Archive for July 2004
Google Hacks
News.com has an article based on a presentation at Black Hat Vegas about Google hacking. Google can be used to identify vulnerable servers, find exposed password files and anything else you might be looking for. Thanks to the Google cache, you might have access to things that are no longer even on the site.
Security Focus ran an article on this back in April that is a bit more technical than the News.com article.
GoogleDorks is my favorite site for this sort of thing. It is a collection of searches that people more imaginative than me have used to find vulnerable servers.
Google is the hacker's first step in network reconnaissance. Be aware of what you are making available.
Symantec Platinum
Symantec Platinum support is an outrageous expense. On a recent renewal we found that the software cost $20k and platinum support was around $12k. What do you get for this 50% premium?
- Tech support agents who actually know something about the product and have reasonable access to engineers to actually get problems solved.
- Reduced wait times on hold.
- The ability to access the current build of the product.
- 24/7 support instead of 12/5
- A special knowledge base.
- Customized Email, pager, and telephone alerts for virus notification.
- The brochure says something about special Akamai live update servers. I wasn’t aware that was only for platinum people.
- Online Support Ticketing
It seems to me that just purchasing the product should entitle you to the best parts of that. Why have a special knowledge base for those with deep pockets? The knowledge base for platinum customers is better than the knowledge base available to the gold tech support (either that or the gold tech support doesn’t know how to use a knowledge base search).
Purchasing the product should entitle you to the latest bug fixes. They shouldn’t be held aside. If it’s in public release it should be available to gold customers as well as platinum.
Non-Gold customers shouldn’t have to wait on hold for 60 minutes on a routine basis.
I set up SPF
I set up SPF (aka Sender Policy Framework, aka Sender Permitted From) on my vanity domain name yesterday.
SPF is a method of publishing a list of servers used to send mail from my domain. If any message arrives from another source it should be treated with extreme suspicion or discarded. It is yet another tool used to authenticate a sending domain. The hope is that this will slow down the amount of spoofed email.
Mi2G does it again
Back in the beginning of July there was a funny parody of a mi2g vulnerability announcement posted to Full Disclosure regarding an information disclosure and possible race condition in the Wendy’s drive-through menu order system. http://seclists.org/lists/fulldisclosure/2004/Jul/0311.html If you haven’t seen it, it’s worth a small chuckle.
Mi2g is best known for issuing bogus press releases regarding the worldwide cost of each virus and other inane methods of self-promotion. Threatening to sue those who mock them is their other pastime.
Mi2g’s oh so serious rebuttal to the diabolical fake Wendy’s order system security bulletin was posted July 20th. http://www.mi2g.com/cgi/mi2g/press/200704.php It’s a real scream!
What do your Office documents say about you?
Microsoft has released an update to the security tool to remove excess information from Office documents. Information on that is available here.
Office document information leakage can be embarrassing. Information that was part of a collaborative document development effort not meant for public consumption can be leaked if efforts are not taken to remove it. To be on the safe side, save to RTF or PDF when posting documents to a customer. Within a company Word is quite necessary, but I’d recommend using this tool on anything of great importance. It would be very bad to give an electronic copy of a performance review to an employee and have it contain a prior revision with a snide comment between reviewers.
I read your email
Interesting article over at ZDNet. According to Forrester Consulting, 44% of companies with 20,000 or more employees have someone paid to monitor email. There are concerns of disclosure of proprietary information, compliance with Sarbanes-Oxley, and worries of a hostile workplace lawsuit.
I’d love to see the actual report rather than this sanitized ZDNet version. Would they say any company that blocks spam and reviews the quarantine for false positives also counts as having an employee who reads the mail?
I suppose this ZDNet article is supposed to spark moral outrage. Companies walk a fine line when it comes to being seen as big brother. But each of the concerns listed in this article is legitimate. Some are required by legislation. This all gets back to company policy. Be up front with what monitoring is occurring and why. The policy must be clear and enforced. It can’t be a document that is stuck in a drawer.
USB Flash Drives: Useful Tool or Security Threat
I wrote the following for a company newsletter. Based on a recent discussion over at MyItForum.com I thought I’d go into the archives, sanitize references to my company and go with a retro article today.
Imagine the ability to carry up to 1 GB of data with you from home to work in a device that is no bigger than a highlighter. USB Flash drives are pocket sized portable storage devices that can be accessed via any PC with a USB port. They offer more storage than a floppy, are more portable than ZIP drives, and are easier to use than CD-RW disks.
With the ease of use and compatibility found in these drives it is easy to imagine that employees will purchase and use these devices. With that in mind, consider the following points to ensure a safe computing environment on your company network.
1. Watch out for viruses!
When you transfer files between one location and your company, make certain to scan the files with an up-to-date virus scanner. (This is also true when transferring files using floppy disks, CD-Rs and ZIP/Jaz drives.)
2. Protect your data
Most USB flash cards do not contain any protection if your flash card is stolen or lost. More expensive models can be protected by a PIN or even a thumbprint. If you have a model without any data protection, don’t store any information on there you can’t afford to lose. Client data, social security numbers, and credit card numbers should never be stored on these devices.
3. Include return information
Include a text file on the flash drive with your contact information so it can be returned if it is misplaced.
USB Flash drives are very convenient. When using the latest tech gadgets, it is important to be aware of security concerns. By doing these simple steps you can safeguard your own data and that of your company.
http://labmice.techtarget.com/articles/usbflashdrives.htm
The word gullible isn’t in the dictionary
I was on a break between Masters programs and needed some structured education to make me open a book. I decided to take a class that the community college was offering in Computer Security. As part of the class we were required to give a 10 minute presentation on something related to the class.
One of my classmates got up and talked about information warfare. As an example he cited the Gulf War printer virus! For those of you who don’t know, in 1992 US News and World Report ran a story reporting that just before the first Gulf War, the NSA intercepted printers bound for Iraq. They are supposed to have replaced the chips inside the printer with chips containing a virus. To this day, some Generals credit the Gulf War virus with knocking out Iraqi RADAR installations.
Unfortunately the Gulf War virus story was originally written as an APRIL FOOLS gag in 1992.
http://www.vmyths.com/hoax.cfm?id=123&page=3
http://www.soci.niu.edu/~crypt/other/wsj.htm
I considered making my talk about refuting the Gulf War Printer virus hoax, but discretion being the better part of valor (whatever that means) I chose not to directly refute this student. Rather I gave a talk about virus hoaxes.
I talked about how to identify virus hoaxes and ridiculed people’s credulity regarding outlandish claims that show up in the email inbox. It was a thing of beauty. A great didactic moment. At the end there was time for questions, and the Gulf War printer guy asks if it’s true that viruses are propagated by antivirus companies to spur business. I guess some people never learn.
“The Network is the Security”
Interesting article by Jon Oltsik over at News.com. It’s titled The Network is the Security. He asks: Why is network security based on scores of individual boxes with limited integration? Why is network security an overlay on the network rather than the network itself?
He argues that when a computer is turned on the network should know who they are and what they have access to. And if people are doing something they shouldn’t then security staff is alerted.
The network should perform firewall, IDS, IPS, AV and content filtering. It should create a model of “normal” traffic as a baseline for anomaly detection.
Jon then goes on to review the leading vendors.

