Niche Konsult Newsletter
November 2008 Edition
This email message is being sent to all individuals who have expressed interest
in Niche Konsult or Niche Konsult partner products and solutions in accordance
with Niche Konsult’s
privacy policy.
You may opt out of future mails by sending a mail to
newsletter@nichekonsult.com
with “Unsubscribe” in the Subject line.
Feature Story: Phishing - Why You Should Care!
What it is
Phishing scams use social engineering to trick consumers into revealing personal,
financial or confidential information such as credit card numbers, account usernames
and passwords.
They are usually disguised as an email from a trusted source, such as a bank or a
respected online retailer, that directs the recipient to a fake website, usually a
flawless reproduction of the genuine site. The bogus site asks users to confirm their
records or maintain their account. At other times the fake site is a malicious site
in disguise, where the attacker uses browser exploits to install backdoors or gain
access to the data on the victim's computer.
Phishing is also known as 'carding' or 'brand spoofing'.
How it works
- Hundreds of thousands to millions of spam mails are sent daily
- When the user receives the mail, he responds to the call to action it contains
by clicking on a link in the email
- He is then directed to a fraudulent website where he will most likely have to
log on to update his details
- Once personally identifiable data has been collected, the criminals operate under
the victim's identity to commit crimes
Source-dependent redirection of network traffic
- Alternatively, the hosts file on the user's PC is modified, so that when he attempts
to access certain sites his browser appears to take him to his desired destination
but in fact takes him elsewhere
- Or, because of inherent vulnerabilities in the user's browser, when he clicks on
a link the browser displays a legitimate URL in the address bar but actually loads
something else
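The hosts-file redirection described above is easy to check for. The script below is an added example written for this newsletter, not a tool from any vendor: it parses a hosts file, and reports any entry that pins one of a watched list of bank or payment domains to an address. The sample file content, the watched domain names and the addresses in it are all constructed for the illustration.

```python
import ipaddress
import os
import sys

# Constructed sample hosts file (not a real capture). The examplebank lines
# are the kind of entry a pharming trojan drops in.
SAMPLE_HOSTS = """\
127.0.0.1       localhost
::1             localhost
# added by "Windows update" 2008-11-03
192.0.2.45      www.examplebank.com examplebank.com
10.0.0.5        intranet.example.internal
"""

# Hypothetical list of brands whose names should never appear in a hosts file.
WATCHED_DOMAINS = {
    "www.examplebank.com",
    "examplebank.com",
    "login.example-payments.com",
}


def parse_hosts(text):
    """Yield (address, hostname) pairs, ignoring blank lines and '#' comments."""
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        fields = line.split()
        if len(fields) < 2:
            continue
        address, names = fields[0], fields[1:]
        for name in names:
            yield address, name.lower()


def suspicious_entries(text, watched=WATCHED_DOMAINS):
    """Return (address, hostname, reason) for every watched domain pinned in the file.

    A hosts entry takes precedence over DNS, so any line naming a bank or
    payment site sends the browser to the listed address while the address
    bar still shows the genuine name.  Unparseable addresses are reported too,
    since a legitimate file never contains them.
    """
    findings = []
    for address, name in parse_hosts(text):
        try:
            addr = ipaddress.ip_address(address)
        except ValueError:
            findings.append((address, name, "unparseable address"))
            continue
        if name in watched:
            reason = "pinned to loopback" if addr.is_loopback else "redirected to %s" % addr
            findings.append((address, name, reason))
    return findings


def hosts_file_path():
    """Location of the live hosts file on Windows and on Unix-like systems."""
    if sys.platform.startswith("win"):
        root = os.environ.get("SystemRoot", r"C:\Windows")
        return os.path.join(root, "System32", "drivers", "etc", "hosts")
    return "/etc/hosts"


def check_live_hosts_file():
    """Scan this machine's own hosts file and return the findings list."""
    with open(hosts_file_path(), encoding="utf-8", errors="replace") as fh:
        return suspicious_entries(fh.read())


if __name__ == "__main__":
    for address, name, reason in suspicious_entries(SAMPLE_HOSTS):
        print("SUSPICIOUS: %s -> %s (%s)" % (name, address, reason))
```

Run it against the sample and the two examplebank entries are reported; call check_live_hosts_file() to scan the workstation itself. The watched list is the part to tailor: it should contain every brand your users bank or pay with, because an entry for any of them is never legitimate.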
Targets
Financial service companies: banks, both foreign and local. Foreign banks whose brands
have been spoofed include Citibank, Visa, Lloyds, PayPal, Fleet, Barclays, Wells Fargo,
Westpac, Halifax, MBNA, Postbank and First USA; credit/debit card operators and merchants
such as Visa, MasterCard, American Express and TJX; and electronic payment service
providers such as Interswitch and e-Tranzact.
Retail trade/e-commerce sites, e.g. eBay, Yahoo
Telecoms, e.g. Verizon
Individuals: the huge number of internet users who do not understand the hidden dangers
of internet use. Criminals can easily copy logos and other material from legitimate
business websites into phishing emails and websites to deceive them.
Government entities such as the Central Bank of Nigeria; its equivalents in the UK
and the US have also been victims in the past.
Who is behind it?
Spammers: phishing scams increase and hasten the distribution of their mailings.
Organized criminals: these solicit, collect and sell bank account numbers, credit card
validation codes, ATM/debit or credit card numbers and PINs to others, who use the
information to access customer accounts through online banking, set up false bill
payments, transfer funds to their own checking accounts or withdraw the money through
ATMs ...
Please click here to read the rest of the article
Disclosure: Niche Konsult resells anti-phishing solutions and provides value
added services
Database Security – Making the Case
SANS Institute is running a Database Security
Compliance Survey. We encourage you to participate.
Also click here to view port information for your database server's open
ports.
Enterprise Security – Log Collection and Analysis Infrastructure – Part 1
Events and You
An event is an action; an event log is a listing of such actions. All software and
hardware on your network generate copious amounts of records and alerts (collectively,
events). Event logs are therefore a valuable tool for monitoring network security and
performance. Unfortunately, because of their complexity and volume they are often
underutilized. A recent SANS Institute survey found that 44% of system administrators
do not keep logs for more than a month, and others do not feel the need to look at
logs at all.
This diagram depicts the Windows Event Viewer
The fact is that proper log management helps you meet several objectives, including:
- Information system and network security,
- System health monitoring,
- Legal and regulatory compliance,
- Forensic investigations.
Detailed reasons why event log management is a must-have:
- Event logs are the reference point when something goes wrong, and they provide a
history of events (an audit trail of user activity) that is often required for internal
forensic investigations or at the instance of a court of law
- Regulations and standards worldwide such as Basel II, the PCI Data Security Standard,
the Sarbanes-Oxley Act, the Gramm-Leach-Bliley Act, HIPAA, FISMA, the USA PATRIOT Act,
the Turnbull Guidance 1999, the UK Data Protection Act, the EU Data Protection Directive
and the Advance Fee Fraud Act 2006 increasingly require the retention of large volumes
of log information in anticipation of an audit weeks, months or years later
- Event log monitoring and notification identifies problems in advance, a proactive
approach that deals with network trouble today rather than tomorrow
- Event log monitoring can give real-time notification of suspicious activity
In particular, Section 11 of Nigeria’s proposed “Computer Security & Critical
Information Infrastructure Protection Bill” mandates all service providers to keep
all traffic information, subscriber information and specific content as may be specified
from time to time and to provide such information if requested by law enforcement.
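The "real-time notification of suspicious activity" point above is best shown with a concrete detection. The script below is an added example written for this newsletter, not taken from any event log monitoring product: it reads a simplified export of Windows security events and raises an alert when a burst of failed logons for one account from one source address falls inside a short window, and a second alert if a successful logon from that source follows the burst. The sample event lines, the export format (timestamp, event id, account, source address) and the threshold are constructed for the illustration.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample export: "timestamp,event id,account,source address".
# Not real logs.  4625 is the Vista/Server 2008 failed-logon event and 529
# the equivalent on XP/Server 2003; 4624 and 528 are successful logons.
SAMPLE_EVENTS = """\
2008-11-03 08:00:01,4624,jdoe,10.1.1.20
2008-11-03 08:02:10,4625,administrator,203.0.113.9
2008-11-03 08:02:12,4625,administrator,203.0.113.9
2008-11-03 08:02:15,4625,administrator,203.0.113.9
2008-11-03 08:02:19,4625,administrator,203.0.113.9
2008-11-03 08:02:21,4625,administrator,203.0.113.9
2008-11-03 08:02:30,4624,administrator,203.0.113.9
2008-11-03 08:40:00,529,jdoe,10.1.1.20
2008-11-03 09:15:00,529,jdoe,10.1.1.20
"""

FAILED_LOGON_IDS = {"4625", "529"}
SUCCESS_LOGON_IDS = {"4624", "528"}


def parse_events(text):
    """Parse the export into dicts; malformed lines are skipped rather than fatal."""
    events = []
    for line in text.splitlines():
        parts = line.strip().split(",")
        if len(parts) != 4:
            continue
        when, event_id, account, source = parts
        try:
            stamp = datetime.strptime(when, "%Y-%m-%d %H:%M:%S")
        except ValueError:
            continue
        events.append({"time": stamp, "id": event_id,
                       "account": account.lower(), "source": source})
    return events


def detect_password_guessing(events, threshold=5, window=timedelta(minutes=1)):
    """Alert when `threshold` failed logons for one (source, account) fall inside `window`.

    A successful logon from the same source for the same account after such a
    burst is reported separately, because that is what a completed guessing
    attack looks like.  Returns a list of
    (kind, source, account, time, failures_in_window) tuples.
    """
    recent = defaultdict(deque)   # (source, account) -> timestamps of recent failures
    burst_seen = set()
    alerts = []
    for ev in sorted(events, key=lambda e: e["time"]):
        key = (ev["source"], ev["account"])
        if ev["id"] in FAILED_LOGON_IDS:
            q = recent[key]
            q.append(ev["time"])
            while q and ev["time"] - q[0] > window:   # slide the window forward
                q.popleft()
            if len(q) >= threshold and key not in burst_seen:
                burst_seen.add(key)
                alerts.append(("burst", ev["source"], ev["account"], ev["time"], len(q)))
        elif ev["id"] in SUCCESS_LOGON_IDS and key in burst_seen:
            alerts.append(("success-after-burst", ev["source"], ev["account"], ev["time"], 0))
    return alerts


if __name__ == "__main__":
    for kind, source, account, when, count in detect_password_guessing(parse_events(SAMPLE_EVENTS)):
        print("%s %s account=%s from=%s failures=%d" % (when, kind, account, source, count))
```

On the sample, the five administrator failures from 203.0.113.9 within eleven seconds trigger a burst alert and the logon at 08:02:30 a success-after-burst alert, while jdoe's two failures more than half an hour apart trigger nothing. The same sliding-window logic applies to any log source; only parse_events and the event id sets change.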
Part 2 - will deal with the various types of event logs and some of the tools used
to mine the data within these logs.
Disclosure: Niche Konsult resells event log monitoring software and provides
value added services
General Security- Passwords and You: Please Pass along to your friends
Please pass this reminder to your users as the old year gives way to the new:
Passwords are like Underwear... Change yours often.
Passwords are like Underwear... Don't leave yours lying around.
Passwords are like Underwear... Don't share them with friends.
Passwords are like Underwear... Be mysterious.
Passwords are like Underwear... The longer the better.
- Courtesy ITCS, University of Michigan
General Security
- The danger of the web browser "remember your password" feature
Have you ever taken advantage of your browser's offer (Internet Explorer or Mozilla)
to remember passwords for you?
After reading this
article and trying this
nifty utility you might think again.
For more information on creating really strong passwords, try these links:
Code Assembly
Schneier
Government Security
– Personal Data of some 26.5 million Americans compromised
The names, Social Security numbers and birthdates of veterans discharged since 1975
were lost when a laptop and a hard disk were stolen in a burglary at the home of a
Veterans Affairs Department employee. Here are articles from
News.com and from
SecurityFocus.
Government Security
– American government requires that contractors subscribe to and enforce a Code
of Ethics
Recently the Nigerian government had to cancel a proposed contract award to a
multinational on the grounds of graft. Such problems are not limited to countries
like Nigeria: the American government is set to enforce a
code of ethics for its contractors from December 24, 2007 onwards. Here
is a copy of the
regulation
Government Security– Dutch civil servants caught hacking press agency
The Nigerian civil service is notorious for one thing: the trust that civil servants
have in other civil servants is very high. The general consensus in my informal
discussions with quite a few of them is that if there is an enemy, it has got to be
an outsider. However, this story about the
Dutch press agency hack
shows that insiders can be a pain in the neck. It is therefore very important that
Appointments, Promotion and Discipline (APD) liaise with the Planning, Research and
Statistics (PRS) or Information Technology (IT) department, as the case may be, to
revoke computer and network privileges before termination of employment by the
employer or immediately after voluntary retirement by the employee.
This story also demonstrates that technology is only half the solution, given that
the insiders involved gave their login details to others.
Government Security
– Economically motivated nation-state cyber espionage on the rise!
The
TimesOnline story captures the problem well. The United States and Great Britain
have been complaining about China a great deal in recent times. Here is an
American view of the problem, which is why governments are worried when
software used
by their defence arm is developed overseas.
Government Security
- Nigeria set to conduct Privacy Impact Assessment Study of National ID
Card Program
The Nigerian government, through its National Identity Management Commission, is
currently inviting consultants to express interest in conducting a Privacy Impact
Assessment Study. Interested consultants may visit Room 3.89, Third Floor, Phase I,
Federal Secretariat, Abuja to obtain more information. This follows on the heels of
the proposed National ID program and the award of contracts for it.
Does Nigeria really need a Privacy Impact Assessment Study? Read on. At the 3rd
International Investment Roadshow of the Nigerian Stock Exchange, the Director General
boasted that the Central Securities Clearing System (CSCS), a subsidiary of the Nigerian
Stock Exchange, had the capacity to hold data on up to 10 billion people. Currently
Nigeria has no privacy legislation beyond a very brief mention in the Nigerian
Constitution. Several government institutions, particularly those dealing with graft,
as well as private-sector service providers, collect and use large amounts of personally
identifiable information; we believe this will end up putting Nigeria on the map of
nations with privacy legislation.
Also as far back as 2005, a member of Niche Konsult’s board made an appeal to the
government through the Consumer Protection Council for the establishment of a Privacy
Task Force and the development of a National Privacy Policy.
Here are the
documents:
Why the CPC
law should be reviewed
Privacy: A Burning Consumer Issue, Privacy Policy: A National Imperative, Wanted:
A Privacy Watchdog
CPC:
A Privacy Agenda - To be or Not to Be?
Also here are some links on National ID card programs elsewhere:
Epic
PrivacyRightsClearingHouse
Even Americans
don't like it
Instant Messaging Security
– Don't leave your PC unattended while Instant Messaging!
MessenPass is a password recovery tool that reveals the passwords of the following
instant messenger applications:
- MSN Messenger
- Windows Messenger (In Windows XP)
- Windows Live Messenger (In Windows XP And Vista)
- Yahoo Messenger (Versions 5.x
and 6.x)
- Google Talk
- ICQ Lite 4.x/5.x/2003
- AOL Instant Messenger v4.6 or below,
AIM 6.x, and AIM Pro.
- Trillian
- Miranda
- GAIM/Pidgin
MessenPass can only recover the passwords of the user currently logged on to the local
computer, and only if "remember your password" was chosen in one of the above programs;
it cannot be used to grab other users' passwords. That is exactly why an unattended,
unlocked session is dangerous: anyone at the keyboard can run such a tool and walk away
with every saved credential.
Office Security
- Microsoft Releases Office 2007 SP1
Microsoft recently released Service Pack 1 for Microsoft Office 2007. According to
Microsoft, this update includes customer-requested stability and performance
improvements as well as security enhancements. Here is the
download link and a
KnowledgeBase
article that describes what has changed
Office Security -
- Block all Microsoft Access database (.mdb) files via email/Internet from
entering your network
According to Microsoft, such files are "designed for the sole purpose of executing
commands", hence the concern. US-CERT has indicated that absolutely no user interaction
is required to launch such attacks, and has recommended that users do not open
attachments from unknown sources and that .mdb attachments be blocked at the email
server.
See the related
Microsoft Knowledgebase
article, the
US-CERT Advisory and the
Microsoft Security Bulletin
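Blocking by file extension alone misses an Access database that has simply been renamed. The function below is an added example written for this newsletter, not code from Microsoft, US-CERT or any mail gateway: it refuses an attachment on either a blocked extension or the file's content, using the "Standard Jet DB" marker that Jet (.mdb) files carry at offset 4 (Access 2007 files carry "Standard ACE DB" in the same place). The extension policy list and the sample file header are constructed for the illustration; a real gateway would wire attachment_verdict into its attachment filter.

```python
import os

# Jet/Access database files start with the bytes 00 01 00 00 followed, at
# offset 4, by "Standard Jet DB" (.mdb) or "Standard ACE DB" (Access 2007).
JET_SIGNATURES = (b"Standard Jet DB", b"Standard ACE DB")
SIGNATURE_OFFSET = 4

# Hypothetical policy list for this example; Microsoft's own unsafe-attachment
# list contains these and more.
BLOCKED_EXTENSIONS = {".mdb", ".mde", ".accdb", ".accde", ".adp", ".ade"}

# Constructed header of a Jet file, as an attacker would ship it renamed to .txt.
SAMPLE_JET_HEADER = b"\x00\x01\x00\x00Standard Jet DB\x00" + b"\x00" * 64


def has_blocked_extension(filename):
    """Extension rule.  Windows silently drops trailing dots and spaces, so
    "budget.mdb." is saved as "budget.mdb"; normalise before looking at the suffix."""
    name = filename.rstrip(". ").lower()
    return os.path.splitext(name)[1] in BLOCKED_EXTENSIONS


def looks_like_jet_db(data):
    """Content rule: catches a renamed .mdb that the extension rule would let through."""
    if len(data) < SIGNATURE_OFFSET + len(JET_SIGNATURES[0]):
        return False
    if data[:4] != b"\x00\x01\x00\x00":
        return False
    return any(data.startswith(sig, SIGNATURE_OFFSET) for sig in JET_SIGNATURES)


def attachment_verdict(filename, data):
    """Return (block, reason) for one attachment; both rules must pass for it to be allowed."""
    if has_blocked_extension(filename):
        return True, "blocked extension"
    if looks_like_jet_db(data):
        return True, "Jet database content under extension %r" % os.path.splitext(filename)[1]
    return False, "allowed"


if __name__ == "__main__":
    for name, payload in (("budget.mdb", b"junk"),
                          ("budget.txt", SAMPLE_JET_HEADER),
                          ("notes.txt", b"hello world")):
        print(name, attachment_verdict(name, payload))
```

The content check is the one that matters: a user who is told "open the attached .txt in Access" is still opening a Jet database, and only the signature test sees that.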
Office Security -
- Tales your Electronic Documents Tell!
Earlier this year a security commentator carried out some forensics on a PowerPoint
presentation, on which she based her estimate of the United States defence budget
for contractors. Here are the links:
First,
second and
third.
Portable Device Security
– Her Majesty's Revenue and Customs (HMRC) bans removable storage media
In the fallout from the HMRC data-loss scandal,
HMRC staff no longer have access to CDs and other portable/removable storage
media.
Here is what a notable security author/researcher had to say about
portable storage media security
Portable Device Security
– GFI EndPointSecurity 4 released
This new version ships with a number of new and improved features including advanced
access control that allows the blocking of a range of device classes, as well as
blocking file transfers by file extension, by physical port and by device ID. Administrators
can also use a device whitelist and blacklist to allow only company-approved devices
and block all others. Furthermore, temporary access can be granted to users for
a device (or group of devices) on a particular computer for a particular timeframe.
To download an evaluation,
click here and to learn more,
click
here.
GFI EndPointSecurity allows control over the following device categories:
- Floppy disks
- CD \ DVD
- Storage Devices
- Printers
- PDA Devices
- Network Adapters
- Modems
- Imaging devices
- Human Interface devices
- Other devices
GFI EndPointSecurity can also control the physical port to which devices are
connected:
- USB ports
- FireWire ports
- Serial (COM) ports
- Parallel ports
- Infrared (IrDA) ports
- Bluetooth adapters
- Wireless (WiFi)
- PCMCIA
- S-ATA
- SD
Disclosure: Niche Konsult is a GFI Value Added Reseller
Web Security
- Introducing SWFIntruder: Flash Application Security
SWFIntruder (pronounced Swiff Intruder) is the first tool specifically developed
for analyzing and testing the security of Flash applications at runtime. It helps
find flaws in Flash applications using the methodology originally described in Testing
Flash Applications [1] and in Finding Vulnerabilities in Flash Applications [2]
Some neat features:
- Basic predefined attack patterns.
- Highly customizable attacks.
- Highly customizable undefined variables.
- Semi-automated XSS check.
- User configurable
internal parameters.
- Log Window for debugging and tracking.
- History of latest
5 tested SWF files.
- ActionScript Objects runtime explorer in tree view.
- Persistent
Configuration and Layout.
SWFIntruder is hosted @
OWASP and is sponsored by
Minded Security
References:
[1]http://www.owasp.org/images/8/8c/OWASPAppSec2007Milan_TestingFlashApplications.ppt
[2]http://www.owasp.org/images/d/d8/OWASP-ASCAppSec2007SanJose_FindingVulnsinFlashApps.ppt
Web Security
-
Introducing Sqlmap: a blind SQL injection tool (release 0.5)
sqlmap 0.5 is an automatic SQL injection tool developed entirely in Python. It can
perform extensive fingerprinting of the back-end database management system, retrieve
the remote DBMS's databases, users, tables and columns, enumerate the entire DBMS,
read system files and much more, taking advantage of web application programming
flaws that lead to SQL injection vulnerabilities.
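The "blind" in blind SQL injection means the application never shows query output, only whether a query matched; sqlmap turns that one bit into full data extraction. The block below is an added example written for this newsletter, not code from sqlmap: it shows the boolean-based technique in miniature against Python's built-in sqlite3 module, with the vulnerable string-built query beside the parameterised query that defeats it. The one-row users table, the account name and password, and the function names are constructed for the illustration.

```python
import sqlite3

CHARSET = "abcdefghijklmnopqrstuvwxyz0123456789"


def make_db():
    """In-memory users table with one constructed account (not real credentials)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, password TEXT)")
    conn.execute("INSERT INTO users VALUES ('admin', 's3cret')")
    conn.commit()
    return conn


def user_exists_vulnerable(conn, username):
    """Deliberately vulnerable: the untrusted value is spliced into the SQL text.

    The caller only learns True/False, which is exactly the 'blind' situation."""
    sql = "SELECT 1 FROM users WHERE username = '" + username + "'"
    return conn.execute(sql).fetchone() is not None


def user_exists_safe(conn, username):
    """Hardened: a bound parameter is always data, never SQL."""
    sql = "SELECT 1 FROM users WHERE username = ?"
    return conn.execute(sql, (username,)).fetchone() is not None


def blind_extract_password(oracle, target_user, max_len=32):
    """Boolean-based blind extraction, one yes/no question per character.

    `oracle(username)` returns True if the application found a row.  Each probe
    appends a condition on one character of the stored password; the vulnerable
    query supplies the closing quote, so no comment sequence is needed.  Against
    a parameterised query the probe is just a username that does not exist, the
    oracle never answers True, and nothing is recovered.
    """
    recovered = ""
    for position in range(1, max_len + 1):
        for candidate in CHARSET:
            probe = "%s' AND substr(password,%d,1)='%s" % (target_user, position, candidate)
            if oracle(probe):
                recovered += candidate
                break
        else:
            break   # no character matched: end of the password, or not injectable
    return recovered


if __name__ == "__main__":
    db = make_db()
    print("vulnerable query:   ", blind_extract_password(lambda u: user_exists_vulnerable(db, u), "admin"))
    print("parameterised query:", repr(blind_extract_password(lambda u: user_exists_safe(db, u), "admin")))
```

Against the vulnerable function the loop recovers the whole password with at most 36 queries per character; against the parameterised one it returns an empty string. Real tools add DBMS fingerprinting, binary search over the character range and timing-based variants, but the principle is this single true/false oracle.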
Web Security
-
Symantec September "Internet Security Threat Report" - Why you should care!
Attackers have turned their attention to web application vulnerabilities. The grim
statistic: 61% of all vulnerabilities disclosed in the first half of 2007 were web
application vulnerabilities. The source: the September "Internet
Security Threat Report" from
Symantec.
Disclosure: Niche Konsult is a Symantec Value Added Reseller
Web Security
-
Introducing Nikto 2: Open Source web server scanner
Nikto 2 is finally available. Nikto is an open source (GPL) web server scanner which
performs tests against web servers for multiple items, including over 3500 potentially
dangerous files/CGIs, versions on over 900 servers, and version specific problems
on over 250 servers.
Version 2 adds a ton of enhancements, including:
- Fingerprinting
web servers via favicon.ico files;
- 404 error checking for each file type;
- Enhanced
false positive reduction via multiple methods: headers, page content, and content
hashing;
- Scan tuning to include or exclude entire classes of vulnerability checks;
- Uses LibWhisker 2, which has its own long list of enhancements;
- A "single" scan
mode that allows you to craft an HTTP request manually;
- Basic template engine so
that HTML reports can be easily customized;
- An experimental knowledge base for
scans, which will allow regenerated reports and retests (future);
- Optimizations,
bug fixes and more.
For more info visit http://www.cirt.net/code/nikto.shtml
Web Security
-
Introducing CORE GRASP for PHP
CORE GRASP is a web application protection
software solution developed by CoreLabs,
the research unit of Core Security Technologies.
GRASP protects against injection vulnerabilities and enforces privacy in web applications.
GRASP is now available as open source software, under the Apache 2.0
license, and the invitation to collaborate with the project is open. If
you would like to collaborate, please subscribe to our
mailing list.
Web Security
-
Introducing XSS-Me and SQL-Inject Me
Security Compass is proud to announce the release of the first two tools in its
Exploit Me series of application penetration testing tools for Mozilla Firefox:
XSS-Me and SQL Inject-Me. Currently in their beta release stage, these open source
(GPL v3) Firefox plug-ins search through web applications for vulnerable visible
and hidden form fields to perform input validation attacks. Security Compass believes
that these tools will be invaluable not only to penetration testers and QA testers,
but also to developers as a light-weight method to check for common application
security vulnerabilities during the development process. Please visit
http://www.securitycompass.com/
to download these plugins. Please send any feedback to
tools@securitycompass.com and bugs to
bugs@securitycompass.com .
Web Security - KYC or KYE?
- Banks call it KYC (Know Your Client), Now How about KYE (Know Your Enemy)
HoneyNet Whitepaper
Windows Security
- How to get around Group Policy under Windows
Here is how!
Windows Security
- Serious Vulnerability! Windows 2000 communication security flaw
The Windows random number generator, which plays an integral part in email encryption
and in the browser's SSL protocol, has been found to have a
security weakness. Researchers showed that an attacker who obtains the generator's
internal state on Windows 2000 can compute its previous outputs as well as future
ones, exposing keys generated earlier on the same machine.
Windows Security
- Windows XP Service Pack 3 coming
Found two really good previews; here is the
first and the
second.
New features include Network Access Protection (required for compatibility with
Windows Server 2008), product-key-less installation, a new kernel mode
cryptographic module and a black hole router detection algorithm. Grab Windows XP
Service Pack 3 Release Candidate 1 from
Microsoft here.
Windows Security
- Windows Vista/Windows XP Service Pack Blocker
As usual Microsoft has released these
blockers
Windows Security
- Web Proxy Auto-Discovery (WPAD) technology vulnerability
This vulnerability affects both Windows and Internet Explorer. Here is a
press mention and
Microsoft's advisory
Other News
-
Cisco Catalyst 3750 Series Switches now available from Niche Konsult at competitive
prices
Part number         Description
WS-C3750-24FS-S     Catalyst 3750 24 100BaseFX + 2 SFP Standard Multilayer Image
WS-C3750-24TS-S     Catalyst 3750 24 10/100 + 2 SFP Standard Multilayer Image
WS-C3750-24TS-E     Catalyst 3750 24 10/100 + 2 SFP Enhanced Multilayer Image
WS-C3750-24PS-S     Catalyst 3750 24 10/100 PoE + 2 SFP Standard Image
WS-C3750-24PS-E     Catalyst 3750 24 10/100 PoE + 2 SFP Enhanced Image
WS-C3750-48TS-S     Catalyst 3750 48 10/100 + 4 SFP Standard Multilayer Image
WS-C3750-48TS-E     Catalyst 3750 48 10/100 + 4 SFP Enhanced Multilayer Image
WS-C3750-48PS-S     Catalyst 3750 48 10/100 PoE + 4 SFP Standard Image
WS-C3750-48PS-E     Catalyst 3750 48 10/100 PoE + 4 SFP Enhanced Image
WS-C3750G-48PS-E    Catalyst 3750 48 10/100/1000T PoE + 4 SFP Enhanced Image
WS-C3750G-48PS-S    Catalyst 3750 48 10/100/1000T PoE + 4 SFP Standard Image
WS-C3750G-48TS-E    Catalyst 3750 48 10/100/1000T + 4 SFP Enhanced Multilayer
WS-C3750G-48TS-S    Catalyst 3750 48 10/100/1000T + 4 SFP Standard Multilayer
WS-C3750G-24PS-S    Catalyst 3750 24 10/100/1000T PoE + 4 SFP Standard Image
WS-C3750G-24PS-E    Catalyst 3750 24 10/100/1000T PoE + 4 SFP Enhanced Image
WS-C3750G-24TS-E    Catalyst 3750 24 10/100/1000 + 4 SFP Enhcd Multilayer;1.5RU
WS-C3750G-24T-E     Catalyst 3750 24 10/100/1000T Enhanced Multilayer Image
WS-C3750G-24TS-S