Sunday, February 6, 2011
Thursday, January 20, 2011
Effective security incident handling : A quick guide
In today's broad, collaborative corporate networks, an incident may be classified as an action on an IT system which involves activities such as theft of intellectual property, cyber harassment, unlawful access, modification to code with intent to harm, and so on. However, every company has its own definition of an incident. Listed below are a few procedures to follow during security incident handling.
Detection of incidents: While going about security incident handling, the primary step is incident detection. Detection of incidents depends on the controls that your company has put in place. A detection system is usually a combination of technology (an intrusion detection system (IDS) or intrusion prevention system (IPS), together with security information and event management (SIEM)) and human reporting (help desk, end users, and system administrators). However, few corporate entities have adequate detection systems in place. At the end of the day, it does not matter how you detect the incident. What is important is to record certain details such as:
- Time and date
- Who (or what) reported the incident
- Nature of the incident
- When the incident occurred
- Hardware or software involved
- Points of contact for involved personnel
Initial response: The next step in security incident handling is initial response. Typically, initial response involves not touching the affected system(s). Data is collected by reviewing network-based as well as other evidence. This phase involves:
- Interviewing system administrators who might have insights into the technical details of an incident
- Interviewing business unit personnel who might have insights into business events that may provide a context for the incident
- Reviewing intrusion detection reports and network-based logs to identify data that support the occurrence of an incident
- Reviewing network topology and access control lists to determine if any avenues of further attack can be ruled out
Devising a response strategy: The response to an incident depends on its severity. While going about security incident handling, one will also need answers to the following questions:
- How critical are the affected systems?
- Is it affecting business as usual (BaU)?
- Is there a possibility that intellectual property has been compromised?
- Is there an insider threat?
- What is the revenue loss?
- How much downtime is needed to investigate and mitigate the incident?
Incidents vary widely, from virus outbreaks to theft of customers' credit card information. For example, a typical virus outbreak generally results in downtime and lost productivity, while the theft of customers' credit card information could put a fledgling dot-com operation out of business. The response strategy for each event will accordingly differ.
Evaluating the responses and taking action: Once an incident has been identified and the initial investigation conducted, the next step to follow during security incident handling is evaluating the options. It is essential to evaluate the response options, but time is also of the essence.
Additionally, during security incident handling, the response team needs to weigh all the pros and cons before implementing any strategy. For example, some amount of downtime is needed to fix a defaced website. This downtime may be extended while the system is being imaged for forensic investigation. If it is an external attack, you might have to involve law enforcement agencies, while unauthorized access may simply involve rewriting the access control list.
Hence the response strategy options for security incident handling should be quantified in terms of the following:
- Estimated dollar loss
- Network downtime and its impact on operations
- User downtime and its impact on operations
- Whether or not your organization is legally compelled to take certain actions (is your industry regulated?)
- Public disclosure of the incident and its impact on the organization's reputation and business
- Theft of intellectual property and its potential economic impact
Post-incident analysis: Finally, as a conclusion to the process of security incident handling, the entire response cycle should be well documented and analyzed after resolution. Policies and technologies should be changed (if needed) as an outcome of the analysis.
Download your personal data from Facebook
Facebook has a new tool that lets you download a copy of your information, including your photos and videos, posts on your wall, all of your messages, your friend list and other content you have shared on your profile. Within this zip file, you will have access to your data in a simple, browsable manner (it may not be complete in some cases).
Downloading a copy of your information may come in handy if it only exists on Facebook. For example, you may have lost your mobile phone, which contained many photos you took using that phone. If you had uploaded those photos to Facebook, then downloading your information lets you get copies of them back on to your computer.
Wednesday, January 19, 2011
How to Tell if a File is Malicious
If you’ve just downloaded a file to your computer how do you know if it’s safe to run it? These days many malicious files are specifically designed to seem safe in order to trick you into running them. As soon as you do they go about their nefarious purpose and may infect your computer, steal your credit card information and passwords, or other tasks which I can promise you won’t enjoy. So how can you tell the difference between these files and the legitimate ones? This may seem like a very difficult task, but surprisingly it’s not too much work. Below are three methods which you can use to check a file. Most will take only minutes of your time and they won’t slow down your computer at all.
The first thing you should do when checking to see if a file is dangerous is to find out if any antiviruses (AV’s) detect it as dangerous. The best way to do this is to upload the file to a site where it will be scanned by multiple AV’s. One of the best sites for this is VirusTotal. This site will scan your file with over 40 scanners and show the results separately for each one. This entire process should take less than a minute. You can upload files that are up to 20 MB in size. Interpreting these results can be tricky, but if a significant number of scanners show a warning then the file is likely to be dangerous. Below are two examples of results for files that are indeed malicious.
The downside to using VirusTotal is that malware is being created so quickly that, in order to try and keep up with it, the antivirus companies are forced to use heuristic detections and generic signatures to catch it. The problem with these is that they may incorrectly identify a legitimate file as malicious. This is known as a false positive. If one or two AV’s detect a file with heuristics and the other AV’s do not, then it is likely a false positive. If your AV is the one that detects it then you should report it as a false positive to your AV vendor. Most AV vendors have a procedure for doing this which will be explained either on their website or in the user guide (help) which comes with the program. If you don’t want to search for this, a comprehensive list of where to report false positives and suspicious files is given on this page along with other useful information. Below are two examples of legitimate files that are being incorrectly identified as dangerous by VirusTotal.
There are a few cases in which multiple AV's may detect a legitimate file as dangerous. One of the most common is that the file may perform an action that is routinely seen in malicious files, but in this case is being used for a legitimate purpose. This would likely cause it to be detected with heuristics. Another possibility is that it could be detected with generic signatures. These search for pieces of code that are very similar to those found in known malware. The problem is that sometimes small pieces of legitimate code can resemble that found in malware. In this way a legitimate file can be marked as malware. Yet another possibility is that AV companies tend to share detection signatures. Thus if one AV vendor finds a file to be dangerous another may quickly follow.
In addition to checking whether any AV’s currently detect the file it’s also a good idea to check if the behavior of the file seems malicious. There are many websites that will analyze the behavior of a file and give you their opinion about whether it might be malicious or not. Two of the easiest to use and understand are Comodo Instant Malware Analysis (CIMA) and ThreatExpert. The latter is maintained and operated by PCTools.
CIMA will display the results immediately after its analysis. This could take anywhere from one to five minutes. This time depends greatly on how long it takes the file itself to run. Also, there is no limit to the size of the file that can be uploaded. The results of the analysis are given near the end of its report and will give you its opinion of the file. If it says that the “Auto Analysis Verdict” is “undetected” then it did not find any suspicious activity in the behavior of the file. The verdict can also be Suspicious, Suspicious+, and Suspicious++. These indicate that it found suspicious behavior in the file with Suspicious++ being the most suspicious. It also lists the reasons it found it to be suspicious directly below the verdict. Below are examples of one file that is undetected and one that was found to be Suspicious++.
ThreatExpert will send you the results via email. This should usually take less than ten minutes from the time you uploaded it. The maximum file size that you can upload is 5MB. If it finds the behavior of the file to be malicious it will have a box called “Summary of the findings” near the top of the report. Inside of here it will list the behaviors that were found to be suspicious and how severe it thinks they are. Below are examples for two malicious files.
The response time for both of these services may vary greatly depending on the complexity of the file and the server load. You can also scroll through the detailed behavioral information in the report to learn even more about the file. Advanced users should also check out Anubis. This provides much more information about the behavior of the file, but may be difficult to interpret for some users. It generally takes a few minutes to analyze, but may take much longer depending on the server load. Anubis also provides a verdict of whether the file is suspicious or not, but I find it to be less reliable than that of CIMA or ThreatExpert. Remember that these services are not 100% accurate. Legitimate files can be flagged as suspicious and dangerous malware may not be caught. In fact some malware is even able to tell whether it's running in a virtual environment and will not run there. Just bear this in mind when viewing the results.
One almost certain way to check if a file is malicious is to submit it to an AV vendor for analysis. The drawback is that it takes time before you get their response and doesn’t instantly provide the information necessary to make a quick decision. Some vendors will send an email with the results of the analysis. A few of the most notable are Avira AntiVir, Kaspersky, and McAfee. With these vendors you will usually receive a response within a few hours.
It’s generally a good idea to rely on multiple methods in order to determine whether a file is malicious or not. If a file is found to be suspicious by any of these methods it’s a good idea to report it to your own AV as suspicious. This way if the file is dangerous it will be detected and you will be protected from it in the future.
There is currently no 100% certain method for knowing whether a file is malicious or not, but by following the methods discussed on this page you should have enough information to make a very informed decision.
Credit to Chiros @ TSAlert for this kick ass article!
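As an added illustration of the triage logic the article above describes (example code written for this page, not code from the original article or from VirusTotal, CIMA or ThreatExpert), the following Python combines multi-engine detection results with a behavioural verdict into one assessment; every engine name, detection label and sample file here is constructed.

```python
"""Triage helper in the spirit of the multi-engine scan and behavioural
analysis workflow described above.  Example code written for this page,
not a client for any of the services named; engine names, detection
labels and the sample files are all constructed."""
import hashlib
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple

# Substrings that commonly mark heuristic or generic signatures rather than
# a specific, named family.  Constructed list for this example.
HEURISTIC_HINTS = re.compile(r"heur|gen[:.]|generic|suspicious|packed|unsafe", re.I)

# Behavioural verdict scale modelled on the CIMA verdict names quoted above.
BEHAVIOUR_SCORE = {"undetected": 0, "Suspicious": 1, "Suspicious+": 2, "Suspicious++": 3}


@dataclass
class ScanSummary:
    sha256: str                      # identify the sample by hash, not by file name
    engines: int                     # how many scanners looked at the file
    specific: List[str] = field(default_factory=list)   # named-family hits
    heuristic: List[str] = field(default_factory=list)  # heuristic/generic hits
    behaviour: int = 0               # BEHAVIOUR_SCORE of the sandbox verdict
    verdict: str = "unknown"

    @property
    def detections(self) -> int:
        return len(self.specific) + len(self.heuristic)


def classify_hits(results: Dict[str, Optional[str]]) -> Tuple[List[str], List[str]]:
    """Split per-engine results (engine -> label, or None when clean) into
    specific and heuristic detections, as the false-positive discussion suggests."""
    specific, heuristic = [], []
    for engine, label in results.items():
        if label:
            (heuristic if HEURISTIC_HINTS.search(label) else specific).append(engine)
    return specific, heuristic


def triage(data: bytes, results: Dict[str, Optional[str]],
           behaviour_verdict: str = "undetected") -> ScanSummary:
    """Combine multi-engine detections with a behavioural verdict.

    Rules of thumb taken from the text: a significant share of engines
    detecting the file means likely malicious; one or two heuristic-only
    hits with everything else clean is a likely false positive; anything
    in between is worth submitting to a vendor for human analysis."""
    specific, heuristic = classify_hits(results)
    s = ScanSummary(
        sha256=hashlib.sha256(data).hexdigest(),
        engines=len(results),
        specific=specific,
        heuristic=heuristic,
        behaviour=BEHAVIOUR_SCORE.get(behaviour_verdict, 0),
    )
    ratio = s.detections / s.engines if s.engines else 0.0
    if s.detections == 0 and s.behaviour == 0:
        s.verdict = "no indicators"
    elif ratio >= 0.25 or (s.specific and s.behaviour >= 2):
        s.verdict = "likely malicious"
    elif s.detections <= 2 and not s.specific and s.behaviour == 0:
        s.verdict = "likely false positive"   # report it to the vendor that flagged it
    else:
        s.verdict = "suspicious: submit to a vendor for analysis"
    return s


# Constructed samples: 40 engines each, mirroring the "over 40 scanners" figure.
FALSE_POSITIVE_SAMPLE = {f"engine{i:02d}": None for i in range(40)}
FALSE_POSITIVE_SAMPLE.update({"engine03": "Heur.Packed.Unknown",
                              "engine17": "Gen:Variant.Suspect"})
MALICIOUS_SAMPLE = {f"engine{i:02d}": ("Trojan.Example.A" if i < 28 else None)
                    for i in range(40)}

if __name__ == "__main__":
    for name, sample, verdict in (("setup.exe", FALSE_POSITIVE_SAMPLE, "undetected"),
                                  ("invoice.exe", MALICIOUS_SAMPLE, "Suspicious++")):
        s = triage(b"constructed file contents for " + name.encode(), sample, verdict)
        print(f"{name}: {s.detections}/{s.engines} engines, "
              f"behaviour={s.behaviour} -> {s.verdict}")
```

The thresholds are illustrative; tune them to the scanner set you actually use, and treat the output as a prompt for the vendor submission step the article recommends rather than a final answer.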
Tuesday, January 18, 2011
Must have security addons for your Firefox
One of the reasons I like Firefox is the addons. They give me the ability to customize my online experience. But another reason is the security. Addons allow me to extend the security of the browsing experience. Here are some of the extensions I personally use and recommend:
NoScript
Winner of the "2006 PC World World Class Award", this tool provides extra protection to your Firefox.
It allows JavaScript, Java and other executable content to run only from trusted domains of your choice, e.g. your home-banking web site, guarding your "trust boundaries" against cross-site scripting attacks (XSS), cross-zone DNS rebinding / CSRF attacks (router hacking), and Clickjacking attempts, thanks to its unique ClearClick technology. It also implements the DoNotTrack tracking opt-out proposal by default, see http://snipurl.com/nsdntrack .
Such a preemptive approach prevents exploitation of security vulnerabilities (known and even unknown!) with no loss of functionality...
Experts do agree: Firefox is really safer with NoScript ;-)
Web of Trust - WOT, the safe browsing tool
Web of Trust is the leading website reputation rating tool and one of Mozilla’s most popular add-ons. Our safe surfing tool uses an intuitive traffic-light style rating system to help you see which websites are trusted when you search, surf and shop online.
WOT ratings are powered by a global community of millions of trustworthy users who have rated millions of websites based on their experiences. The WOT add-on provides reputation ratings to search results when you use Google, Yahoo!, Bing, Wikipedia and other popular sites, helping you protect your computer and personal information. Your online email account – Google Mail, Yahoo! Mail and Hotmail is also protected.
Join the WOT community and help us boost trust on the Web. WOT is recommended by the New York Times, CNET, PC World, Kim Komando, Tech Republic, PC Welt and many other respected authorities.
FoxyProxy
FoxyProxy is a Firefox extension which automatically switches an internet connection across one or more proxy servers based on URL patterns. Put simply, FoxyProxy automates the manual process of editing Firefox's Connection Settings dialog. Proxy server switching occurs based on the loading URL and the switching rules you define.
Animated icons show you when a proxy is in use. Advanced logging shows you which proxies were used and when. QuickAdd makes it a snap to create new URL patterns on-the-fly. FoxyProxy is fully compatible with Portable Firefox, has better support for PAC files than Firefox itself, and is translated into more than 25 languages.
Better Privacy
Better Privacy serves to protect against non-deletable long-term cookies, a new generation of 'super-cookie' which has silently conquered the internet. This new cookie generation offers unlimited user tracking to industry and market research. Where privacy is concerned, Flash and DOM Storage objects are the most critical.
This addon was made to make users aware of those hidden, never-expiring objects and to offer an easy way to get rid of them, since browsers are unable to do that for you.
Protecting your privacy - How to deactivate geolocation tracking in Firefox and Opera browsers
Google location services are used to determine your whereabouts using your computer’s IP address, nearby wireless access points and a random client identifier given to you by Google, which is meant to expire in two weeks.
The first time you go to a website that requests geolocation information, the Google Location Services terms and conditions are presented and you will need to agree to them, which can easily be done inadvertently or without understanding what that means. After that, every time a website requests geolocation information your internet browser tells you and gives you a choice: to send your location data, or not to send it.
Both browsers, Opera and Firefox, come with location-aware browsing enabled by default. I don’t know about Internet Explorer because I care about internet privacy and do not use that piece of crap.
How to disable location-aware browsing in Firefox and Opera browsers
To disable location-aware browsing in Firefox, type about:config in the address bar and change the geo.enabled value to false by double-clicking on the key.
To disable geolocation tracking in Opera go to Settings > Preferences > Advanced > Network, and uncheck Enable geolocation.
Test your geolocation browser awareness at: http://3liz.org/geolocation/
Learn more about geolocation tracking in Firefox and Opera
Mozilla location aware browsing FAQ: http://www.mozilla.com/en-US/firefox/geolocation/
Opera browser geolocation help page: http://help.opera.com/Windows/10.60/en/geolocation.html
Monday, January 17, 2011
Revisiting the Black Sunday Hack
One of the original smart cards, entitled 'H' cards for Hughes, had design flaws which were discovered by the hacking community. These flaws enabled the extremely bright hacking community to reverse engineer their design, and to create smart card writers. The writers enabled the hackers to read and write to the smart card, and allowed them to change their subscription model to receive all the channels. Since the technology of satellite television is broadcast only, meaning you cannot send information TO the satellite, the system requires a phone line to communicate with DirecTV. The hackers could re-write their smart cards and receive all the channels, and unplug their phone lines, leaving no way for DirecTV to track the abuse.
DirecTV had built a mechanism into their system that allowed the updating of these smart cards through the satellite stream. Every receiver was designed to 'apply' these updates to the cards when it received them. DirecTV applied updates that looked for hacked cards, and then attempted to destroy the cards by writing updates that disabled them. The hacking community replied with yet another piece of hardware, an 'unlooper,' that repaired the damage. The hacker community then designed software that trojanized the card, and removed the capability of the receivers to update the card. DirecTV could only send updates to the cards, and then require the updates be present in order to receive video. Each month or so, DirecTV would send an update. 10 or 15 minutes later, the hacking community would update the software to work around the latest fixes. This was the status quo for almost two years. 'H' cards regularly sold on eBay for over $400.00. It was apparent that DirecTV had lost this battle, relegating DirecTV to hunting down Web sites that discussed their product and using their legal team to sue and intimidate them into submission.
Four months ago, however, DirecTV began sending several updates at a time, breaking their pattern.
While the hacking community was able to bypass these batches, they did not understand the reasoning behind them. Never before had DirecTV sent 4 and 5 updates at a time, let alone sent these batches every week. Many postulated they were simply trying to annoy the community into submission. The updates contained useless pieces of computer code that were then required to be present on the card in order to receive the transmission. The hacking community accommodated this in their software, applying these updates in their hacking software. Not until the final batch of updates was sent through the stream did the hacking community understand what DirecTV was doing. Like the final piece of a puzzle that completes the entire picture, the final updates made all the useless bits of computer code join into a dynamic program, existing on the card itself. This dynamic program changed the entire way the older technology worked. In a masterful, planned, and orchestrated manner, DirecTV had updated the old and ailing technology. The hacking community responded, but cautiously, understanding that this new ability for DirecTV to apply more advanced logic in the receiver was a dangerous new weapon. It was still possible to bypass the protections and receive the programming, but DirecTV had not pulled the trigger of this new weapon.
Last Sunday night, at 8:30 pm EST, DirecTV fired their new gun. One week before the Super Bowl, DirecTV launched a series of attacks against the hackers of their product. DirecTV sent programmatic code in the stream, using their new dynamic code ally, that hunted down hacked smart cards and destroyed them. The IRC DirecTV channels overflowed with thousands of people who had lost the ability to watch their stolen TV. The hacking community by and large lost not only their ability to watch TV, but the cards themselves were likely permanently destroyed. Some estimate that in one evening, 100,000 smart cards were destroyed, removing 98% of the hacking community's ability to steal their signal. To add a little pizzazz to the operation, DirecTV personally "signed" the anti-hacker attack. The first 8 computer bytes of all hacked cards were rewritten to read "GAME OVER".
The Hacker Manifesto (1986)
Another one got caught today, it’s all over the papers. “Teenager Arrested in Computer Crime Scandal”, “Hacker Arrested after Bank Tampering”...
Damn kids. They’re all alike.
But did you, in your three-piece psychology and 1950’s technobrain, ever take a look behind the eyes of the hacker? Did you ever wonder what made him tick, what forces shaped him, what may have molded him?
I am a hacker, enter my world...
Mine is a world that begins with school... I’m smarter than most of the other kids, this crap they teach us bores me...
Damn underachiever. They’re all alike.
I’m in junior high or high school. I’ve listened to teachers explain for the fifteenth time how to reduce a fraction. I understand it. “No, Ms. Smith, I didn’t show my work. I did it in my head...”
Damn kid. Probably copied it. They’re all alike.
I made a discovery today. I found a computer. Wait a second, this is cool. It does what I want it to. If it makes a mistake, it’s because I screwed it up. Not because it doesn’t like me...
Or feels threatened by me...
Or thinks I’m a smart ass...
Or doesn’t like teaching and shouldn’t be here...
Damn kid. All he does is play games. They’re all alike.
And then it happened... a door opened to a world... rushing through the phone line like heroin through an addict’s veins, an electronic pulse is sent out, a refuge from the day-to-day incompetencies is sought... a board is found.
“This is it... this is where I belong...”
I know everyone here... even if I’ve never met them, never talked to them, may never hear from them again... I know you all...
Damn kid. Tying up the phone line again. They’re all alike...
You bet your ass we’re all alike... we’ve been spoon-fed baby food at school when we hungered for steak... the bits of meat that you did let slip through were pre-chewed and tasteless. We’ve been dominated by sadists, or ignored by the apathetic. The few that had something to teach found us willing pupils, but those few are like drops of water in the desert.
This is our world now... the world of the electron and the switch, the beauty of the baud. We make use of a service already existing without paying for what could be dirt-cheap if it wasn’t run by profiteering gluttons, and you call us criminals. We explore... and you call us criminals. We seek after knowledge... and you call us criminals. We exist without skin color, without nationality, without religious bias... and you call us criminals. You build atomic bombs, you wage wars, you murder, cheat, and lie to us and try to make us believe it’s for our own good, yet we’re the criminals.
Yes, I am a criminal. My crime is that of curiosity. My crime is that of judging people by what they say and think, not what they look like. My crime is that of outsmarting you, something that you will never forgive me for.
I am a hacker, and this is my manifesto. You may stop this individual, but you can’t stop us all... after all, we’re all alike.
Friday, January 14, 2011
Understanding MD5
http://nsfsecurity.pr.erau.edu/crypto/md5.html
A Basic Guide to SQL Injection attacks
Social Engineering: Basic Concepts
Before I get into the World of Social Engineering, please keep in mind that this guide was made for, but not limited to, beginners. So with that in mind, let's get this show on the road! So what exactly is social engineering? I'm sure this question has been asked a million times; you're probably even asking yourself this now! To cut around the BS and throw away the leftovers, social engineering is the act of manipulating people into revealing information, or tricking the slave into performing actions that are beneficial to the user. That's it! To put it in simpler terms: ever tricked someone into doing something dumb, told a lie to get someone to tell you something, or even got your friend to lie for you to get "something" out of it? That's social engineering, my friends! It's that simple, and anyone can do it, even the weird kid in your class that's deaf that tries to talk, but can't, but still tries anyway! Although social engineering is relatively easy to do, and can be used anywhere at any time, the world of it is complex; there is no "one way" of doing things. Your options are endless, so make use of it!
Anonymous wrote: A True Story
One morning a few years back, a group of strangers walked into a large shipping firm and walked out with access to the firm's entire corporate network. How did they do it? By obtaining small amounts of access, bit by bit, from a number of different employees in that firm. First, they did research about the company for two days before even attempting to set foot on the premises. For example, they learned key employees' names by calling HR. Next, they pretended to lose their key to the front door, and a man let them in. Then they "lost" their identity badges when entering the third floor secured area, smiled, and a friendly employee opened the door for them.
The strangers knew the CFO was out of town, so they were able to enter his office and obtain financial data off his unlocked computer. They dug through the corporate trash, finding all kinds of useful documents. They asked a janitor for a garbage pail in which to place their contents and carried all of this data out of the building in their hands. The strangers had studied the CFO's voice, so they were able to phone, pretending to be the CFO, in a rush, desperately in need of his network password. From there, they used regular technical hacking tools to gain super-user access into the system.
In this case, the strangers were network consultants performing a security audit for the CFO without any other employees' knowledge. They were never given any privileged information from the CFO but were able to obtain all the access they wanted through social engineering.
Anonymous wrote: Retail Paging Systems
Wal-Mart store phones have clearly marked buttons for the paging system. Wal-Mart is the exception, not the rule. So how do you get on the paging system to have a little fun when you're bored out of your mind shopping with your girlfriend? Social engineering, my whipped friend. Find a phone and dial an extension, preferably the store op. The key here is to become a harried employee, saying something similar to..."This is Bill in shoes. What's the paging extension?" More often than not, you'll get the extension without another word. Now, get some by saying something sweet over the intercom.
Anonymous wrote: Hotels
Hotels hold such promise. Some hotels have voice mail for each room, guests receiving a PIN when they check in. Hotels also have "guest" phones; phones outside of rooms that connect only to rooms or the front desk. Pick up a guest phone, make like a friendly guest and say, "I forgot my PIN. Could I get it again? Room XXX." Knowing the registered name of the target room helps, for the Hotel and Restaurant Management Degree Program graduate may ask for it.
Proper Engineering is Social Engineering
Courtesy of Wikipedia
Some Methods of Social Engineering:
* Phishing - is a technique often used to obtain private information. Typically, the phisher sends an e-mail that appears to come from a legitimate business requesting "verification" of information and warning of some consequence if it is not provided. The e-mail usually contains a link to a web page that seems legit and has a form requesting everything from a home address to an ATM card's PIN.
* IVR or phone phishing - also known as "vishing"; this technique uses an Interactive Voice Response (IVR) system to recreate a legit sounding copy of a bank or other institution's IVR system. The slave is prompted to call in to the "bank" via a phone number provided in order to "verify" information.
* Baiting - Baiting is like the real-world Trojan Horse that uses physical media and relies on the curiosity or greed of the slave. In this attack, the attacker leaves a malware infected floppy disc, CD ROM, or USB flash drive in a location sure to be found, gives it a legitimate looking and curiosity-piquing label, and simply waits for the slave to use the device.
* Quid pro quo - An attacker calls random numbers at a company claiming to be calling back from technical support. Eventually they will hit someone with a legitimate problem, grateful that someone is calling back to help them. The attacker will "help" solve the problem and in the process have the user type commands that give the attacker access or launch malware.
Courtesy of Wikipedia
So, to sum up what you've learned so far: an introduction to social engineering (SE) and some examples on the very subject itself. On to the question that people really want answered: what can I GAIN from using social engineering? Anything! Like I said before, and I'm not afraid to say it again, your options are endless when using social engineering! It all depends on your goal; how you approach it is the defining factor of your outcome. Now with that said, don't go off thinking that you can take over the World in a matter of a few days; that's not going to happen. But what you can do is practice using social engineering, little by little, step by step; learn how to build your ground and the environment around it. So yes, think outside the box and learn to open new doors! Keep in mind that connections and relationships are everything in being a social engineer; without them, what can you build from nothing? Nothing! That's where social engineering comes into play: learn to make new friends, take the time to ask questions, and most importantly, learn your target! Like someone once said, "My greatest enemy is also my best friend." You can achieve anything with the right mindset!
So are you a social engineer? YES! You're a social engineer even without knowing it! Believe it or not, more than 50% of people living on this Earth subconsciously don't know what they're capable of! That's a scary thought; that's a lot of potential lost! But with the right direction and approach to your goal, anything is possible! Anything. Don't let discouragement or the wrong mindset narrow your options. The decision is yours to let it happen or not!
You must feel good up to this point! I mean, not only did you catch a glimpse of the World of Social Engineering, but you can take this bit of info with you and apply it to whatever you are trying to achieve. One of the best features of social engineering is that it can't be confined to one subject, so it can basically be used on virtually anything! I personally recommend using social engineering to create a positive effect, rather than a negative one. Remember, don't get ahead of yourself and overdo it, or else you'll end up in these happy hands.
Credits: Ul2Ban
Welcome to the underbelly of security
This blog is to disseminate information about information security through means of tutorials and articles.
Slight disclaimer: The information in this blog is for educational purposes only.
Cheers
