DNS settings are typically ignored. Management of DNS settings is deferred to the Internet Service Provider (ISP).

Windows Vista IPv4 Configuration tab

Concerns:

1. Malware can replace the DNS settings with its own settings. When this happens, a client who connects to a legitimate web site (such as their bank) tells the malware DNS server who their bank is. The malware DNS server collects information about web sites the client uses. At any time, the malware DNS server can substitute a web address of their own choosing. A prompt for user ID and password would collect responses, returning an dummy “access denied” message. This leaves the bad guy with working credentials.
   Since DNS settings are typically ignored, this payload is typically ignored. Anti-virus software would not detect an “infection” since these are IP addresses, not a file. This is one of the many reasons you should not rely upon “cleaning” a system to make it trustworthy. See Can You Clean a Virus?“
   In a corporate environment, an inventory system which gathers DNS settings (such as Microsoft’s SCCM) can be used to reveal this payload. See Finding the DNS Hijacking Victims.
2. Each DNS implementation has security vulnerabilities. DNS has its own issues; search US-CERT. A DNS service must be managed. In a corporate environment, internal server names should not become known externally, so internal DNS servers are required. As a bonus DNS lookup history is an important intrusion detection mechanism, discovering if malicious sites are being accessed.

At home, you want a vendor who pays careful attention to keeping the DNS service maintained and who you trust. You are not required to use the DNS servers your ISP maintains; there are other options. Configure your clients to use more managed, more secure DNS servers.

If you are using your router to provide IP and DNS addresses, consider providing more secure DNS servers. However, you may wish to revisit how you are managing IP addresses; that would be a subject for a different post.

Your visitors can purchase the Industry awarded Comodo Internet Security Pro for just $49.00 per year!!! ($99.00 value) 25% sale on Comodo Internet Security Pro Earn $12.25 on each sale PLUS, we offer a BONUS of $100 per every 10 sales!!

http://personalfirewall.comodo.com/comodo-security-pro.html

Shared Threat Monitoring Protects Enterprise: ”

By Michael O’Connor, President of IronClad Consulting

Recently, as detailed by Anthony Freed of Information-Security-Resources.com, Larry Clinton of the Internet Security Alliance presented information to Congress regarding security and protecting privacy in cyberspace.

First of all, it is encouraging to hear that these kinds of discussions are being presented in D.C. Thanks to Larry Clinton and his team for representing these very important issues.

I agree with the feel of Larry’s suggestions — that it is not necessarily ‘compliance’ that will resolve our concerns, and that more practical means must be established.

If this is so, I would recommend ongoing monitoring as the key. And if monitoring is the key, how does this affect businesses, individuals, and personal privacy?

And what role does government play, if any? Can we balance good monitoring and security with privacy?

My laptop is monitored constantly by security software. In return for the service, I voluntarily give up some information.

However, this information is about my system and not me personally (other than standard billing info, which is public anyway, minus the credit card data).

Do you think a similar solution could be implemented business-wide, to help monitor and keep businesses free from harmful attacks?

Perhaps ‘compliance’, in such a model, would be gained by agreeing to opt in to the monitoring system.

Going along with one of Larry’s future objectives – information sharing – threats exposed in such a system could become immediately beneficial to other businesses that are hooked in.

Some companies are already attempting this strategy. The general concept is to create a sort of ‘reputation’ around the data elements of the transaction.

The more unique the data elements and the more clients use (and contribute to) the reputation, the more valuable the reputation becomes.

Reputation can be tied to elements such as an IP address (as with MaxMind), a ‘client device ID’ (CDI, as with 41st parameter, Kount, or iovation), a credit card number (as with Visa’s neural network), and so on.

Ostensibly, the most unique and valuable data element would be the client device ID.

It provides a much more concrete identification mechanism than the other, dynamic and changeable elements such as email address, shipping/billing address, name, phone number, etc.

Thus, gathering these – and especially sharing them – would provide an excellent foundation for a monitoring system.

Ideally, both government and private sectors would contribute to the system, which would provide real-time updates and warnings concerning devices that were previously known to be used in fraudulent activities.

But what of privacy concerns?

An intrinsic benefit of CDI is that it does not hold Personally Identifiable Information (PII) within it.

You’re just looking at the device – and ideally the reputation surrounding it – rather than the person or private information behind the device.

The privacy concern becomes moot.

Granted, any client looking at the transaction has private information on their end (a retailer looking at the invoice, for example), and they could easily connect the PII and CDI together for their own purposes, but the PII portion would not be shared within the overarching monitoring system.

Moving full-circle back to the role of government, were they to adopt such a monitoring system and require that businesses take part in it as a requirement for a new kind of security ‘compliance’, we might see a positive shift from the bookshelf-breaking paper-based compliance of the past.

*   *   *

Stay Informed With ISR News Alerts:

Email:

by FeedBurner

*   *   *

Follow us on Twitter

*   *   *

Michael O’Connor has been working in various operational management positions since 1994, and with online payment in particular since 2000. In 2003 he began a focused foray into fraud prevention while leading a team at Overstock.com, where they prevented millions of dollars in potential fraud losses from hitting the company’s bottom line. Michael was also fortunate enough to have served on the advisory board of the Merchant Risk Council and assisting in the training of an FBI CyberCrimes unit. Ironclad’s core objective is to make businesses safer and profitable by providing unbiased consultation in the areas of payment facilitation, compliance, risk assessment, and fraud prevention best practices. The threats are inbound. Are you Ironclad?™

The Publisher gives permission to link, post, distribute, or reference this article for any lawful purpose, provided attribution is made to the author and to Information-Security-Resources.com

“

(Via Information Security Resources.)

Your visitors can purchase the Industry awarded Comodo Internet Security Pro for just $39.00 per year!!! ($99.00 value) 25% sale on Comodo Internet Security Pro Earn $9.75 on each sale PLUS, we offer a BONUS of $100 per every 10 sales!!

http://personalfirewall.comodo.com/comodo-security-pro.html

I had stopped shortly in a blogger/new media training session last Friday, that focused on Eurasian bloggers and new media people. You can check their work here:

Eurasian Stories | Digital Stories from Eurasia

and videos made in the workshop:
http://eurasianstories.blip.tv/

I have met Eric who is in charge of a website called Sesawe. This site offers great tools and recommendations to circumvent web censorship. In their site:

Where sesawe matters:

CHECK OUT MORE AT Sesawe

My brief notes from Eric’s speech:

13 countries seriously censor web.

two basic ways to get around web censorship.
1) browser proxy. ktunnel, vtunnel…. but they might be blocked, too. then new sites. but cannot login to your account…
mobile sites are more accessible but not all capacities can be used…

2) a proxy client. you download and install and use. but only with your own computer. in internet cafes, you may not be allowed and download.

1- Sesawe.net uses web trust. only trusted people share particular DNS…
2- Tor. Chinese expats created some downloadable software. anonymity guaranteed. Ordinary solutions may not guarantee…
2b. “Your freedom” is downloadable.

Security.
Pirated copies are vulnerable. use original software, update your software.
*best way to convince people to buy originals*

anti piracy software is a must.
zero day exploits: before the next update, viruses attack your computer.

use FTP clients to send videos etc  from banning countries to free world (!)

hard drive encryption is a must!
gmail settings should be “sent always in https://

biggest threat that content of your hard drive can be stolen. more than what you actually correspond…

6 major IM among them:
skype and gmail are considered most secure. if you use original version of Skype… Skype in Chinese is not… mobile phone, phone is not secure at all. email partly secure. relatively secure is Skype and Gmail… (But if you save chat history… there might be more problem…) mobile phone cannot be encrypted.

Check also:

FLOSS Manuals

In an attempt to provide free documentation for free software, this wiki lets anyone read, write, remix articles or textbooks on any open source application …

IN OTHER NEWS:

Introducing Google Public DNS

When you type www.wikipedia.org into your browser’s address bar, you expect nothing less than to be taken to Wikipedia. Chances are you’re not giving much thought to the work being done in the background by the Domain Name System, or DNS.

Today, as part of our ongoing effort to make the web faster, we’re launching our own public DNS resolver called Google Public DNS, and we invite you to try it out.

Predictions for DNS 2010

This morning Google announced the laun

Google DNS

Google announced their public DNS server today. I’m using it right now. There’s been a bunch of speculation as to why Google is offering this service for free but the reason is pretty simple: they want to speed up people’s Google search results. In 2006, Google VP Marissa Mayer told the audience at the Web 2.0 conference that slowing a user’s search experience down even a fraction of a second results in fewer searches and less customer satisfaction.

ch of Google DNS. Most of the early posts I read didn’t mention that this is a great way for Google to know EVERYTHING that you do online. Back in 2007, James Thomas attempted to use the Web without ever touching a Google service. He was able to do it for a short bit but eventually gave in. In late 2007, I took a look at just how much Google knew about you. Last year I updated the post to note that Google even knows where I am.

Fashion Houses Making Room for Bloggers

“Fashion brands, increasingly aware of the power of bloggers, are making room for them in their front-row seats to try to grab consumers before they visit their stores,” according to Reuters correspondent Marie-Louise Gumuchian.

Map of Wikipedia article-density by nation:

Here’s a fascinating heat map showing the number of geotagged Wikipedia articles by country. It’s a map of the “known unknowns” — areas where there are likely to be many articles still to write.

Reports and Studies

• The Web’s Most Dangerous Search Terms

• Mapping the Mal Web

France Info interview about LeWeb09

Leading French radio France info interviewed me about this years edition and also captured it in video (in French). Thank you David Abiker and Jerome Colombain for having us on your show. We are thrilled to have France Info as media partner this year.

Iran: Fariba Pajooh, a blogger in prison

Fariba Pajooh, an Iranian blogger and journalist, has been in prison for more than 100 days. According to [fa] Ghomar Asheghaneh, an Iran based blogger, her parents do not know what to do and her father is in a bad physical condition.

Is Iranian Blogger Hossein Derakhshan a Spy?

On December 3, 2009, Newsweek online published what it called a “Web Exclusive” headlined “The Blogfather and the Spy.” Written by Christopher Dickey, Newsweek’s “Paris Bureau Chief and Middle East Regional Editor,” the post is about “Hossein Derakhshan, the liberal former Iranian blogger and progenitor of Iran’s online community.” He “is thought to be aiding the [Iranian] government’s crackdown” on Iranian political reformers,” according to Newsweek.

What do ISPs charge the law to spy on you?

Cryptome is hosting several ISPs’ pricelists and guidelines for “lawful spying” activities on behalf of law enforcement. Included is Yahoo’s price-guide (hilariously, Yahoo tried to send them a copyright takedown notice to make this go away).

Google’s DNS Resolution Service

Google Public DNS “is a free, global Domain Name System (DNS) resolution service, that you can use as an alternative to your current DNS provider,” Google announced, and says that in order to give it a try you need to configure your settings to use the IPs “8.8.8.8 and 8.8.4.4 as your DNS servers”. Supposed improvements are speedier browsing and better security.

Report: Facebook Popularity Not Fading Among Young Users

A new study being released this morning by Anderson Analytics reveals that prior reports suggesting Facebook may be losing it’s coolness factor among college students are inaccurate. Facebook was viewed as “cool” by 82 percent of males and 90 percent of females in the study. While the study does not allude to reasons for the site’s continued popularity, it does suggest that Facebook is becoming a “new mass medium”.

Security Recruiter - Daily Security Breach Report from the Web

Security breach compromises information on 1,400 District 86 grads

A security breach discovered last month at the University of Nebraska involved the names, addresses and Social Security numbers of 1,400 Hinsdale High School District 86 graduates.

The breach involved a computer in the College of Education and Human Sciences at the Lincoln campus. The university’s investigation revealed the computer had not been adequately secured, allowing unauthorized external access to the computer and its information.

Associate Dean Deb Mullen said the information about students who graduated between 2002 and 2005 was used in a study intended to analyze the practices of school districts and what could be done to improve test performance.

“The district was doing it for school improvement,” Mullen said.

The information was provided to the university by the ACT organization, with permission from District 86, according to Mullen. She said it is not uncommon for researchers to obtain student information from school districts. The difference, she said, is that these days the students are identified by randomly assigned student identification numbers.

“Back in those days Social Security numbers were used as ID numbers,” she said.

Letters were sent to all 4,000 students whose information was made accessible through the security breach. Although no one has reported the misuse of information involved in the security breach, Mullen said she has fielded many calls from former students who did not understand how the University of Nebraska had their information. She said many people involved also have accepted the university’s offer to pay for a year of LifeLock identity protection.

Also included among the 4,000 names involved in the security breach were students from Glenbard District 87 and students from schools in South Sioux City, Neb. Mullen said all of the information has been purged from the university’s records.

Representatives from District 86 could not immediately be reached for comment Friday.

Source: http://www.pioneerlocal.com/clarendonhills/news/1921349,hi-d86security-120409-s1.article

Presented by:

Wils Bell – Security Recruiter

SecurityHeadHeadhunter.com

407-365-2404

Bell (at) SecurityHeadhunter.com

Web: SecurityHeadhunter.com

LinkedIn Profile: http://www.linkedin.com/in/wilsbell

“Why work with a generalized recruiter when you could work with a specialized Security Recruiter!!”

Almost nothing gets politicians’ attention more these days than internet security issues and global warming. When thousands of emails from Brittan’s University of East Anglia’s Climate Research Unit wound up on climate-skeptic websites, you can be sure the combination made an impact. While many universities have suffered data breaches by cybercriminals, the fact that this data was released to anti-climate change sites strongly suggests the breach was politically motivated, said Andrew Storms, director of security operations at nCircle Security. “There is no doubt in my mind that the break-in was a targeted attack,” he said in a report by Top Tech News. Even if the university’s investigations find there was a criminal trespass by hackers with a political agenda, the release of the documents have put climate scientists and politicians trying to pass climate-change legislation back on their heels. An aide to Congressman Darrell Issa, a California Republican and the ranking member of the House Committee on Oversight and Government Reform, said congressional investigators are studying the hacked emails, according to a report in the Wall Street Journal. Regardless of the merits of the climate change debate, Storms said, any data breach should put organizations on alert to shore up their defenses – and employees to watch what they say in email.

Last week I shared a weird behavior of FreeBSD on sla.ckers.org about a directory listing with PHP file functions and Apache.

The following 3 PHP codes will output a garbled directory listing of the current directory:

echo file_get_contents("./");
$a=file("./");print_r($a);
readfile("./");

While those file functions should only return content of a valid file, its possible to get a directory listing under FreeBSD. So exploiting a vulnerable script like the following becomes far more easy for an attacker, because he does not have to know the names of the files he can retrieve.

download.php

<?php

$file = $_GET['file'];
echo file_get_contents("/var/www/files/".$file);

?>

#dirlist to see folders and files
download.php?file=../

#file disclosure of the found file “index.php”
download.php?file=../index.php

The directory listing only works for files in the webroot.

This behavior has been tested with the following configurations while PHP is running as root:
FreeBSD 6.4 + PHP 4.4.9 (thanks to beched)
FreeBSD 7.0 + PHP 5.2.5 + Suhosin-Patch 0.9.6.2
FreeBSD 7.0 + PHP 5.2.6 + Suhosin-Patch 0.9.6.2
FreeBSD 7.2 + PHP 5.2.10

I guess it has something to do with the weird BSD file system, but I dont know yet. At least this does not work on any other platforms like ubuntu or windows (I havent checked OpenBSD yet). If someone knows more about this strange dirlist please leave a comment =)

update:
scipio wrote a script that will format the dirlist a bit more readable.

Yesterday Paic posted a new comment about another idea for retrieving column names under MySQL. He found a clever way to get column names through MySQL error messages based on a trick I posted on my first article about MySQL table and column names. Here I used the modular operation ‘1′%’0′ in an injection after a WHERE clause, to provoke a MySQL error containing the column name used in the WHERE clause. But for now I couldnt expand this to other columns not used in the WHERE clause. Paic found a cool way with “row subqueries”. He explains the scenario pretty well, so I will just quote his comment:

I’ve recently found an interesting way of retrieving more column’s name when information_schema table is not accessible. It assume you’ve already found some table’s name.
It is using the 1%0 trick and MySQL subqueries.

I was playing around with sql subqueries when I’ve found something very interesting: “Row Subqueries”

You’d better read this in order to understand what’s next:

http://dev.mysql.com/doc/refman/5.0/en/row-subqueries.html

The hint is “The row constructor and the row returned by the subquery must contain the same number of values.”

Ok, imagine you have the table USER_TABLE. You don’t have any other informations than the table’s name.
The sql query is expecting only one row as result.

Here is our input:
‘ AND (SELECT * FROM USER_TABLE) = (1)– -

MySQL answer:
“Operand should contain 7 column(s)”

MySQL told us that the table USER_TABLE has 7 columns! That’s great!

Now we can use the UNION and 1%0 to retrieve some column’s name:

The following query shouldn’t give you any error:
‘ AND (1,2,3,4,5,6,7) = (SELECT * FROM USER_TABLE UNION SELECT 1,2,3,4,5,6,7 LIMIT 1)– -

Now let’s try with the first colum, simply add %0 to the first column in the UNION:
‘ AND (1,2,3,4,5,6,7) = (SELECT * FROM USER_TABLE UNION SELECT 1%0,2,3,4,5,6,7 LIMIT 1)– -

MySQL answer:
“Column ‘usr_u_id’ cannot be null”

We’ve got the first column name: “usr_u_id”

Then we proceed with the other columns…

Example with the 4th column:
‘ AND (1,2,3,4,5,6,7) = (SELECT * FROM USER_TABLE UNION SELECT 1,2,3,4%0,5,6,7 LIMIT 1)– -

if MySQL doesn’t reply with an error message, this is just because the column can be empty and you won’t be able to get it’s name!

So remember: this does only work if the column types have the parameter “NOT NULL” and if you know the table name. Additionally, this behavior has been fixed in MySQL 5.1.
Obviously it was a bug because the error message should only appear if you try to insert “nothing” in a column marked with “NOT NULL” instead of selecting. Btw other mathematical operations like “1/0″ or just “null” does not work, at least I couldn’t find any other. For ‘1′%’0′ you can also use mod(‘1′,’0′).

Anyway, another possibility you have when you cant access information_schema or procedure analyse(). Nice

update:
you can find some more information here.

Security feature of Internet Explorer 8 unsafe: “The cross-site scripting filter of Microsoft’s browser reportedly contains vulnerabilities that allow the very cross-site scripting attacks it is meant to prevent”

(Via The H Security.)

1.      Web Security

Personal computers are often connected to a shared network. Personal computers in large companies are connected to large corporate networks. Personal computers in small companies are connected to a small local network, and computers in private homes often share a network between family members.

Most often networks are used to share resources like printers, files and disk storage.

When you are connected to the Internet, your shared resources can be accessed by the rest of the world.

When you are connected to the Internet, an IP address is used to identify your computer.  If you don’t protect yourself, this IP address can be used to access your computer from the outside world. If you have a fixed IP address, you give Internet hackers all the time they need to search for entrances on your computer, and to store and share (with other hackers) information they find on your computer.

 They also steal your account number, personal identification number, password, or other valuable personal data.

 2.      Security measures for your website:

Here I am giving some of the common basic security measures you have to do for your website security.

 Virus Protection – Security starts at home, and by this I mean make sure you are running a first class security suite on your home pc’s and laptops. I use Mcafee, but there are others including AVG and Norton, but just make sure you use a well recommended internet security suite which if you do get infected, will help protect and fix any problems. Also download Malwarebytes and run this on a periodic basis. The latest Virus programs can now also fix infected webpages, meaning you can save hours by letting them fix the issues should your site get infected.

 Website Patches – If you are using WordPress, always make sure you are running the latest version of the main WordPress software and also upgrade your plugins when you are told to do so. WordPress updates itself with new patches and upgrades periodically and this is the same for the plugins. Many of the latest hacks are targeting WordPress, and you can help to avoid this if you run the latest version and your plugins are up to date.

I suggest you try this instead of on-line games:

‘The Norton Online Risk Calculator, unveiled within a microsite to coincide with the launch of Norton 2010, calculates your net worth on the black market by asking a few questions about your personal Internet use.

‘It takes a few minutes to answer the questions, after which you get three results: how much your online assets are worth, how much your online identity would sell for on the black market, and your risk of becoming a victim of identity theft.

‘The main point isn’t to promote software or instill fear, but to spread awareness on cybercrime, said Marian Merritt, Internet security advocate for Symantec.’ -IT World

In one of the projects, we had a requirement of preventing bot attacks without captcha. After hitting the wall on freely available solutions, I thought of staying with captcha, but in a different way.

To devise a solution, I thought that most users would not register account on the same website again at least with in a day, may be a year also. So, using this fact, the proposed solution was to display the captcha only when the user is registering again on the website. In this way, we could avoid irritating the user by showing the captcha, but if needed, we can again activate captcha for second or subsequent captcha.

The proposed solution brought an interesting challenge. How would we determine whether the request is coming from the same machine? HttpServletRequest.getRemoteAddr() gives you the client local IP. But, if you are behind NAT, you might not get different IPs for different machine.

In order to resolve the above mentioned issue, we can use X-FORWARDED-FOR, which is a HTTP header that is inserted by proxies to identify the IP address of the client. It can also be added to requests if application servers are proxied by proxy servers. In this case, the request IP address is always a local address and the client IP address must be extracted from the request. Since proxies can be chained – for example if the client’s request is already made through a proxy – the X-FORWARDED-FOR header can contain more than one IP address, separated by commas. In this case, the first one should be used.

The solution is still not full proof, because headers can be tampered easily. To rescue comes a module of Apache http server, which is mod_remoteip,
Thanks to this, request.getRemoteAddr(), request.getRemoteHost(), request.isSecure(), request.getScheme() and request.getServerPort() will expose the values transmitted by X-Forwarded-For and X-Forwarded-Proto rather than the values of the preceding proxy / load balancer.

The above mentioned Apache module works on an open source project, RemoteIpValve, and, XForwardedFilter. The RemoteIpValve and the XForwardedFilter have been integrated in the Tomcat Project. The RemoteIpValve will be available in the forthcoming Tomcat 6.0.21 version, whereas, XForwardedFilter has been renamed RemoteIpFilter and will be integrated in Tomcat 7.

Thanks to all those who worked on RemoteIpValve and RemoteIpFilter.

In-Q-Tel Invests in FireEye: “J. Nicholas Hoover writes on InformationWeek:

The independent venture arm of the U.S. intelligence community, In-Q-Tel, has invested in cybersecurity company FireEye, the company announced Wednesday.

In-Q-Tel and FireEye didn’t disclose terms of the agreement, or which intelligence agencies are particularly interested in the technology. However, in a release, they said that the investment ‘will extend FireEye’s cyber security product development and stealth malware technical capabilities to protect against cyber threats.’

The intelligence community has a clear interest in cybersecurity investment. At a conference earlier this month, deputy secretary of defense William Lynn said that more than 100 foreign intelligence agencies are actively trying to hack into federal government systems. The NSA recently announced plans to build a $1.5 billion cybersecurity data center in Utah.

California-based FireEye sells an out-of-band security appliance that monitors all inbound network traffic, employing a blend of signatures and heuristics to analyze traffic for evidence of suspicious behavior. After identifying suspicious traffic, the appliance captures and replays the traffic on virtual machines running in the appliance, which imitate real PCs. If those PCs are compromised, FireEye alerts administrators. By routing the traffic to a virtual machine, FireEye claims it is able to mitigate false positives. The virtual machines are invisible to the customer’s production network.

More here.

“

(Via Fergie’s Tech Blog.)

Gumblar is back with a vengeance: “ScanSafe reported that 29% of all Web malware blocks in October 2009 were the result of Gumblar. This series of website compromises, collectively dubbed ‘Gumblar’ takes a multi-pronged approach, insta…”

(Via Help Net Security – News.)

Mozilla’s Firefox web browser marked a milestone this past week, celebrating its fifth birthday.

No question about it, the open-source browser has been a big success, with growth that has been impressive by any measure. As of the end of July, Firefox had been downloaded more than 1 billion times.

Indeed, a mainstream site like this one here (WordPress) reports that Firefox now represents a larger share of activity than Internet Explorer — 46% versus 39% of traffic.

But now that Firefox has come of age, it’s facing some of the same “grown up” challenges that other browsers face.

In fact, application security vendor Cenzic has just released its security trends report covering the first half of 2009. Guess what? Firefox led the field of web browers in terms of reported total vulnerabilities. Here are the stats from Cenzic:

 Firefox: 44% of reported browser vulnerabilities
 Apple Safari: 35%
 Internet Explorer: 15%
 Opera: 6%

Compared to Cenzic’s report covering the second half of 2008, Firefox’s figure is up from 39%, while IE’s number is down sharply from 43%.

Welcome to reality. As Firefox has grown in importance, it’s gained more exposure to vulnerabilities. A significant portion of those vulnerabilities have come via plug-ins.

Mozilla is trying to take steps to counteract this, including launching a plug-in checker service to ensure that users are running up-to-date versions. It also offers a “bug bounty” to anyone who discovers security holes in Firebox.

And the good news is that even though Firefox had the highest number of vulnerabilities, even Cenzic admits that this doesn’t necesarily mean Firefox users are more vulnerable to security threats. Plus, those vulnerabilities tend to be patched more quickly than those found in other browsers.

So on this fifth anniversary milestone, Firefox can be justly praised as a major success story in the web browser world.

McAfee Threats Report:  Third Quarter 2009

By David Marcus, Paula Greve, Sam Masiello, and David Scharoun

McAfee Labs™

  This continues to be a fascinating year for online threats, malware of all types, and cybercrime in particular. In this quarter’s McAfee Threats Report we will discuss new findings, look at continuing trends, and unearth a few surprises.

  We continue to see rapid growth in malware. Web-based threats have reached new highs. Celebrity deaths, and news events in general, serve as lures in scams, spams, and phishing attacks. Disasters especially attract a large audience of potential victims. Fraudulent security products continue to scam unsuspecting users out of their money. Chinese pharmacy spam runs were the rage for a month or two. Google searches lead to more and more threats. We also observed some very interesting events in the world of cybercrime. One of the most surprising recent trends is the rise in pirated movie and software sites.

  Our researchers noticed 300 percent growth this quarter in websites that distribute pirated movies and software. Is this increase due to the economic downturn, or is technology at a point where it is easier to download feature-length movies on the day they become available in theaters?

How simple calculations can be a matter of life and death

The computer Binary System confuses computers. And do you know that 28 american soldiers were killed by a Scud missile because the Patriot Defense System failed in computing?

‘The failure of Google’s online calculator and Excel’s apparent inability to give correct answers to simple calculations are both well-known problems among programmers, but these aren’t really bugs in the normal sense of the word. Instead they’re just a consequence of the fact that computers suck at maths.

‘Computers perform calculations in quite a different way from the methods that humans use to do arithmetic – and that means that they habitually come up with the wrong answer. Here we investigate some of the shocking consequences of this revelation before delving into the reason why computers suck at maths…’ – By Mike Bedford
————————–
Idle computers don’t waste energy
Because energy can’t be created or destroyed
By Luis Villazon
-both pieces from Techradar

The Web Application Security Consortium (WASC) is pleased to announce the WASC Web Application Security Statistics Project 2008. This initiative is a collaborative industry wide effort to pool together sanitized website vulnerability data and to gain a better understanding about the web application vulnerability landscape. We ascertain which classes of attacks are the most prevalent regardless of the methodology used to identify them. Industry statistics such as those compiled by Mitre CVE project provide valuable insight into the types of vulnerabilities discovered in open source and commercial applications, this project tries to be the equivalent for custom web applications.

Many website designers design really scrappy websites that do not follow standards at all. I myself tend to write all my XHTML to be XHTML1.1 compliant. As a reader of this blog, I will assume you also attempt to follow standards.

Usually I implement everything to pass xhtml transitional validation. One thing I usually ignore however, is the character encoding.

Put simply, character encoding allows a browser to display and render the document as originally intended. For instance, browsing a site developed using a Japanese-based encoding (e.g. JIS X 0208) will not display correctly unless you have the JIS X 0208 character set installed on your computer.

Without specifying a character encoding, a default character encoding is used. So specifying a character encoding when developing sites that use other characters is a must. But a more important reason exists even if you only develop english websites using UTF-8 or ISO 8859-1. It is a potential security vulnerability.

Essentially, when a character encoding is not specified it could allow for a potential XSS-style attack. This can be achieved by encoding the javascript code using UTF-7. When a clients webbrowser attempts to autodetect the type of encoding used, it will detect it as UTF-7, and the javascript code can then be executed.

You don’t go directly to the web site. You start by reviewing the publicly available information. You decide upon a goal.

The Passive Information Gathering whitepaper by Gunter Ollmann, Professional Services Director at Next Generation Security Software, Ltd., is good orientation. There may be useful information already leaked. It may not be reliable information, but there’s a good chance you can save yourself a lot of time without touching the web site.

Retain the information for future reference.

The Sam Spade utilities look up DNS and domain information. Frequently under revision, but one stable source is petri.co.il.

Use Maltego to learn published information scattered across the Internet. Uses nslookup, SecretSniff, Robtex

Collect and document information about the company’s Internet presence. This would include:

• Internet Service Registration – The global registration and maintenance of IP address information
• Domain Name System – Local and global registration and maintenance of host naming
• Search Engines – The specialist retrieval of distributed material relating to an organization or their employees
• Email Systems – The information contained within each email delivery process
• Naming Conventions – The way an organization encodes or categorizes the services their online hosts provide and the email address conventions (which often reflect userid conventions).
• Website Analysis – The information intentionally and unintentionally made public, that may pose a risk to security

hpHosts consolidates a lot of information about web sites. vURL can be used to review the company’s web pages through proxies.

Retain the information for future reference.

• Source sifting (website review) SamSpade Google Hacking Database
• Googlehacking, Googledorks (such as those found through PenTestIT)
• Search engines Google Google Groups AltaVista DogPile MSN
• Securities and Exchange Commission (SEC) Edgar database
• Business information sites
• News groups, USENET Searching
• What’s that site running? netcraft.com
• web-sniffer.net View HTTP Request and Response Header
• Big Brother Network and System Monitor
• WHOIS Enumeration (Find the registry, then the registrar, then the registrant)
• TechnicalInfo.net
• DNS Enumeration
  

  Forward nslookup	nslookup hostname
  Reverse nslookup	nslookup ip_address
  Zone Transfer (should not be permitted)	#nslookup >server dns_ip_address >set type=any >ls -d target_domain >exit

• Network Reconnaissance
  • Traceroute or Tracert or Looking Glass
  • Trout
  • Neotrace
  • tcptraceroute
  • 3d traceroute

  UNIX Traceroute (UDP)	traceroute hostname/ip
  UNIX Traceroute (ICMP)	traceroute -I hostname/ip
  Windows Tracert (ICMP)	tracert hostname / ip
  Windows Trout or NeoTrace (ICMP)	Trout or NeoTrace (GUI)
  UNIX tcptraceroute (TCP)	(see man page)

- Border Gateway Protocol (BGP) Queries
- About BGP:12
AS numbers are used to identify the autonomous systems that a route has already passed through, which prevents routing advertisement loops; and to determine the origin of routes. Folks often use AS-PATHs in their route selection policy to, for example, use a particular transit provider that is known to have good connectivity to AOL; or not use someone who may have poor connectivity to them.
A good way to understand things in the real world is to use Looking Glasses by ISPs. For example, go to lg.he.net or lg.level3.net and do a bgp query with another providers IP as the argument. you will see how the possible paths to the specific IP, and you will see the AS numbers (networks) it has to go thru inorder to reach that IP.
–www.arin.net (find target’s AS number)
–neptune.dti.ad.jp (query BGP via web)

1. Reconnaissance
2. Scanning & enumeration
3. Gaining Access
4. Maintaining Access
5. Clearing Tracks

What has to be the hands-down, blue ribbon winner of “most utilized penetration testing tool” is nmap, beyond a doubt. Any toolkit will use that, especially since it works almost as well on Windows now as it does on *nix. But once you go from there, the paths diverge. Some use the Metasploit framework, others go towards Nessus, others still use commercial products like eEye Retina or Core Impact. It comes down to the methodology that they follow, and whether they favor a heavier recon phase followed by highly targeted validation, or more of an exploitative approach to enumerating vulnerabilities. And then, you get into the part of the toolkit that’s highly tailored to the individual; they might like to use netcat a lot, or they might have an asynchronous port scanner that they like to use, for those times when a load balancer starts shaping traffic and slowing their scans down.

So, ultimately, it comes down to skill and personal choices for about half the toolkit. There’s something of an art to penetration testing, even with all the tools that are out there.

If you are talking open source, Nmap, Nessus and Metasploit will take you a long way.

There are literally thousands of more specialized tools, depending on what you want to pen test. Check

http://wiki.remote-exploit.org/backtrack/wiki/Category

And also consider this version of the steps for pen testing, with 10, instead of 5 steps:

http://www.dba-oracle.com/forensics/t_forensics_network_attack.htm

http://www.ivizsecurity.com/network-penetration.html

http://www.ivizsecurity.com/application-penetration.html

OSSTMM – Open Source Security Testing Methodology Manual

http://www.isecom.org/osstmm/

In order to get a brief idea of website copyright, let’s take a look at the following:

Content Copyright © All Right Reserved | weblinkindia.net

This is a copyright notice at the bottom of each web page of the website: (http://www.weblinkindia.net/)

This means, all material on the site (text, images, TITLE tag content, programming, design etc. is copyright to Weblink India.Net and its owner (owners) and is not supposed to be reproduced anywhere else without explicit written permission.

In most websites, the date in terms of year is mentioned. But it is not mandatory. In any case, the dates you would come upon in a copyright statement is no indication of expiry of the website and it becoming a public domain. The date signifies the date of creating and launching the website.

Content in the Internet is available in the public domain, but this does Not mean that, Internet is public domain. One can access a website, copy materials and sometimes download content, images, music and videos. But, in no way one should reproduce content in another website (websites) for public use. It is unlawful to be incorporated in printed texts too. Any such instance comes under the malpractice called plagiarism and is liable for legal consequences. There are relaxations in some websites where authors ask for mention of references if in anyway they need to be reproduced elsewhere. The person who uses the content from the original site should keep that in mind.

I tried Firefox Portable and found out it’s better, safer, and faster than Firefox OS installed. It’s better and safer because it informs you within seconds what’s troubling your system like an AV or anti-malware. And of course, you’re using your own private browser.