Archive for Security

Generate a Strong Password using the Password Chart

I think I came across one of the best strong password generators on the Internet at Password Chart. Picking a strong password is very important. A strong and secure password should go beyond simple substitutions such as passw0rd, where the o is replaced with a zero (0), or a trailing special character such as password!. However, when you have to pick numbers and special characters for a password of more than 7 characters, such a strong password becomes hard to remember.

To use the password chart, enter any common phrase you know. For example, I used the phrase “the ipod rocks”. From this phrase, the password chart generates a chart for you. If you are online, you can enter a password you wish to convert using this chart; it can be a simple word or words. For example, I used the word “zune” as the password I wished to convert, and I ended up with a strong password of “%^Ed8u63G”. Once you have generated a password chart, you can also print it out and use it to generate other strong passwords without access to the internet.

[Image: strong password generator]


Generate secure Passwords using the Enigma Code Machine

The Enigma was a rotor machine used by the German military during WW II to encrypt messages they sent to each other. It was invented by the German engineer Arthur Scherbius in 1923. The Enigma Code Machine consisted of a plugboard, three rotors and a reflector which redirected the electrical current. Each letter typed on the keyboard was mapped to an encrypted letter by closing an electrical circuit, which was reconfigured after each keystroke.

We need to use secure passwords in our everyday computing. So how about using the Enigma Code Machine to generate secure passwords for us? Dr. Frank Spiess helps us out here with a very good Flash Enigma Code Machine.

A brief example: open the machine window, click on the “Input:” textbox and type “c” on the keyboard. The plugboard leaves C as C while highlighting the specific wire in red. The electrical current then moves to the rightmost rotor, that is, to its letter A. A is then connected to B. The current enters the middle rotor, which connects G with R. The third (leftmost) rotor maps V to I. In the next step, the reflector maps B to R. Then the current travels back along the green wires through the rotors to the plugboard, where Q leads to Q. As a result, we have the encryption of C to Q. If you now enter “c” again, you see that in this case it yields G! This is because the rightmost rotor moves one step to the left before a letter is entered.

So, click here to access the Flash Enigma Code Machine built by Dr. Frank Spiess.

In my example of a secure password, I enter the simple plain text “securityblog”. This plain text is converted to cipher text by the Enigma Code Machine, resulting in a secure password of “BMGNHOIPWRNB”.
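The mechanism described above (plugboard, three rotors stepping like an odometer, a reflector, and the signal travelling back through the rotors) is small enough to simulate. The following is an added example written for this page, not Dr. Spiess's Flash machine or any code from the original post. It assumes the published Enigma I wirings for rotors I, II, III and reflector B, starts all rotors at A with an empty plugboard, and simplifies stepping to a plain carry (the historical double-step is omitted), so its ciphertexts are not expected to match the Flash machine's output; what it does show is the two properties the paragraph explains: the same key pressed twice gives different letters because the rotor moves first, and running the ciphertext through a freshly set machine recovers the plaintext because every path through the reflector is symmetric.

```python
"""Toy three-rotor Enigma (added example; see lead-in for assumptions)."""
from string import ascii_uppercase as ALPHA

# Published Enigma I rotor wirings and turnover notch letters; reflector B.
ROTORS = {
    "I":   ("EKMFLGDQVZNTOWYHXUSPAIBRCJ", "Q"),
    "II":  ("AJDKSIRUXBLHWTMCQGZNPYFVOE", "E"),
    "III": ("BDFHJLCPRTXVZNYEIWGAKMUSQO", "V"),
}
REFLECTOR_B = "YRUHQSLDPXNGOKMIEBFZCWVJAT"


class Rotor:
    def __init__(self, name, position="A"):
        wiring, self.notch = ROTORS[name]
        self.fwd = [ALPHA.index(c) for c in wiring]          # right-to-left pass
        self.bwd = [self.fwd.index(i) for i in range(26)]    # inverse, return pass
        self.pos = ALPHA.index(position)

    def step(self):
        """Advance one place; return True when the notch is passed (carry)."""
        at_notch = ALPHA[self.pos] == self.notch
        self.pos = (self.pos + 1) % 26
        return at_notch

    def forward(self, contact):
        # Rotation offsets which wire the incoming contact meets.
        return (self.fwd[(contact + self.pos) % 26] - self.pos) % 26

    def backward(self, contact):
        return (self.bwd[(contact + self.pos) % 26] - self.pos) % 26


class Enigma:
    def __init__(self, rotors=("I", "II", "III"), positions="AAA", plugboard=""):
        # Rotors are listed left to right as seen on the machine.
        self.rotors = [Rotor(n, p) for n, p in zip(rotors, positions)]
        self.plug = list(range(26))
        for pair in plugboard.split():          # e.g. "AB CD" swaps A<->B, C<->D
            a, b = (ALPHA.index(c) for c in pair.upper())
            self.plug[a], self.plug[b] = b, a
        self.reflector = [ALPHA.index(c) for c in REFLECTOR_B]

    def _advance(self):
        # Rightmost rotor steps before every letter; carry moves leftward.
        for rotor in reversed(self.rotors):
            if not rotor.step():
                break

    def press(self, ch):
        """Encrypt one letter: plugboard, rotors right-to-left, reflector,
        rotors left-to-right, plugboard."""
        self._advance()
        i = self.plug[ALPHA.index(ch.upper())]
        for rotor in reversed(self.rotors):
            i = rotor.forward(i)
        i = self.reflector[i]
        for rotor in self.rotors:
            i = rotor.backward(i)
        return ALPHA[self.plug[i]]

    def run(self, text):
        """Encrypt (or, on a freshly set machine, decrypt) a string of letters."""
        return "".join(self.press(c) for c in text.upper() if c.upper() in ALPHA)


if __name__ == "__main__":
    m = Enigma()
    print("C ->", m.press("C"), "then C ->", m.press("C"))   # two different letters
    ct = Enigma().run("securityblog")
    print("securityblog ->", ct, "->", Enigma().run(ct))
```

Because the reflector never maps a letter to itself, no plaintext letter ever encrypts to itself; that property is exactly what made the historical machine attackable, and it is a reminder that a deterministic transform of a memorable phrase is not a substitute for randomness in a password.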

[Image: generate password using enigma]


Compromised University Server being used to send out Spam

When I investigated further, trying to pinpoint the source of the UK Lottery Scam email, I discovered that a university server had been compromised and in turn was being used to send out spam emails.

Return-Path: <claimsagent_alenfoster207@yahoo.co.uk>
Received: from mail.westmont.edu (mail.westmont.edu [64.136.190.200])
by mx.google.com with ESMTP id b2si6730331rvf.2007.08.10.20.50.01;
Fri, 10 Aug 2007 20:50:32 -0700 (PDT)
Received-SPF: neutral (google.com: 64.136.190.200 is neither permitted nor denied by domain of claimsagent_alenfoster207@yahoo.co.uk) client-ip=64.136.190.200;
Received: from localhost (ns1.westmont.edu [10.50.10.1])
by mail.westmont.edu (Postfix) with ESMTP id 2B654C278C6;
Fri, 10 Aug 2007 20:48:00 -0700 (PDT)
Received: from 81.199.63.50.rmts.satcom-systems.net
(81.199.63.50.rmts.satcom-systems.net [81.199.63.50]) by
webmail.westmont.edu (Horde MIME library) with HTTP; Fri, 10 Aug 2007
20:47:58 -0700
Message-ID: <20070810204758.hhdwcd108c8g00gw@webmail.westmont.edu>
X-Priority: 3 (Normal)
Date: Fri, 10 Aug 2007 20:47:58 -0700
From: UK NATIONAL LOTTERY <claimsagent_alenfoster207@yahoo.co.uk>
Reply-to: claimsagent_alenfoster2000@yahoo.co.uk
To: undisclosed-recipients:;
Subject: YOU WON
User-Agent: Internet Messaging Program (IMP) H3 (4.0.4-RC2)

Observations

1. Google is hosting this university's email.

2. Spammers are sending a UK Lottery Scam email through a university mail server, that of westmont.edu (Westmont College in California, USA).

3. Does this mean we are dealing with a hacked email account of a Westmont student, a hacked email server of Westmont College, or is webmail.westmont.edu an open relay which spammers can use to bounce email off and make it appear as if the email was coming from Westmont College?
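The three observations follow from reading the Received: chain from the bottom up. The block below is an added example, not code from the original post: it parses the headers quoted above with Python's standard library, lists the hops in chronological order, picks out the first hop that came from a publicly routable address, and records the facts that bear on question 3 (the message entered through webmail over HTTP from an outside address, SPF was neutral, and the From domain does not match the server that handed the mail to Google). The header block is copied from the post with RFC 5322 folding whitespace restored on the continuation lines so the parser accepts it; the body is omitted.

```python
"""Trace the Received: chain of the lottery-scam headers (added example)."""
import email
import email.utils
import ipaddress
import re

# Header block from the post, continuation lines re-indented; no body.
RAW_HEADERS = """\
Return-Path: <claimsagent_alenfoster207@yahoo.co.uk>
Received: from mail.westmont.edu (mail.westmont.edu [64.136.190.200])
 by mx.google.com with ESMTP id b2si6730331rvf.2007.08.10.20.50.01;
 Fri, 10 Aug 2007 20:50:32 -0700 (PDT)
Received-SPF: neutral (google.com: 64.136.190.200 is neither permitted nor denied by domain of claimsagent_alenfoster207@yahoo.co.uk) client-ip=64.136.190.200;
Received: from localhost (ns1.westmont.edu [10.50.10.1])
 by mail.westmont.edu (Postfix) with ESMTP id 2B654C278C6;
 Fri, 10 Aug 2007 20:48:00 -0700 (PDT)
Received: from 81.199.63.50.rmts.satcom-systems.net
 (81.199.63.50.rmts.satcom-systems.net [81.199.63.50]) by
 webmail.westmont.edu (Horde MIME library) with HTTP; Fri, 10 Aug 2007
 20:47:58 -0700
Message-ID: <20070810204758.hhdwcd108c8g00gw@webmail.westmont.edu>
X-Priority: 3 (Normal)
Date: Fri, 10 Aug 2007 20:47:58 -0700
From: UK NATIONAL LOTTERY <claimsagent_alenfoster207@yahoo.co.uk>
Reply-to: claimsagent_alenfoster2000@yahoo.co.uk
To: undisclosed-recipients:;
Subject: YOU WON
User-Agent: Internet Messaging Program (IMP) H3 (4.0.4-RC2)
"""

# "from <helo> (<comment>) by <server>" as written by most MTAs.
HOP_RE = re.compile(
    r"from\s+(?P<helo>\S+)(?:\s+\((?P<comment>[^)]*)\))?\s+by\s+(?P<by>\S+)", re.I)
IP_RE = re.compile(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]")   # the address the receiver saw
WITH_RE = re.compile(r"\bwith\s+(\w+)", re.I)          # protocol: ESMTP, HTTP, ...


def parse_received(raw):
    """Return hops oldest-first; each is the receiving server's own record."""
    msg = email.message_from_string(raw)
    hops = []
    for value in msg.get_all("Received", []):
        value = " ".join(value.split())              # unfold continuation lines
        m = HOP_RE.search(value)
        if not m:
            continue
        ip_m = IP_RE.search(m.group("comment") or "")
        with_m = WITH_RE.search(value)
        hops.append({
            "helo": m.group("helo"),
            "ip": ip_m.group(1) if ip_m else None,
            "by": m.group("by"),
            "with": with_m.group(1).upper() if with_m else "",
        })
    hops.reverse()   # headers are prepended, so the last one is the first hop
    return hops


def originating_hop(hops):
    """First hop whose client address is publicly routable (not RFC 1918)."""
    for hop in hops:
        if hop["ip"] and ipaddress.ip_address(hop["ip"]).is_global:
            return hop
    return None


def assess(raw):
    """Summarise what the chain says about how the mail entered the system."""
    msg = email.message_from_string(raw)
    hops = parse_received(raw)
    origin = originating_hop(hops)
    findings = []
    if origin and origin["with"] == "HTTP":
        findings.append(f"submitted through webmail ({origin['by']}) from "
                        f"{origin['ip']}: a compromised webmail login, not an open SMTP relay")
    if msg.get("Received-SPF", "").lower().startswith("neutral"):
        findings.append("SPF neutral: sender domain neither authorises nor forbids the relay")
    from_domain = email.utils.parseaddr(msg.get("From", ""))[1].rsplit("@", 1)[-1]
    if hops and from_domain and not hops[-1]["helo"].endswith(from_domain):
        findings.append(f"From: claims {from_domain} but the last relay was {hops[-1]['helo']}")
    return {"hops": hops, "origin": origin, "findings": findings}


if __name__ == "__main__":
    report = assess(RAW_HEADERS)
    for hop in report["hops"]:
        print(f"{hop['ip']!s:16} -> {hop['by']} via {hop['with']}")
    print(*report["findings"], sep="\n")
```

Only the Received: line added by your own receiving server is trustworthy; everything below it was written by machines you do not control, so the hop list is evidence to be corroborated with the webmail server's own logs, not proof on its own.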

Nearly all of the internet-connected computers that send email are controlled by spammers, according to Return Path, a company that compiles email reputation data.

Of the 20 million IP addresses that send email and are tracked by Return Path, only 0.9 per cent have earned a reputation score that will allow their emails to be delivered to Return Path clients. About 2.5 per cent encounter problems such as spam traps or having garnered too many complaints. But 96.7 per cent score so badly the sending computer is likely to be a hacked PC, the company said.

Spam makes up almost 75 per cent of all messages sent today, according to email security service Postini.

This email needs further investigation. I will follow up on this.

I just received a mail from the Associate Director of IT at Westmont College.


Computer Security Tips and best practices

Protecting yourself is very challenging in the hostile environment of the internet. Imagine a global environment where an unscrupulous person from the other side of the planet can probe your computer for weaknesses, and exploit them to gain access to your most sensitive secrets.

They can even use your computer to store data like stolen credit-card numbers or child pornography, or to attack another innocent home user or business from your system.

Here’s Kevin Mitnick’s Top 10 list of steps you should take to protect your information and your computing resources from the bad boys and girls of cyberspace.

#1. Back up everything! You are not invulnerable. Catastrophic data loss can happen to you — one worm or Trojan is all it takes.

#2. Choose passwords that are reasonably hard to guess — don’t just append a few numbers to a no-brainer. Always change default passwords.

#3. Use an antivirus product like AVG or Norton, and set it to update daily.

#4. Update your OS religiously and be vigilant in applying all security patches released by the software manufacturer.


How to Prevent Employees from writing or copying to a USB Drive

For those of us working in computer security, one of the biggest threats we face today is the insider: an employee who might casually walk in with a 4 GB USB flash drive, plug it into a computer on the corporate network and walk away with valuable data. I have seen solutions ranging from expensive Intrusion Prevention Systems to disabling access to USB drives altogether.

In the first scenario, a company might not have the financial resources for such an expensive IPS solution. The second is impractical to implement in a corporation: think of the external USB keyboards, mice or LCD screens.

Prevent a user from writing to a USB drive

In this scenario, assume a corporation has migrated from Windows XP to Windows Vista. It does not wish to use an expensive solution, but at the same time it wants to prevent users from writing to a USB device.

1. Open Notepad and copy the following:

Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced]
"EncryptionContextMenu"=dword:00000001

2. Save the file as USBNoWrite_Vista.reg


Tips to identify a spam message and protect yourself from Spam

Spam comes in a variety of forms, including fraudulent messages. This mass-messaging is called ‘spoofing’ or ‘password phishing’.

Such fraudulent practices involve messages that appear to be from a legitimate source, or the creation of an official-looking webpage that asks you to provide your username and password or other personal information. Such messages or pages could ask for your Social Security number, bank account number, PIN number, credit card number, mother’s maiden name, or birthday.

Spammers often ask for this information in an attempt to steal your email account, your money, your credit, or your identity.

Many email providers, including Google, Yahoo and MSN, offer services that identify phishing email. In addition, Internet Explorer 7 and Firefox actively monitor the sites you visit and flag them if you visit a suspected phishing site.

Most email clients' phishing alerts operate automatically, much like spam filtering. A spam filter automatically diverts messages suspected of being unwanted into a ‘Spam’ folder. Similarly, phishing alerts automatically display warnings on messages suspected of being phishing attacks, so that users know to take care before providing any personal information, as shown in the image below.

[Image: Gmail flagging an email as a spam message]

You should always be wary of any message that asks for your personal information, or messages that refer you to a webpage asking for personal information.

Here’s what you can do to protect yourself and stop fraudsters:

* Make sure the URL domain on the given page is correct, and click on any images and links to verify that you are directed to proper pages within the site. For example, the URL should be http://yourbankname.com/ or, for even more security, https://yourbankname.com/. Although some links may appear to contain ‘yourbankname.com’, you may be redirected to another site after entering such addresses into your browser.

White House issues a Common Secure Configuration Directive to CIO’s

The White House released (at 9 AM Tuesday, March 20) a directive to all Federal CIOs, requiring that all new IT system acquisitions, beginning June 30, 2007, use a common secure configuration and, even more importantly, requiring information technology providers (integrators and software vendors) to certify that the products they deliver operate effectively using these secure configurations.

This initiative builds on the pioneering “comply or don’t connect” program of the US Air Force; it applies to both XP and Vista, and comes just in time to impact application developers building applications for Windows Vista, but it impacts XP applications as well. No Vista application can be sold to federal agencies unless it runs on the secure version (SSLF) of Vista. XP application vendors will also be required to certify that their applications run on the secure configuration of Windows XP.

The benefits of this move are enormous: common, secure configurations can help slow bot-net spreading, can radically reduce delays in patching, can stop many attacks directly, and organizations that have made the move report that it actually saves money rather than costs money.

The initiative leverages the $65 billion in federal IT spending to make systems safer for every user inside government but will quickly be adopted by organizations outside government. It makes security patching much more effective and IT user support much less expensive. It reflects heroic leadership in starting to fight back against cyber crime. Clay Johnson and Karen Evans in the White House both deserve kudos from everyone who cares about improving cyber security now.

Courtesy [SANS Flash News. SANS hasn't issued a FLASH announcement in more than two years]


How to prevent your website from being flagged as a Phishing Site

There are several things you can do that can help minimize the chance of your site being flagged as suspicious. Think of these as best practices or optimal Web site design ethics.

# 1: Use secure sockets layer (SSL) certification with a current server certificate issued by a trusted certification authority if you ask users for personal information.

# 2: Make sure that your Web page doesn’t expose any cross-site scripting (XSS) vulnerabilities. Protect your site by using anti-cross-site scripting attack tools.

# 3: Use the fully-qualified domain name. All domains should reverse to actual domain names, not numeric IP addresses. This means a URL should look like “microsoft.com” and not “207.46.19.30.”

# 4: Avoid using the @ symbol before the fully-qualified domain name in your URL. The @ symbol enables phishers to concoct deceptive URLs and is therefore immediately suspicious to Phishing Filter.

# 5: Don’t encode or tunnel your URLs unnecessarily. If you don’t know what this means, you probably aren’t doing it.

# 6: If you post external or third-party hosted content, make sure that the content is secure and from a known and trusted source.

# 7: When building the content on your site, don’t use invisible text, JavaScript redirects or doorway pages.
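Items 3, 4 and 5 above, together with the “check the URL domain” advice in the spam-identification post earlier on this page, amount to a handful of syntactic checks on a URL. The following is an added example, not code from either post or from the Microsoft Phishing Filter: it uses Python's standard library to flag a URL that is not HTTPS, carries user information before an @ in the authority, uses a numeric IP address as its host, percent-encodes characters that never need encoding, or whose host is not the expected domain or a subdomain of it. The bank and lookalike hostnames in the demo are constructed (yourbankname.com is the page's own placeholder; example.net is reserved for documentation).

```python
"""Syntactic URL checks drawn from the anti-phishing list above (added example)."""
import ipaddress
import re
from urllib.parse import urlsplit, unquote

# RFC 3986 "unreserved" characters: percent-encoding these is never necessary.
UNRESERVED = set("ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789-._~")
PCT_RE = re.compile(r"%[0-9A-Fa-f]{2}")


def check_url(url, expected_domain=None):
    """Return a list of flag names; an empty list means no heuristic fired."""
    flags = []
    parts = urlsplit(url)
    host = (parts.hostname or "").lower()
    if not host:
        return ["no-host"]

    if parts.scheme.lower() != "https":          # item 1 / "for even more security"
        flags.append("no-https")

    if parts.username is not None:                # item 4: anything before '@'
        flags.append("userinfo")

    try:                                          # item 3: numeric IP as host
        ipaddress.ip_address(host)
        flags.append("numeric-host")
    except ValueError:
        pass

    if expected_domain:                           # "make sure the URL domain is correct"
        exp = expected_domain.lower()
        if not (host == exp or host.endswith("." + exp)):
            flags.append("domain-mismatch")

    # item 5: encoding that only serves to disguise the URL
    if any(unquote(m) in UNRESERVED for m in PCT_RE.findall(url)):
        flags.append("percent-encoding")

    return flags


# Constructed demo inputs: one legitimate URL and several deceptive shapes.
SAMPLES = [
    "https://yourbankname.com/login",
    "http://yourbankname.com@207.46.19.30/",        # user info hides the real host
    "http://yourbankname.com.example.net/",          # expected domain as a subdomain
    "https://yourbankname.com/%6cogin",              # 'l' needlessly encoded
    "http://207.46.19.30/",
]

if __name__ == "__main__":
    for url in SAMPLES:
        print(f"{url:45} {check_url(url, 'yourbankname.com')}")
```

These checks only look at the string; they say nothing about where a link actually resolves, so they complement, rather than replace, the advice to click through and confirm you land on the expected site.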

Related Links:

1. What a PayPal phishing email looks like and How to detect it

2. Unauthorized access to your PayPal account

3. Spammers using TinyURL to flood comments

4. Microsoft Phishing Filter site


Unauthorized Access to your PayPal account: PayPal Phishing email

This email format is one of the most classic PayPal phishing emails with the subject being that there was an unauthorized access to your PayPal account and you are asked to verify your credentials.

The images and everything else are taken directly from the valid PayPal site. To verify, hover your mouse over the PayPal logo. You would see that the header image comes from https://www.paypal.com/us.

[Image: Sample PayPal phishing email]


Dirty Business: What Security and Pen Testers need to know to get the job done

This article is part 3 in the series on Penetration Testing. The first in this series talks about penetration testing as a profession and gives a general introduction. The second introduces you to some critical keywords and security tips you need to be aware of before proceeding through the rest of this series.

When you are performing the role of a security/pen tester, sometimes just having the right tools and skills is not enough. Either they are not enough, or there are easier ways to get management to understand how easy it is for someone to walk in and walk out with the keys to their “fort”.

One of the first things I want to share with you is what the professor of a security class I took as an undergrad at Florida Tech shared with us. He was performing a penetration test at a company and was negotiating the price for which he was willing to pen test the company’s network. Apparently, the company was driving a hard bargain. Finally, it reached an ultimatum, and the company asked something along the lines of “why should we pay you so many X dollars more? Are you that good?” So my professor excused himself from the meeting room on the pretext of using the rest room and walked around the floor on which the meeting was set up. Here is what he found. He found passwords on employees’ monitors, including in front of an employee who had an “Emergency Response Team” sign sitting outside his cube. As he walked past, he saw the project manager’s laptop bag, with disks and flash drives in it, sitting near the receptionist’s or an employee’s desk. He simply informed the lady that he had been told to bring the bag inside, and took out the flash drive. He logged into one of the terminals, grabbed some credentials stored on the flash drive, printed some confidential documents and brought them back to the meeting room, all within a time frame of around 5-10 minutes. No one asked any questions. My professor got the price he asked for and more, and the company had an excellent pen test analysis done.

So what is the moral of this story? No matter how strictly your filters are set or your firewall is configured, you must always guard against the insider attack. You are only as strong as your weakest link. In this business we sometimes need to employ tactics such as social engineering, amongst others, to get our job done. In this article, I will talk about some of these tactics.

1. Using a keylogger: Keystroke logging (often called keylogging) is a diagnostic used in software development that captures the user’s keystrokes. It can be useful for determining sources of error in computer systems and is sometimes used to measure employee productivity on certain clerical tasks. Such systems are also highly useful for law enforcement and espionage—for instance, providing a means to obtain passwords or encryption keys and thus bypassing other security measures. A simple Google search for “download keyloggers” gives you plenty of results. You might want to use a professional keylogger tool such as KeyKatcher or KeyGhost. While you are performing a security test on a system, keyloggers can be a helpful tool. However, please make sure that you have permission from the company to do something like this.

2. The ability to pick locks: Okay, this is one skill I don’t have either, but if you are performing the role of a pen tester, remember that if something is going to be stolen or picked from the company, it had better be you than some attacker. When performing a test, know the kinds of locks the company uses to secure its prime assets, such as server rooms. While most companies these days use card access, you might be in luck if they are using traditional locks. An excellent paper highlighting the need for physical security is the “MIT Guide to Lock Picking” by an author who calls himself Ted the Tool. If you are going in this direction, contact your nearest law enforcement agency, fill out the necessary forms and get certified. The ability to pick the lock of a server room could be a valuable asset while performing a security test at a company. Again, please make sure you have permission from the company to do something like this.

Related Articles:

1. Introduction to Ethical Hacking and Penetration Testing

2. Important Computer Security Definitions and Terminologies
