Archive for the ‘information security’ Category

An Introduction to NoScript

Tuesday, April 14th, 2009

If you’ve been sleeping through the past weekend, you probably haven’t heard about “Mikeyy” and the Cross-Site Scripting worms which have been plaguing Twitter.

Saving the ranting and rhetoric for a separate post, an ethical reaction to this is to try to educate people on how they can protect themselves from things like this in the future.

Since I am often extolling the virtues of NoScript, and routinely suggest it as a countermeasure, I figured this would be a good time to write up a tutorial on the subject (and I’ve gotten several requests for it as well).

NoScript is an add-on for the Firefox web browser which, along with a few other add-ons, gives users one of the safest (and most configurable) ways to browse the internet, by letting you decide what content is allowed to execute in your browser (and what is not). It is not a cure-all, and by no means protects you from every type of web attack, but it does block a lot of the common “drive-by” attacks that catch internet users unawares, and, if properly configured, would have protected Twitter users from the Mikeyy worms.

(more…)

Nmap for Conficker

Tuesday, March 31st, 2009

I tried out some of the Conficker tools mentioned earlier. As Dan Kaminsky suggested, the script is a little clunky, and it’s a LOT easier to run the check using NSE (the Nmap Scripting Engine).

You are dealing with a beta build pulled from the nmap SVN, but it worked just fine doing import, make, and install on an OS X 10.5.6 box with the developer tools installed.

NSE’s output is a little wordy, so you probably want to dump the output to a file to read it. Zenmap from the last production build seems to work just fine as well, though it really doesn’t give you much in this case.
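As an added example (not from the original post), here is the command line and a small parser for the approach described above: run the Conficker check from the Nmap Scripting Engine, save the verbose output to a file, and pull out only the hosts the script flagged. The script name `smb-check-vulns` and the `safe=1` argument are the ones shipped in the nmap 4.85BETA5 release referred to here; the scan output below is constructed in the layout that script printed, not real data. A “Likely CLEAN” result is not proof of a clean host, since the check fingerprints one specific behaviour of the worm and a later variant could change it.

```shell
#!/bin/sh
# Added example: drive nmap's Conficker check and parse its saved output.

# Print the nmap command line for a target range. "-PN" is the 2009
# spelling of "-Pn" (skip host discovery); "-oN" saves normal output to a
# file so the wordy NSE results can be read and grepped afterwards.
conficker_scan_cmd() {
    targets="$1"
    outfile="${2:-conficker-scan.txt}"
    printf 'nmap -PN -T4 -p139,445 -n -v --script=smb-check-vulns --script-args safe=1 -oN %s %s\n' \
        "$outfile" "$targets"
}

# Read nmap normal output on stdin and print one address per host whose
# smb-check-vulns result says INFECTED. Handles both the older
# "Interesting ports on 10.0.0.5:" header and the newer
# "Nmap scan report for 10.0.0.5" / "... for name (10.0.0.5)" forms.
conficker_infected_hosts() {
    awk '
        /^Interesting ports on / { host = $NF; sub(/:$/, "", host); gsub(/[()]/, "", host) }
        /^Nmap scan report for /  { host = $NF; gsub(/[()]/, "", host) }
        /Conficker:/ && /INFECTED/ { if (host != "") print host }
    '
}

# Constructed sample output (not real scan data): one hit, one clean host.
SAMPLE_SCAN='Interesting ports on 10.0.0.5:
PORT    STATE SERVICE
139/tcp open  netbios-ssn
445/tcp open  microsoft-ds

Host script results:
|  smb-check-vulns:
|  MS08-067: VULNERABLE
|  Conficker: Likely INFECTED (by Conficker.C or lower)
|_ regsvc DoS: NOT RUN (add --script-args=unsafe=1 to run)

Interesting ports on 10.0.0.7:
PORT    STATE SERVICE
139/tcp open  netbios-ssn
445/tcp open  microsoft-ds

Host script results:
|  smb-check-vulns:
|  MS08-067: PATCHED
|  Conficker: Likely CLEAN
|_ regsvc DoS: NOT RUN (add --script-args=unsafe=1 to run)'

# Demo: show the command you would run, then parse the sample as if it
# were the saved -oN file. Real use: conficker_infected_hosts < conficker-scan.txt
conficker_scan_cmd 10.0.0.0/24 conficker-scan.txt
printf '%s\n' "$SAMPLE_SCAN" | conficker_infected_hosts
```

Only run this against networks you are authorised to scan; the check talks SMB to every host on 139/445 and will show up in logs.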

e.g.

(more…)

Conficker heads up, updates and resources

Monday, March 30th, 2009

For those of you who have not been paying much attention to the network worm side of the house in the past year, one of the most sophisticated and successful Windows-based worms to date has been out in the wild for the past five months or so.

There is potentially a new twist in the story of this worm, which has taken over millions and millions of computers around the internet. Recently, the fruits of a rarely seen collaboration among infosec professionals around the world have been coming to light, as they race against the worm’s April 1st refresh date.

A lot of rumor has been circulating about the April 1 deadline, and really, it won’t be the end of the world. What it could mean is a new round of infections and updates, and a mutation or evolution in the worm code that undoes some or all of the progress made so far. The next 48 hours are a chance to make up some ground on this runaway problem.

If you are in charge of systems or networks, or even just have a few Windows boxes at home that you are not sure about, take a few minutes to catch up on this story and use some of the (now) freely available tools to scan your network and see if you can spot this malware before it changes again, which is slated to happen on Wednesday of this week.

As always, scan (and do any other actions on your network) responsibly, and in accordance with the rules and regs that pertain to your network. If you are somewhere big, corporate, or federal, get your management involved and engaged, and mobilize to protect your resources.

note(ed): I think that between this and the response to Kaminsky’s “I broke the Internet” DNS bug last year, the information security community is starting to show a maturity and collaborative spirit that is crossing boundaries that previously impeded progress. While I don’t think the incidents themselves are innately good, the collaboration that is springing from facing these adversities is excellent.

A good summary of “where things are at” from the Register

There are several posts and links from SANS ISC on the topic

Honeynet project’s dedicated scanning script in python

And Dan Kaminsky was nice enough to wrap it into an .exe and give his latest two cents’ worth

Synchronicity?

Thursday, March 19th, 2009

I managed to make it to the informal #novasecluncheon meetup in DC today.

A conversation topic was Rob Fuller and Rafal Los’s recent run-in with an insecurely configured tinyurl (which was picked up by the media). Discussion also followed about the issues with a site being owned (bad enough) and the exponential implications of everything that passes through that site being affected (much worse).

Once everyone gets done with lunch and back to their routine, what do we see? It appears that someone has managed to XSS Twitter successfully.

Is that timing, or what?

I’ve been meaning to save this for another post, but now is also a great time to mention the Longurl Mobile Expander I’ve been playing around with. It’s a link-expander add-on for Firefox that lets you preview “shortened” URLs by mousing over them before you click.

Click with care . . .
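For the command line, here is an added example (not part of the original post, and not the add-on’s own code) of the same check the expander performs: ask the shortener where a link goes without actually following it. A HEAD request with redirects disabled returns the 301/302 and its Location header, so you see the real destination before any browser visits it. The response headers below are constructed for illustration; `expand_short_url` assumes `curl` is installed.

```shell
#!/bin/sh
# Added example: preview a shortened URL from the shell instead of clicking it.

# Print the Location header value from raw HTTP response headers on stdin.
# Strips CR so the value is clean; prints nothing if there is no redirect.
location_from_headers() {
    tr -d '\r' | awk 'tolower($1) == "location:" { sub(/^[^:]*:[ \t]*/, ""); print; exit }'
}

# Ask the shortener for its redirect target without following it:
# -I sends HEAD, --max-redirs 0 (and no -L) stops curl at the first hop,
# so only the shortener is contacted, never the destination.
expand_short_url() {
    curl -sS -I --max-redirs 0 "$1" 2>/dev/null | location_from_headers
}

# Constructed sample response (not captured from a real service), in the
# shape a URL shortener returns for a short link.
SAMPLE_HEADERS='HTTP/1.1 301 Moved Permanently
Date: Thu, 19 Mar 2009 18:00:00 GMT
Server: Apache
Location: http://www.example.com/some/long/path?ref=twitter
Content-Type: text/html; charset=UTF-8'

# Demo on the constructed headers. Real use: expand_short_url http://short.example/abc
printf '%s\n' "$SAMPLE_HEADERS" | location_from_headers
```

If the target that comes back is itself another shortener or an unfamiliar host, repeat the check on it rather than following the chain in a browser; each hop is a chance for a compromised intermediate site to send you somewhere else.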

Drupalcon in DC, now with Security!

Monday, March 9th, 2009

I was able to stop by Drupalcon the other day for a few hours. I was there scouting out the DC Convention Center space for the OWASP AppSec 2009 Conference I’m helping organize this fall, and went to see how they were utilizing the space and facilities.

In a bit of fortuitous circumstance, the short time I was there coincided with the one set of security talks being given at the convention, so I dropped in to take a look.

Both talks were given by a panel of Neil Drumm, Greg Knaddison, Matt Cheney and Ezra Gildesgame. Greg has a book coming out in the near future, “Cracking Drupal.” There were two talks, an intro and advanced, dealing with Drupal security. I was pleasantly surprised, after seeing a fairly empty intro talk, to see that the “advanced” talk was jam packed.

It was interesting to see the differences and similarities between a security talk given by developers and one given by security folks. There were a lot of parallels to the Web App Sec 101 talks Mark and I have given, but couched in terms of Drupal.

(more…)