system_name /f:text

Or look for events in the last 24 hours:

Wevtutil qe "Forefront Endpoint Protection" /q:"*[System[TimeCreated[timediff(@SystemTime) <= 86400000]]]" /r:system_name /f:text

43200000 - 12 hours
86400000 - 24 hours
129600000 - 36 hours
172800000 - 48 hours
604800000 - 7 days
2592000000 - 30 days

You can pipe it to a file ">file_name_AV.log" if you want to as well.

If you see them, take action, these are bad offenders getting repeated malware of the same kind or received multiple malware at once, either way these systems need some attention. Are they Administrators? I recommend a re-image, if not then maybe a deep scan. Create a process flow that your admins can follow when alerts occur and consider having the Forefront alerts send an email to your Help Desk solution to automatically open tickets for these items, ignore the 'a user has Malware' alerts and set 'Malware Detection Alerts' to 'Medium' to reduce some noise.

Logs have good data you can act upon if you look, find what you want and parse it out so what you see is actionable... Not hard if you do a little prep.

#InfoSec #ForeFront #eventlogs #Wevtutil



Wednesday, July 20, 2011

(I) Want to force all Internet sites to use HTTPS?







If you want to make sure your web surfing always uses and forces websites to use HTTPS (encrypted connections) to prevent ne'er-do-wellers from sniffing your surfing, logins and other info you might enter while using the InterWebbings.. Then use FireFox and add EFF's add-on 'HTTPS Everywhere' and poof! If a site has HTTPS, this little add-on will force it to use HTTPS... Handy, oh yeah.. Donate them some $$$$, they fight for our Internet rights!!!

EFF website download

#InfoSec #EFF

(W) If you see this message while Googling.. Your screwed !!!




If you see this message while searching for something on The Google.. You're screwed and your computer needs to have Windows re-installed.

Google now looks for certain types of behavior from clients that indicate a system is infected with Malware, if you are,The Google will popup the above message and tell you. Only in your browser, so if you see an email with this message.. WARNING WILL ROBINSON.. It's malware via email trying to get you to click on that.. And we all hopefully know.. 'Dont Click on That!'

If you do see this message, then your system needs a rebuild! Plain and simple, don't pass go and try to 'clean' your computer, the fact you are infected and see this message means your system is not security worthy and other problems most likely exist.

So what do you do? Read my article "Top 10 Tips - If your Windows PC or an account has been hacked" and rebuild your system with these tips to avoid future issues.

Thanks Google!

Brian Krebs article on the Google warning

#InfoSec #Krebs #Malware #Google

Thursday, July 14, 2011

(I) Microsoft to block common passwords for HotMail users







Hard to believe that Micro$oft of all people is taking the lead in such an obvious area as passwords. With all the password breaches Micro$oft feels it is time to block many of the more stoopid passwords that people use.

List of Top 500 worst passwords

For years we have been Whitelisting (allow) and Blacklisting (block) websites with web proxies in the corporate world, it is obvious to implement a blacklist for known bad passwords as well. Frankly, EVERY Internet facing website should implement this feature to not just protect your users, but improve customer service. How is at you say? Well, if you are suffering from a brute force attack that either creates a DoS situation locking out thousands of your users, because you know they use crappy passwords and locking out their account to keep it from being breached is the best option.. Sucks, but the best option. Unless you want to force two-factor authentication on your users, forcing them to use stronger passwords so you can ignore typical brute force web based attacks is the best low cost solution you can do.

Many web and email proxies and web filtering solutions like OpenDNS and Norton Online Family use blacklist providers to block users from going to well known bad sites and email senders.

This is an easy solution to implement and I would hope Micro$oft would use their reason (too many p0wned accounts.. Aka too many customer support calls and emails) to implement common password blocking into a service that we all can use and access, just like URL Blacklists..

Your ability to create ridiculous and easy passwords is coming to an end... Start considering using solutions like SuperGenPass, LastPass, PasswordSafe, RoboForm and other password managers to avoid this issue in the future.

Come on FaceBook, Twitter, Gawker, Sony... The list is endless.. Get a clue from... I can't believe I am going to say this... Microsoft and implement common stoopid password blocking!!!

Article on MS HotMail common password blocking

#InfoSec #HackerHurricane