
Total: 241

  • Information Security Short Takes: 5 Ways to fail a Social Engineering Pen-Test
    5 Ways to fail a Social Engineering Pen Test. A lot of penetration testing assignments include the famed Social Engineering test. When reading about it, or looking at the social engineering scams on a TV series, it looks very straightforward: you come in all nice and smooth-talking, and every door opens for you. The harsh reality is that a lot of social engineering penetration tests fail, which adds up to increased costs and a failed engagement for the consultant. In the extreme situation you may spend some hours in the offices of corporate security, or even the police, until the pen test authorizations are verified. Here are the most common ways to fail a Social Engineering Penetration Test. Come unprepared: just walking into a company and asking for confidential documents sounds stupid, but trying to perform a social engineering attack on your first visit is even more stupid. Until you do a proper amount of recon and research, you have no idea what the company relationships are, who is in charge of what, and what exceptions or processes may be used to succeed in a social engineering attack. Just Wing It: wake-up call, you are not Frank Abagnale from Catch Me if You Can, and you are not Danny Blue from the TV series Hustle. During a social engineering attack you need to think on your feet, and being creative always counts. But not preparing a background story supported by a nice set of evidence

    Original URL path: http://www.shortinfosec.net/2009/12/5-ways-to-fail-social-engineering-pen.html (2016-04-27)

  • Information Security Short Takes: Microsoft Patch Disclosure - November 2010

    Original URL path: http://www.shortinfosec.net/2010/11/microsoft-patch-disclosure-november.html (2016-04-27)

  • Information Security Short Takes: Preventing XSS with Content Security Policy
    Preventing XSS with Content Security Policy. An individual XSS can be easily remediated with contextual output encoding, per the OWASP XSS Prevention Cheat Sheet. Although an individual XSS can easily be addressed, the overall cat-and-mouse game of effectively ridding an application of XSS can be very difficult. To combat this problem, a new security feature, Content Security Policy, has been introduced into the Mozilla Firefox browser. Content Security Policy (CSP) is an opt-in, white-list approach for defining which external script sources are allowed to execute JavaScript or other content-loading code (e.g. iframes) within the page. By eliminating inline scripts and defining a white list of allowed external scripts, it is possible to strictly control what JavaScript is executed within the page. In the event that a user injected script into the page via an improperly encoded piece of user-controlled data, Content Security Policy would identify that the JavaScript is not part of the white-listed data, and the browser will disregard this unauthorized script. Here's a basic overview of the CSP process: externalize all JavaScript within the pages (e.g. no inline script tag, no inline JavaScript for onclick or other event handlers); define the policy for your site and whitelist the allowed domains where the externalized JavaScript is located; add the X-Content-Security-Policy response header to instruct the browser that CSP is in use. Violation Reporting: the violation reporting component is another huge benefit of

    Original URL path: http://www.shortinfosec.net/2010/11/preventing-xss-with-content-security.html (2016-04-27)

  • Information Security Short Takes: Critical Zero Day Exploit in Adobe Acrobat and Flash
    Critical Zero Day Exploit in Adobe Acrobat and Flash. Adobe has released a Critical Advisory on Flash Player and Adobe Acrobat. Here is an extract from the Adobe Advisory: "A critical vulnerability exists in Adobe Flash Player 10.1.85.3 and earlier versions for Windows, Macintosh, Linux and Solaris operating systems; Adobe Flash Player 10.1.95.2 and earlier versions for Android; and the authplay.dll component that ships with Adobe Reader 9.4 and earlier 9.x versions for Windows, Macintosh and UNIX operating systems, and Adobe Acrobat 9.4 and earlier 9.x versions for Windows and Macintosh operating systems. This vulnerability (CVE-2010-3654) could cause a crash and potentially allow an attacker to take control of the affected system. There are reports that this vulnerability is being actively exploited in the wild against Adobe Reader and Acrobat 9.x. Adobe is not currently aware of attacks targeting Adobe Flash Player." The really scary thing is that this vulnerability is already exploited in the wild. Adobe plans to release updates for the affected systems in the next

    Original URL path: http://www.shortinfosec.net/2010/10/critical-zero-day-exploit-in-adobe.html (2016-04-27)

  • Information Security Short Takes: Top 5 Ridiculous Hacking Scenes in Movies
    Top 5 Ridiculous Hacking Scenes in Movies. Like any technology-fed phenomenon with increasing public exposure, hacking is often ill-conceived and exaggerated in movie scenes. The following are five of the most implausible and amusing scenes that have resulted from this approach to hacker depiction in movies. Mission Impossible: Ving Rhames plays expert computer hacker Luther Stickell in the Mission Impossible movies. One of the most ridiculous scenes in this series comes in the first film, where Ethan Hunt (Tom Cruise) hangs upside down from the ceiling and hacks into the CIA's system by executing Luther's directions, given to him via earpiece. It's also just a little too simple when Luther hacks into the CIA Headquarters' computer-controlled electrical system to trigger the fire alarm on a specific floor. As it turns out, all you have to do is type "ACTIVATE ALARM" and you can manipulate the CIA's emergency alert system according to your every whim. Oh, and you can do all of this while sitting in a fire truck outside the building. WarGames: what we can learn from this movie is that all backdoor passwords can be easily guessed if there's an immediate family member who's tragically died. Stephen Falken, an artificial intelligence researcher, has created a backdoor with password "Joshua", the name of Falken's dead son, which is hacked by a high school student and used to infiltrate the system of War Operation Plan Response (WOPR). And the rest is history: you never know whether you're playing a game or destroying a country. Jurassic Park: Lex is just proof that any middle school girl should know Unix. And that it's not operated by command line, but by graphics. Sure. We can make these well-informed assumptions by watching the Jurassic Park scene in which a velociraptor tries to get into the building and eat everyone, but Lex decides that she can hack the security system and lock the doors. This is irrelevant, since velociraptors can break glass, but let's just go with it. Lex takes one look at a graphical interface and announces, "Hey, it's a Unix system! I know this!" She runs a program called 3D File System Navigator and saves the day, at least for the next few seconds. Independence Day: obviously there's more dubious material in this movie than the hacking scene. But it's still pretty laughable. Even if you accept the premise that aliens have power source technology that's been impossible for humans to replicate, the hacker is

    Original URL path: http://www.shortinfosec.net/2010/10/top-5-ridiculous-hacking-scenes-in.html (2016-04-27)

  • Information Security Short Takes: Contingency Planning Conference 2010
    Contingency Planning Conference 2010. For anyone near New York City, you can check out the Planning Management Conference (CPM 2010 East) on November 3-4

    Original URL path: http://www.shortinfosec.net/2010/10/contingency-planning-conference-2010.html (2016-04-27)

  • Information Security Short Takes: Hacking, Security, and Privacy Concerns on Facebook
    Hacking, Security, and Privacy Concerns on Facebook. It's not hacking if users' privacy settings are searchable, right? It depends on who you ask. Current Facebook privacy settings come with a recommendation that urges users to leave their pages searchable to everyone. The logic behind this is as follows: if you're visible to fewer people, it may prevent you from connecting with your real-world friends. But staying searchable has led to the harvesting and publication of information that includes names and profile URLs for over 100 million Facebook users. Skull Security and Information Distribution: Ron Bowes of Skull Security did some simple reconnaissance on Facebook for some hard data to use in his research on how people choose passwords. Ron is working to figure out how many usernames are based on people's given names (jsmith is a popular choice). By proving that usernames and passwords can be easily extracted from basic information, Ron hopes to teach people how to make their accounts more secure. In the Facebook incident he collected only names (which could be actual names or usernames) and URLs of all searchable profiles, about 1/5 of Facebook users, then posted the information as a 3GB file that could be downloaded by anyone with Internet access. Facebook spokesman Andrew Noyes has said that this information could be collected from any phone book, but the URLs collected couldn't be extracted from the White Pages. Finding these URLs could be a frustrating trial-and-error process based only on names from a phone book, but thanks to Ron they're now accessible to anyone who'd like a neatly packaged list of searchable Facebook users. The Problem with Being Searchable: contrary to Facebook's recommendations, users might consider changing their privacy settings to unsearchable. Here's the minimum amount of information that can be gathered from a profile: name, profile picture, gender and networks. Facebook reserves the right to keep this information visible on every account, and accessibility can only be limited through the searchable/unsearchable setting. So, with a URL provided by Skull Security, anyone can now view this information unless these accounts' users make them unsearchable. The problem with this is that advertisers are extremely interested in what seems like basic information, because they can make surprising inferences based on the simplest data. The best-case scenario, then, is more targeted advertising. The degree of potential damage depends on searchable accounts' other privacy settings. For example, if you can be searched and you've

    Original URL path: http://www.shortinfosec.net/2010/10/hacking-security-and-privacy-concerns.html (2016-04-27)

  • Information Security Short Takes: Keeping unneeded sensitive data off your computer
    Keeping unneeded sensitive data off your computer. During everyday work our computers collect all kinds of information: e-mail is received, browser history is recorded, files are created. In all this exchange a significant amount of sensitive data can be collected even without intervention of the user (e.g. being CC'd on e-mails). Most of this data is not of much daily use to a user and is in fact a liability. It is a very good practice to check what information the computer has gathered over the course of daily work and clean out the unnecessary sensitive data. The definition: first, let's define sensitive data. The University of California defines sensitive data as "Information for which access or disclosure may be assigned some degree of sensitivity, and therefore for which some degree of protection or access restriction may be warranted. Unauthorized access to or disclosure of information in this category could result in a serious adverse effect, cause financial loss, cause damage to the reputation, or constitute an unwarranted invasion of privacy." The test: everyone's first reaction is "This can't happen to me." It is well known that a lot of computers get sold with huge amounts of sensitive data still on them. So we performed a simple test: we ran the tools on the laptop of a university assistant professor. These are the results: 3 of his credit card numbers were saved in the browser history; 7 e-mails containing lists of students' social security numbers were discovered, in e-mails from Student Services where the user was placed in CC and only briefly read; 4 files with home addresses of project team members and partners were discovered, from a project that ended 2 years ago. Anyone making the check will be very unpleasantly surprised at the amount of sensitive data on their computers. The tools: this definition makes a great point: if you don't work with it, remove it. To ensure that your computer is free of sensitive data you can use several tools to locate possible sensitive data. Bear in mind that no tool can determine conclusively what is or is not sensitive data, but automated tools are great at sifting through gigabytes of information to locate patterns of data that resemble sensitive data. We have compiled a list of 3 tools that can help you in discovering potential sensitive data on your computer. The tools are listed in alphabetical order, and each is presented with its own pros and cons. Identity Finder: a commercial application that can be used to find sensitive data, as well as providing other functions such as protection of identified files. Pro: apart from standard credit card numbers or SSNs, it also searches for the string "password" and thus can find a lot of cleartext stored passwords. It is quite efficient in its search and offers quick solutions like destruction of identified files with sensitive data, or

    Original URL path: http://www.shortinfosec.net/2010/06/keeping-unneeded-sensitive-data-off.html (2016-04-27)