Nabble - Security Basics

Re: Cracking FTP password so that I can convince people not to use FTP, and to instead use SFTP? How do I crack the pwd?

2008-10-10T12:09:21Z

Chip:

Crack a FTP server may not be the best way to prove that.
What I did some time ago was setup a small scenario with three
machines (a "server", a client and my notebook) and start sniffing
traffic int my notebook between the server and the client. Then, I
told people to try different services and just tell them which
user/password they have used. Almost one hour of setup (creating
accounts for a bunch of people to check into SMTP/POP3, FTP, HTTP and
TELNET services), and two hours of presentation, but worth indeed.
Most people don't understand how internet works, so they are unaware
of the security implicatios of this protocols, but this presentation
was a success, mostly because everyone leaved the room with the
helpless sensation of insecurity that was the objective of the whole
thing. When you simply say "Oh, this happens every single day,
everywhere, but nobody knows about it...", you can see them opening
their eyes in panic....
Try something like that with your friend (in a smaller scale of
course, or invite a few more friends to justify your efforts and
maximize your fun), and he will surely follow your directions into
whatever you want.

2008/10/10 Chip Panarchy <forumanarchy@...>:

> Hello
>
> I was wondering if I could have some help in 'hacking'/'cracking' an FTP site.
>
> I know that FTP is a very old protocol... so I'm certain that there
> are many holes in it. Especially in one that hasn't been maintained
> for a few years.
>
> How do I crack the password on the FTP site so that I can use that to
> convince the owner of the site (a friend of mine) to switch to SFTP?
>
> I really want to know, because no matter how hard I argue with him,
> there still is no comparison to cold hard evidence. I've been trying
> to convince him for the last month, but he won't budge. Finally I got
> him to give me permission to attempt to hack his FTP site.
>
> So please tell me what method I can use to hack the FTP site.
>
> Thanks in advance,
>
> Chip Panarchy
>

--
Saludos,
Gustavo Castro Puig.
E-Mail: gcastrop@...

LPI Level-1 Certified (https://www.lpi.org/es/verify.html
LPID:LPI000042304 Verification Code: hp6re8w5qg )
-----BEGIN GEEK CODE BLOCK-----
Version: 3.12
GCS/CM/IT/ED dx s-:- a? C(+++)$ UL++++*$ P+ L++++(++)$ E--- W+++$ N+ o?
K- w O M V-- PS PE++(-) Y-(+) PGP+ t(++) 5+ X++ R tv+ b++(++++) DI+++
D++ G++ e++ h--- r y+++
------END GEEK CODE BLOCK------
Registered Linux User #69342

RE: Cracking FTP password so that I can convince people not to use FTP, and to instead use SFTP? How do I crack the pwd?

2008-10-10T11:18:15Z

Hi Chip,

You don't want or need to hack his server. Honestly, you can brute
force anything given time and resources. It's just a matter of having
enough of each and some reason to make it worthwhile.

The easiest way to demonstrate the problem with FTP is to gather FTP
passwords with a network protocol sniffer like Wireshark (formerly
Ethereal). Just have him install the free packet sniffer, and show him
that every time he puts in his FTP password, anyone with access to a
server or network he routes through between his computer and his FTP
site can read his username and password in plain-text. While Wireshark
analysis can be complex, just starting a capture, finding the FTP
packets, and reading them when you know they are coming should be pretty
straight-forward. You can also have him look at a http login packet vs.
an https site packet.

Cracking the password doesn't demonstrate much. The point is that
with old protocols like FTP, you don't need to crack the password. You
can just read it in standard network traffic. SFTP or FTP over SSH
encrypts the username/password before it goes over the wire.

- Don

-----Original Message-----
From: listbounce@... [mailto:listbounce@...]
On Behalf Of Chip Panarchy
Sent: Friday, October 10, 2008 10:23 AM
To: security-basics@...; pen-test@...
Subject: Cracking FTP password so that I can convince people not to use
FTP, and to instead use SFTP? How do I crack the pwd?

Hello

I was wondering if I could have some help in 'hacking'/'cracking' an FTP
site.

I know that FTP is a very old protocol... so I'm certain that there
are many holes in it. Especially in one that hasn't been maintained
for a few years.

How do I crack the password on the FTP site so that I can use that to
convince the owner of the site (a friend of mine) to switch to SFTP?

I really want to know, because no matter how hard I argue with him,
there still is no comparison to cold hard evidence. I've been trying
to convince him for the last month, but he won't budge. Finally I got
him to give me permission to attempt to hack his FTP site.

So please tell me what method I can use to hack the FTP site.

Thanks in advance,

Chip Panarchy

**********************************************************************
This e-mail is intended for the use of the addressee(s) only and may contain privileged, confidential, or proprietary information of ICG Commerce. If you have received this message in error, please e-mail administrator at postmaster@..., then delete the e-mail and destroy any printed copy. ICG Commerce reserves the right to retain, archive, use and disclose any emails that are sent from or to this email address. Thank you.

www.icgcommerce.com

**********************************************************************

Re: Learn SELinux

2008-10-10T11:16:17Z

Sourceforge has a good getting started guide on selinux. Search
"selinux howto" in google and it should pop up.

On Oct 10, 2008, at 10:50 AM, Martin Spinassi
<martins.listz@...> wrote:

> Hello all.
>
> I'm trying to understand SELinux and learning how to use it. I think
> it's pretty much THE way to securize a system.
>
> Sadly, I haven't found something like a complete manual at NSA site.
> Anyway I'm reading them (not the presentations).
>
>
> Can you point me some good reading about SELinux?
> Anyone with some comments or experiences about it?
>
>
> Thanks to all!
>
>
> Martín
>

Re: Cracking FTP password so that I can convince people not to use FTP, and to instead use SFTP? How do I crack the pwd?

2008-10-10T11:13:32Z

SFTP has nothing to do with the strength of the password. SFTP will
only encrypt the FTP session. When logging in with FTP, the username
and password is transmitted in plain text. Whereas SFTP encrypts the
username and password as it's transmitted. So you would need to be
sniffing the end users network while he logs in to his server with FTP
to get his username and password.

You could do this and have him do the same with SFTP, then show him
the results to compare and it will most likely bring things into
perspective for the EU.

On Oct 10, 2008, at 10:22 AM, "Chip Panarchy" <forumanarchy@...>
wrote:

> Hello
>
> I was wondering if I could have some help in 'hacking'/'cracking' an
> FTP site.
>
> I know that FTP is a very old protocol... so I'm certain that there
> are many holes in it. Especially in one that hasn't been maintained
> for a few years.
>
> How do I crack the password on the FTP site so that I can use that to
> convince the owner of the site (a friend of mine) to switch to SFTP?
>
> I really want to know, because no matter how hard I argue with him,
> there still is no comparison to cold hard evidence. I've been trying
> to convince him for the last month, but he won't budge. Finally I got
> him to give me permission to attempt to hack his FTP site.
>
> So please tell me what method I can use to hack the FTP site.
>
> Thanks in advance,
>
> Chip Panarchy

Re: Cracking FTP password so that I can convince people not to use FTP, and to instead use SFTP? How do I crack the pwd?

2008-10-10T10:57:39Z

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Chip Panarchy wrote:
> Hello
>
> I was wondering if I could have some help in 'hacking'/'cracking' an FTP site.
>

Chip,

No need to 'crack' ftp passwords... they are sent in the clear!
Basically, all you need to do is to sniff the network. Wireshark will
even format the capture to clearly show the ftp password. (If you demo
this, after sniffing an ftp password, make a connection using sftp while
sniffing the network... no password can be seen.)

If you are on a switched network, you can either wire a hub between the
switch and the router and sniff from there, or use ethercap or a similar
package to ARP spoof the default gateway, routing traffic first to you
and then to the real default gateway port.

I hope this helps!

Jon Kibler
- --
Jon R. Kibler
Chief Technical Officer
Advanced Systems Engineering Technology, Inc.
Charleston, SC USA
o: 843-849-8214
c: 843-224-2494
s: 843-564-4224
http://www.linkedin.com/in/jonrkibler

My PGP Fingerprint is:
BAA2 1F2C 5543 5D25 4636 A392 515C 5045 CF39 4253

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.8 (Darwin)
Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org

iEYEARECAAYFAkjvl5MACgkQUVxQRc85QlMmwwCgjm3FT5x+lr7ySBrliuY3bpsh
jhsAoJhIjjptFxHka4V8kRNWbGIxC3GB
=ojZg
-----END PGP SIGNATURE-----

==================================================
Filtered by: TRUSTEM.COM's Email Filtering Service
http://www.trustem.com/
No Spam. No Viruses. Just Good Clean Email.

Re: Hard Drive Forensics Question

2008-10-10T10:41:13Z

The use of thermite on old drives works quite well and makes for a
nice show as well...

http://hackaday.com/2008/09/16/how-to-thermite-based-hard-drive-anti-forensic-destruction/

Enjoy

On Thu, Oct 9, 2008 at 9:37 AM, Ansgar Wiechers
<bugtraq@...> wrote:

>
> On 2008-10-08 J. Oquendo wrote:
> > On Wed, 08 Oct 2008, Ansgar Wiechers wrote:
> >>> And that would do?
> >>> http://www.ontrackdatarecovery.co.uk/columbia-drive-recovery/
> >>
> >> I don't think so. How was that disk wiped?
> >
> > Wiped? That drive was recovered from the Space Shuttle that blew up.
>
> Ah, sorry, I failed to understand what you were getting at. It was late.
>
> Yes, a furnace heating the drive at least above the Curie temperature of
> the drive's platters (and keep it at that temperature for some time)
> would indeed do, AFAICS. An explosion is a very different situation,
> because the destructive effects come primarily from volume expansion
> (i.e. physical force) and to a much lesser extent from heat. Also the
> objects are exposed to the heat only for a very short period of time,
> meaning that the casing (or other physical barriers between platters and
> the center of the explosion) will shield the platters from the heat,
> thus reducing the thermal effects even more.
>
> Regards
> Ansgar Wiechers
> --
> "All vulnerabilities deserve a public fear period prior to patches
> becoming available."
> --Jason Coombs on Bugtraq

Re: Learn SELinux

2008-10-10T10:35:24Z

Hi Martin,

On Fri, Oct 10, 2008 at 8:50 AM, Martin Spinassi
<martins.listz@...> wrote:
> Can you point me some good reading about SELinux?
> Anyone with some comments or experiences about it?

Here are a few links to get you started:

Sites:
http://www.selinuxproject.org/page/Main_Page
http://www.gentoo.org/proj/en/hardened/selinux/selinux-handbook.xml
http://ubuntu-tutorials.com/2008/03/18/how-to-install-selinux-on-ubuntu-804-hardy-heron/

Books:
http://www.onjava.com/catalog/selinux/
http://www.amazon.com/SELinux-Example-Security-Enhanced-Development/dp/0131963694

Cheers,
--scm

Shawn Merdinger
Security Researcher

Re: Cracking FTP password so that I can convince people not to use FTP, and to instead use SFTP? How do I crack the pwd?

2008-10-10T10:23:18Z

Chip,
You are missing the point. SFTP and FTP are only different because one
uses encrypted channels to communicate and the other is clear text. That
has nothing to do with the actual security or lack there of, of the FTP
service. In fact, FTP can be very secure from a service perspective.
That said, I'd not recommend to anyone that they transfer data over FTP
if its sensitive.

The simple answer, sniff his connection and show him that his passwords
are sent clear text. Why are you on this mission?

Regards,
Adriel T. Desautels
Chief Technology Officer
Netragard, LLC.
Office : 617-934-0269
Mobile : 617-633-3821
http://www.linkedin.com/pub/1/118/a45

Join the Netragard, LLC. Linked In Group:
http://www.linkedin.com/e/gis/48683/0B98E1705142

------------------------------------------------
Netragard, LLC - "The Specialist in Anti-Hacking"

Netragard Whitepaper Downloads:
-------------------------------
Choosing the right provider : http://tinyurl.com/2ahk3j
Three Things you must know : http://tinyurl.com/26pjsn

Chip Panarchy wrote:

Re: Learn SELinux

2008-10-10T10:21:28Z

I find Coker page[0] about SELinux very interesting, and you always have
his SELinux Play machine.

Hope it helps.

[0] - http://www.coker.com.au/selinux/

Tiago

-
.--.
|o_o | Tiago 'gouki' Faria [ gouki@... ]
|:_/ |
// \ \ Jabber: gouki@...
(| | ) WWW: http://goukihq.org
/'\_ _/`\
\___)=(___/

On Fri, 2008-10-10 at 12:50 -0200, Martin Spinassi wrote:

signature.asc (196 bytes) Download Attachment

Re: Cracking FTP password so that I can convince people not to use FTP, and to instead use SFTP? How do I crack the pwd?

2008-10-10T10:19:18Z

The only methods I know on cracking an FTP site, still apply to SFTP.
SFTP has several improvements, namely point-to-point encryption, but
when it comes to login, they can both be exploited the same way. Brute
force or dictionary attack.

If you want to show something to your friend, run Wireshark and capture
the password he used to login to his site. Make him use SFTP and show
him the difference. You'll be showing the biggest problem with FTP -
plain text.

Tiago

-
.--.
|o_o | Tiago 'gouki' Faria [ gouki@... ]
|:_/ |
// \ \ Jabber: gouki@...
(| | ) WWW: http://goukihq.org
/'\_ _/`\
\___)=(___/

On Sat, 2008-10-11 at 01:22 +1100, Chip Panarchy wrote:

signature.asc (196 bytes) Download Attachment

Re: IT crime investigation courses

2008-10-10T09:43:15Z

On Friday 10 Oct 2008 1:38:04 am Marc-André Laverdière wrote:
> Hi,
>
> Concordia University has forensics classes, and they'll lead a
> national training centre in forensics.

Will they provide on-line course also ?

thanks

>
> On Tue, Oct 7, 2008 at 11:14 PM, Ahmad AlOwfi <ahmad@...> wrote:
> > Hello everyone
> >
> > I would like to get Courses in IT crime investigation , anyone can help
> > me in that?
> >
> >
> > Thank you
> >
> > ...................
> > Best regards,
> > Ahmad AlOwfi
> > Project Manager
> > Network & Information Security Consultant

Learn SELinux

2008-10-10T07:50:23Z

Hello all.

I'm trying to understand SELinux and learning how to use it. I think
it's pretty much THE way to securize a system.

Sadly, I haven't found something like a complete manual at NSA site.
Anyway I'm reading them (not the presentations).

Can you point me some good reading about SELinux?
Anyone with some comments or experiences about it?

Thanks to all!

Martín

RE: Terminal services

2008-10-10T07:43:14Z

Sonicwall also has the SSL-VPN solution.
Cheap ($) and very effective (easy to manage, very quick and users like
it).

http://www.sonicwall.com/us/products/Secure_Remote_Access.html

-----Original Message-----
From: listbounce@... [mailto:listbounce@...]
On Behalf Of Dante Signal31
Sent: 10 octobre 2008 06:25
To: velzaf@...
Cc: security-basics@...
Subject: Re: Terminal services

2008/10/1 <velzaf@...>:
> Thanks to all of you guys for your answers, well we already thought in
a stand alone solution, vmware could be a very good > option, but the
application use a dongle in a USB memory and it is located at the server
and the proccess to synchronize > the stand alone application is very
difficult, furthermore it is a third party application, so we ruled out
that option, in the
> other hand the application is not Web at all, it coul be implemented
with some funtions but is not the interest of the >enterpriese and the
only one solution we saw is the use of Terminal Server.
>

Hi Fernando,

nowadays there is a lot of VPN-SSL platforms that offer Terminal
Servers sessions through Java Applets. So you have the security
provided by an VPN-SSL access (clients have no direct access to
Terminal Server) and the functionalities of TS sesions.

I've tested Juniper's SA and they can do what I've told you [1].
Besides Fortigate UTM firewalls have VPN-SSL capabilities with TS
support over Java Applets [2]. If you prefer open source options I've
heard about some of them but I have no direct experience with any.

References:
[1] http://www.juniper.net/products_and_services/ssl_vpn_secure_access/
[2] http://www.fortinet.com/products/

Kind regards

Dante
(http://danteslab.blogspot.com/)

Re: Flash Drive Policy

2008-10-10T07:35:33Z

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

All,

Okay, I *REALLY* hate to reply to my own posting, but...

- From the several off-list comments / questions I have received from this
posting ("I don't see any policy information on this page, did I miss
something?"), the point I was trying to make obviously got completely
lost on a bunch of folks!

So... in case you missed it, these are my points:
1) All unused USB ports should be turned off in BIOS. (And, BIOS
should be locked with an administrative password.)
2) USB devices -- especially flash drives and other storage media --
do not, in general, have a place in the workplace.
3) If you absolutely must enable the use of flash drives (or other
removable media), then:
a) They must be scanned by AV software before access is allowed.
b) Nothing on the removable media should be allowed to execute.
c) All data transferred to / from removable media must be logged.
d) Data exfiltration safeguards need to be applied separate from
the implementation of any removable media.

Where were my points buried in that page? Well, if you can plug in a
flash drive and have it steal credentials from the computer with no
other user interaction required, you clearly have a SERIOUS security
issue that could be exploited by anyone possessing a flash drive.

Need I explain more?

Jon K.

Jon Kibler wrote:
> Steven Bonici wrote:
>> I am looking for a policy on using flash drives, can someone point me to
>> one?
>
> See: http://wiki.hak5.org/wiki/USB_Switchblade
>
> This will clearly show what should be your policy.
>
> Jon K.
- --
Jon R. Kibler
Chief Technical Officer
Advanced Systems Engineering Technology, Inc.
Charleston, SC USA
o: 843-849-8214
c: 843-224-2494
s: 843-564-4224
http://www.linkedin.com/in/jonrkibler

My PGP Fingerprint is:
BAA2 1F2C 5543 5D25 4636 A392 515C 5045 CF39 4253

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.8 (Darwin)
Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org

iEYEARECAAYFAkjvaDUACgkQUVxQRc85QlPl9wCeMV3V5JiJl1rY3DuXUKS0NGbh
oQcAniRfba7waUPtqVpZrmHMMJs0Q/YY
=uFtB
-----END PGP SIGNATURE-----

==================================================
Filtered by: TRUSTEM.COM's Email Filtering Service
http://www.trustem.com/
No Spam. No Viruses. Just Good Clean Email.

Cracking FTP password so that I can convince people not to use FTP, and to instead use SFTP? How do I crack the pwd?

2008-10-10T07:22:32Z

Hello

I was wondering if I could have some help in 'hacking'/'cracking' an FTP site.

I know that FTP is a very old protocol... so I'm certain that there
are many holes in it. Especially in one that hasn't been maintained
for a few years.

How do I crack the password on the FTP site so that I can use that to
convince the owner of the site (a friend of mine) to switch to SFTP?

I really want to know, because no matter how hard I argue with him,
there still is no comparison to cold hard evidence. I've been trying
to convince him for the last month, but he won't budge. Finally I got
him to give me permission to attempt to hack his FTP site.

So please tell me what method I can use to hack the FTP site.

Thanks in advance,

Chip Panarchy

Re: Terminal services

2008-10-10T03:25:15Z

2008/10/1 <velzaf@...>:
> Thanks to all of you guys for your answers, well we already thought in a stand alone solution, vmware could be a very good > option, but the application use a dongle in a USB memory and it is located at the server and the proccess to synchronize > the stand alone application is very difficult, furthermore it is a third party application, so we ruled out that option, in the
> other hand the application is not Web at all, it coul be implemented with some funtions but is not the interest of the >enterpriese and the only one solution we saw is the use of Terminal Server.
>

Hi Fernando,

nowadays there is a lot of VPN-SSL platforms that offer Terminal
Servers sessions through Java Applets. So you have the security
provided by an VPN-SSL access (clients have no direct access to
Terminal Server) and the functionalities of TS sesions.

I've tested Juniper's SA and they can do what I've told you [1].
Besides Fortigate UTM firewalls have VPN-SSL capabilities with TS
support over Java Applets [2]. If you prefer open source options I've
heard about some of them but I have no direct experience with any.

References:
[1] http://www.juniper.net/products_and_services/ssl_vpn_secure_access/
[2] http://www.fortinet.com/products/

Kind regards

Dante
(http://danteslab.blogspot.com/)

Re: Flash Drive Policy

2008-10-10T02:33:26Z

Steven,

You would need to modify the document however I think this is close to
what you are looking for.

http://www.sans.org/resources/policies/Remote_Access.pdf

http://www.sans.org/resources/policies/Information_Sensitivity_Policy.pdf

Hope this helps.

Thanks,
Aditya Govind Mukadam

On Fri, Oct 10, 2008 at 1:09 AM, Steven Bonici <sbonici@...> wrote:

>
> I am actually looking for a document. I know there are tools out there
> and we should be using them, but I would like to start with some kind of
> written document. There are a number people that take work home (I know
> that is bad), but I haven't been here all that long and they have been
> doing this since the "floppy" days. I am concerned that people are not
> protecting themselves correctly at home (antivirus, updates, etc) and
> want to make sure they aware that they are responsible for the data on
> the drive. I have been holding security awareness presentations, but we
> need a written policy that they are going to sign.
>
> Thanks.
>
> -----Original Message-----
> From: Gleb Paharenko [mailto:gpaharenko@...]
> Sent: Thursday, October 09, 2008 3:35 PM
> To: Steven Bonici
> Cc: security-basics@...
> Subject: Re: Flash Drive Policy
>
> Hi!
>
> In case you mean - a policy - like a document - it all about your
> business needs and risks. There plenty of tools which can support your
> policy. For example devicelock or Cisco Security Agent.
>
> 2008/10/9 Steven Bonici <sbonici@...>:
>>
>>
>> I am looking for a policy on using flash drives, can someone point me
>> to one?
>>
>> Thanks - Steven
>>
>
>
>
> --
> Best regards.
> Gleb Pakharenko.
> http://gpaharenko.livejournal.com
> http://www.linkedin.com/in/gpaharenko
>

Re: Impact of Global recession on Security !

2008-10-09T21:13:49Z

I thank everyone to have read the email and have also responded.I
received few off line messages as well :-)

I sincerely apologize to the list ,if my email sounds
harsh,strange,frustrating. My only intention is to 'Understand your
view on Global recession impact on Security filed '. So, please feel
free to write what you think (and not necessarily w.r.t my views).
Since this list has people all over the world, it becomes easy to get
the views and understand the impact of global recession on different
economies if any.

Also, as a responsible person ( who asks questions to list) , i think
it is required to first portray my views and then ask people for their
individual views. People can have their own views and not necessarily
think what I think and that's the interesting part of being in the
list :-) various viewpoints !

Thanks,
Aditya Govind Mukadam

On Fri, Oct 10, 2008 at 12:37 AM, <krymson@...> wrote:

> Overall, I don't think the "global recession" will have any specific impact on information security that any other sector of a business won't already be feeling. If there is a difference, I think it will be negative.
>
> Oh, I'm not a social science or economic researcher or even involved in hiring and budget planning on an executive level. This is just me rambling from my little corner in the basement listening to the thrum of the network tubes...
>
> Security is a cost. When the belt needs to get tightened, costs are cut. And cutting security a bit more than other areas means little impact to the business. If you make widgets and your business feels budgets dwindle, if your security budget decreases, will that negatively impact how many widgets you can produce and/or sell? Not usually unless you have lawyers, regulations, or strict internal morals forcing the bumper car named "The Gamble of Insecurity" into the proper lanes.
>
> This might cause shift in security workers away from companies who have this (arguably wrong) view of security over to companies that do have it and still value it in times of recession. But otherwise, nothing much difference than today or two years ago, imo.
>
>
>> 1) Increase on vulnerabilities, risks, threats, easy availability of hacking tools, Cyber terrorism etc will demand strict countermeasures
> which cannot be ignored.These things will make sure that the security budget will stay intact.
>
> RE1) This is pretty much the way it goes for us, recession or not. Risks and vulns and threats increase in relation to our countermeasures, etc. The only issue I see with this statement may be when some other influence appears, like a new technology or a new threat or threat vector appears which causes an increase. Recession or not, a few instance of "cyber warfare" (real or perceived) could influence budgets in that direction regardless of the constricting budgets.
>
>> 2) During the recession time, companies will not want their business to be impacted due to security reasons and hamper the revenue even
> further.
>
> Do you spend more in a recession on assurances that your company will be secure or do you spend more on making your sales? Do you cut costs that might impact your ability to sell and manage accounts, or cut back on your technology costs?
>
> If anything, I see big projects being put on hold, spending stagnating, extraneous costs axed (useless software assurance agreements), raises slowing to a trickle, and less hiring in security for companies that are truly impacted.
>
>
>> 3) Need of Industry certifications will rise.
>
> I'm not sure about this. The contrarian that I am on this beautiful Thursday will counter that certifications equate to higher salaries. When higher is slowing and raises are dwindling, I would wonder if some people find themselves asking for more than some orgs can stomach for now. This won't lead to a decrease in certs at all, I just don't think it will lead to any marked increase.
>
> Likewise, certs are not cheap (time+cost), and consumer spending will also be impacted. There will be plenty of people who may put off a cost like this in order to make ends meet today.
>
>
>> 4) Companies will invest in remote access solutions like SSL VPN etc so that people can work from home than travel to office as a part of
> cost cutting.
>
> I don't think so. The gasoline cost issue is largely a consumer one (although there are plenty of industries where logistics is feeling the pressure of this cost as well). What I mean is that it is not a business need that is driving the desire to work from home to save on gas, but rather workers trying to get that benefit.
>
> After the US 9/11 event, the gov't pushed for mandates on supporting teleworkers go gov't work could continue even in a crisis. I thought this would carry over more into the private sector, but it really hasn't as much as I thought. Part of me is not really surprised.
>
> The last time you worked from home, honestly, how effective were you? I don't know about you, but I find the pull of a World of Warcraft or TF2 session to be pretty tempting. I think private sector managers understand this tendency and will only allow regular working from home when absolutely necessary. Not as a gesture of good will in a recession. Allowing workers to work from home and be less efficient/productive/useful is a cost, which is bad in a recession.
>
> From a cost and security standpoint, I find home workers to be one of the most annoying use-cases to think about. Do you let them use their own computers? Do you issue them all laptops or home systems? Do you have the bandwidth to support a third of your workforce teleworking on a Monday? If they use their own system, are you ready to block the personal/gaming/questionable sites they visit that would otherwise be blocked if they were in the office? Can you ensure they are not siphoning data off your network through their computer or a removable media device? Can you manage their system's security settings and protection software? What about your phone system extending out...etc. It's all much more cost than people think, if you want it done wholistically.
>
> BUT WAIT! DON'T STOP READING! I DO ACTUALLY THINK YOU HAVE A POINT! :)
>
> You briefly mention that conslutant groups may benefit from this, and I think you have a point! Outsourcing costly security functions may actually be a growth spurt in a recession. And not just security, but many technology functions. It is expensive to maintain the technological architecture for business these days, let alone the cost of doing it securely. And unless you're in a tech industry, those costs do nothing to improve your business bottomline. It might just make sense to out-source these functions to groups that may cost less, may have more expertise than you'd ever get internally.
>
> Is this an improvement? I'd say no, usually. I still feel you're better off spending money on the salaries for security staff.
>
> The dangerous part is when such conslutancies get too many clients and thus can't provide very good service at all. Which can you manage better as a security conslutant: 4 clients with whom you are intimate, or 25 clients you barely know and have to rely on automated alerts and uncustomized solutions?
>
>

RE: Impact of Global recession on Security !

2008-10-09T16:20:09Z

Con-slutants? Intimate with clients? I shiver to think what people are going
to have to do to get work soon...and I have stooped pretty low before ;-)

Great thought provoking post. I think there may be a spike in consolidation
projects too so consultants will be looking at a rise in projects in that
direction. Also, there's so much pushing at the whole power-saving green
thing. Cost and efficiency projects still need security.

My brother was about to head for an interview with Merril Lynch, consulting
on a project a few weeks ago-obviously that collapsed quicker than a banker
can say bailout.

Not related to Infosec but here's a link to a cartoon that explains the
whole crisis using hilarious stick figures(caveat: there is some swearing,
just in case you get into trouble at work):

http://bigpicture.typepad.com/comments/2008/02/how-subprime-re.html

>>The dangerous part is when such conslutancies get too many clients and
>>thus can't provide very good service at all. Which can you manage better
>>as a security conslutant: 4 clients with whom you are intimate, or 25
clients you barely know and have to rely on automated alerts and
uncustomized solutions?

> >-----Original Message-----
> >From: listbounce@... [mailto:listbounce@...]
> >On Behalf Of krymson@...
> >Sent: Friday, October 10, 2008 5:07 AM
> >To: security-basics@...
> >Subject: Re: Impact of Global recession on Security !
> >
> >Overall, I don't think the "global recession" will have any specific
> >impact on information security that any other sector of a business won't
> >already be feeling. If there is a difference, I think it will be
> >negative.
> >
> >
> >
> >Oh, I'm not a social science or economic researcher or even involved in
> >hiring and budget planning on an executive level. This is just me
> >rambling from my little corner in the basement listening to the thrum of
> >the network tubes...
> >
> >
> >
> >Security is a cost. When the belt needs to get tightened, costs are cut.
> >And cutting security a bit more than other areas means little impact to
> >the business. If you make widgets and your business feels budgets
> >dwindle, if your security budget decreases, will that negatively impact
> >how many widgets you can produce and/or sell? Not usually unless you have
> >lawyers, regulations, or strict internal morals forcing the bumper car
> >named "The Gamble of Insecurity" into the proper lanes.
> >
> >
> >
> >This might cause shift in security workers away from companies who have
> >this (arguably wrong) view of security over to companies that do have it
> >and still value it in times of recession. But otherwise, nothing much
> >difference than today or two years ago, imo.
> >
> >
> >
> >
> >
> >> 1) Increase on vulnerabilities, risks, threats, easy availability of
> >hacking tools, Cyber terrorism etc will demand strict countermeasures
> >
> >which cannot be ignored.These things will make sure that the security
> >budget will stay intact.
> >
> >
> >
> >RE1) This is pretty much the way it goes for us, recession or not. Risks
> >and vulns and threats increase in relation to our countermeasures, etc.
> >The only issue I see with this statement may be when some other influence
> >appears, like a new technology or a new threat or threat vector appears
> >which causes an increase. Recession or not, a few instance of "cyber
> >warfare" (real or perceived) could influence budgets in that direction
> >regardless of the constricting budgets.
> >
> >
> >
> >> 2) During the recession time, companies will not want their business to
> >be impacted due to security reasons and hamper the revenue even
> >
> >further.
> >
> >
> >
> >Do you spend more in a recession on assurances that your company will be
> >secure or do you spend more on making your sales? Do you cut costs that
> >might impact your ability to sell and manage accounts, or cut back on
> >your technology costs?
> >
> >
> >
> >If anything, I see big projects being put on hold, spending stagnating,
> >extraneous costs axed (useless software assurance agreements), raises
> >slowing to a trickle, and less hiring in security for companies that are
> >truly impacted.
> >
> >
> >
> >
> >
> >> 3) Need of Industry certifications will rise.
> >
> >
> >
> >I'm not sure about this. The contrarian that I am on this beautiful
> >Thursday will counter that certifications equate to higher salaries. When
> >higher is slowing and raises are dwindling, I would wonder if some people
> >find themselves asking for more than some orgs can stomach for now. This
> >won't lead to a decrease in certs at all, I just don't think it will lead
> >to any marked increase.
> >
> >
> >
> >Likewise, certs are not cheap (time+cost), and consumer spending will
> >also be impacted. There will be plenty of people who may put off a cost
> >like this in order to make ends meet today.
> >
> >
> >
> >
> >
> >> 4) Companies will invest in remote access solutions like SSL VPN etc so
> >that people can work from home than travel to office as a part of
> >
> >cost cutting.
> >
> >
> >
> >I don't think so. The gasoline cost issue is largely a consumer one
> >(although there are plenty of industries where logistics is feeling the
> >pressure of this cost as well). What I mean is that it is not a business
> >need that is driving the desire to work from home to save on gas, but
> >rather workers trying to get that benefit.
> >
> >
> >
> >After the US 9/11 event, the gov't pushed for mandates on supporting
> >teleworkers go gov't work could continue even in a crisis. I thought this
> >would carry over more into the private sector, but it really hasn't as
> >much as I thought. Part of me is not really surprised.
> >
> >
> >
> >The last time you worked from home, honestly, how effective were you? I
> >don't know about you, but I find the pull of a World of Warcraft or TF2
> >session to be pretty tempting. I think private sector managers understand
> >this tendency and will only allow regular working from home when
> >absolutely necessary. Not as a gesture of good will in a recession.
> >Allowing workers to work from home and be less
> >efficient/productive/useful is a cost, which is bad in a recession.
> >
> >
> >
> >From a cost and security standpoint, I find home workers to be one of the
> >most annoying use-cases to think about. Do you let them use their own
> >computers? Do you issue them all laptops or home systems? Do you have the
> >bandwidth to support a third of your workforce teleworking on a Monday?
> >If they use their own system, are you ready to block the
> >personal/gaming/questionable sites they visit that would otherwise be
> >blocked if they were in the office? Can you ensure they are not siphoning
> >data off your network through their computer or a removable media device?
> >Can you manage their system's security settings and protection software?
> >What about your phone system extending out...etc. It's all much more cost
> >than people think, if you want it done wholistically.
> >
> >
> >
> >BUT WAIT! DON'T STOP READING! I DO ACTUALLY THINK YOU HAVE A POINT! :)
> >
> >
> >
> >You briefly mention that conslutant groups may benefit from this, and I
> >think you have a point! Outsourcing costly security functions may
> >actually be a growth spurt in a recession. And not just security, but
> >many technology functions. It is expensive to maintain the technological
> >architecture for business these days, let alone the cost of doing it
> >securely. And unless you're in a tech industry, those costs do nothing to
> >improve your business bottomline. It might just make sense to out-source
> >these functions to groups that may cost less, may have more expertise
> >than you'd ever get internally.
> >
> >
> >
> >Is this an improvement? I'd say no, usually. I still feel you're better
> >off spending money on the salaries for security staff.
> >
> >
> >
> >The dangerous part is when such conslutancies get too many clients and
> >thus can't provide very good service at all. Which can you manage better
> >as a security conslutant: 4 clients with whom you are intimate, or 25
> >clients you barely know and have to rely on automated alerts and
> >uncustomized solutions?
> >

Re: Flash Drive Policy

2008-10-09T15:28:03Z

Hello,

I believe you are looking for policies, not products.

California policy on portable computer and storage devices
http://www.dof.ca.gov/budgeting/budget_letters/documents/BL05-32.pdf

The ISF standard, section UE 4, pdf download
https://www.isfsecuritystandard.com/SOGP07/index.htm

NIST SP800-53 Rev. 2, and SP800-53SA, sections AC-19
http://csrc.nist.gov/publications/PubsSPs.html

The Sedona Principles, Comment 8b
http://www.thesedonaconference.org/dltForm?did=TSC_PRINCP_2nd_ed_607.pdf

Those are the documents I had on hand. You will need to search using
the terms "portable storage" to find more since these type so policies
cover thumb drives as well as portable drives (USB or firewire)

Lee

W. Lee Schexnaider, CISSP
Sr. Engineer – Compliance Content Developer/Researcher
Symantec Corporation
www.symantec.com
-----------------------------------------------------
Houston, Texas
Email: lee_schexnaider@...

On Wed, Oct 8, 2008 at 3:53 PM, Steven Bonici <sbonici@...> wrote:
>
>
> I am looking for a policy on using flash drives, can someone point me to
> one?
>
> Thanks - Steven
>

Re: IT crime investigation courses

2008-10-09T13:08:04Z

Hi,

Concordia University has forensics classes, and they'll lead a
national training centre in forensics.

On Tue, Oct 7, 2008 at 11:14 PM, Ahmad AlOwfi <ahmad@...> wrote:

> Hello everyone
>
> I would like to get Courses in IT crime investigation , anyone can help me
> in that?
>
>
> Thank you
>
> ...................
> Best regards,
> Ahmad AlOwfi
> Project Manager
> Network & Information Security Consultant
>
>

--
Marc-André LAVERDIÈRE
"Perseverance must finish its work so that you may be mature and
complete, not lacking anything." -James 1:4
mlaverd.theunixplace.com/blog

/"\
\ / ASCII Ribbon Campaign
X against HTML e-mail
/ \

RE: Flash Drive Policy

2008-10-09T12:39:58Z

I am actually looking for a document. I know there are tools out there
and we should be using them, but I would like to start with some kind of
written document. There are a number people that take work home (I know
that is bad), but I haven't been here all that long and they have been
doing this since the "floppy" days. I am concerned that people are not
protecting themselves correctly at home (antivirus, updates, etc) and
want to make sure they aware that they are responsible for the data on
the drive. I have been holding security awareness presentations, but we
need a written policy that they are going to sign.

Thanks.

-----Original Message-----
From: Gleb Paharenko [mailto:gpaharenko@...]
Sent: Thursday, October 09, 2008 3:35 PM
To: Steven Bonici
Cc: security-basics@...
Subject: Re: Flash Drive Policy

Hi!

In case you mean - a policy - like a document - it all about your
business needs and risks. There plenty of tools which can support your
policy. For example devicelock or Cisco Security Agent.

2008/10/9 Steven Bonici <sbonici@...>:
>
>
> I am looking for a policy on using flash drives, can someone point me
> to one?
>
> Thanks - Steven
>

--
Best regards.
Gleb Pakharenko.
http://gpaharenko.livejournal.com
http://www.linkedin.com/in/gpaharenko

Re: Flash Drive Policy

2008-10-09T12:35:03Z

Hi!

In case you mean - a policy - like a document - it all about your
business needs and risks. There plenty of tools which can support your
policy. For example devicelock or Cisco Security Agent.

2008/10/9 Steven Bonici <sbonici@...>:
>
>
> I am looking for a policy on using flash drives, can someone point me to
> one?
>
> Thanks - Steven
>

--
Best regards.
Gleb Pakharenko.
http://gpaharenko.livejournal.com
http://www.linkedin.com/in/gpaharenko

Re: Java Enterprise Safe ??

2008-10-09T12:31:51Z

Hi!

IMHO, java projects have better security. Variable binding and no
dynamic sql significantly improves sqli strength.

2008/10/7 Mattias Hemmmingsson <mattias@...>:

> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA1
>
> God morning
>
> We are now working with java enterprise at the glassfish server.
> And a come of thinking how secure is java really ?
>
>
> If you look att OWASP home page you can find the ten most common
> security risk against java,
>
> So with XSS how mutch damiage can you do to the system ore can you
> only change the clients view ?
>
> Sql injection is it poosible to do with java enterprise ?
>
> And the big one JAS ( java auth system or somthing like that) How safe
> is it realy ?
>
>
> // matte
>
> -----BEGIN PGP SIGNATURE-----
> Version: GnuPG v1.4.6 (GNU/Linux)
> Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org
>
> iD8DBQFI6wZUNJQJ1TN4TrgRAi90AJwJJxGG1fdpNrJWMGShU+kEpf2GmACfaeSs
> T0OutNQWyeyb6bu4kbiVOn8=
> =ZJBA
> -----END PGP SIGNATURE-----
>
>
>

--
Best regards.
Gleb Pakharenko.
http://gpaharenko.livejournal.com
http://www.linkedin.com/in/gpaharenko

Re: Impact of Global recession on Security !

2008-10-09T12:07:05Z

Overall, I don't think the "global recession" will have any specific impact on information security that any other sector of a business won't already be feeling. If there is a difference, I think it will be negative.

Oh, I'm not a social science or economic researcher or even involved in hiring and budget planning on an executive level. This is just me rambling from my little corner in the basement listening to the thrum of the network tubes...

Security is a cost. When the belt needs to get tightened, costs are cut. And cutting security a bit more than other areas means little impact to the business. If you make widgets and your business feels budgets dwindle, if your security budget decreases, will that negatively impact how many widgets you can produce and/or sell? Not usually unless you have lawyers, regulations, or strict internal morals forcing the bumper car named "The Gamble of Insecurity" into the proper lanes.

This might cause shift in security workers away from companies who have this (arguably wrong) view of security over to companies that do have it and still value it in times of recession. But otherwise, nothing much difference than today or two years ago, imo.

> 1) Increase on vulnerabilities, risks, threats, easy availability of hacking tools, Cyber terrorism etc will demand strict countermeasures
which cannot be ignored.These things will make sure that the security budget will stay intact.

RE1) This is pretty much the way it goes for us, recession or not. Risks and vulns and threats increase in relation to our countermeasures, etc. The only issue I see with this statement may be when some other influence appears, like a new technology or a new threat or threat vector appears which causes an increase. Recession or not, a few instance of "cyber warfare" (real or perceived) could influence budgets in that direction regardless of the constricting budgets.

> 2) During the recession time, companies will not want their business to be impacted due to security reasons and hamper the revenue even
further.

Do you spend more in a recession on assurances that your company will be secure or do you spend more on making your sales? Do you cut costs that might impact your ability to sell and manage accounts, or cut back on your technology costs?

If anything, I see big projects being put on hold, spending stagnating, extraneous costs axed (useless software assurance agreements), raises slowing to a trickle, and less hiring in security for companies that are truly impacted.

> 3) Need of Industry certifications will rise.

I'm not sure about this. The contrarian that I am on this beautiful Thursday will counter that certifications equate to higher salaries. When higher is slowing and raises are dwindling, I would wonder if some people find themselves asking for more than some orgs can stomach for now. This won't lead to a decrease in certs at all, I just don't think it will lead to any marked increase.

Likewise, certs are not cheap (time+cost), and consumer spending will also be impacted. There will be plenty of people who may put off a cost like this in order to make ends meet today.

> 4) Companies will invest in remote access solutions like SSL VPN etc so that people can work from home than travel to office as a part of
cost cutting.

I don't think so. The gasoline cost issue is largely a consumer one (although there are plenty of industries where logistics is feeling the pressure of this cost as well). What I mean is that it is not a business need that is driving the desire to work from home to save on gas, but rather workers trying to get that benefit.

After the US 9/11 event, the gov't pushed for mandates on supporting teleworkers go gov't work could continue even in a crisis. I thought this would carry over more into the private sector, but it really hasn't as much as I thought. Part of me is not really surprised.

The last time you worked from home, honestly, how effective were you? I don't know about you, but I find the pull of a World of Warcraft or TF2 session to be pretty tempting. I think private sector managers understand this tendency and will only allow regular working from home when absolutely necessary. Not as a gesture of good will in a recession. Allowing workers to work from home and be less efficient/productive/useful is a cost, which is bad in a recession.

From a cost and security standpoint, I find home workers to be one of the most annoying use-cases to think about. Do you let them use their own computers? Do you issue them all laptops or home systems? Do you have the bandwidth to support a third of your workforce teleworking on a Monday? If they use their own system, are you ready to block the personal/gaming/questionable sites they visit that would otherwise be blocked if they were in the office? Can you ensure they are not siphoning data off your network through their computer or a removable media device? Can you manage their system's security settings and protection software? What about your phone system extending out...etc. It's all much more cost than people think, if you want it done wholistically.

BUT WAIT! DON'T STOP READING! I DO ACTUALLY THINK YOU HAVE A POINT! :)

You briefly mention that conslutant groups may benefit from this, and I think you have a point! Outsourcing costly security functions may actually be a growth spurt in a recession. And not just security, but many technology functions. It is expensive to maintain the technological architecture for business these days, let alone the cost of doing it securely. And unless you're in a tech industry, those costs do nothing to improve your business bottomline. It might just make sense to out-source these functions to groups that may cost less, may have more expertise than you'd ever get internally.

Is this an improvement? I'd say no, usually. I still feel you're better off spending money on the salaries for security staff.

The dangerous part is when such conslutancies get too many clients and thus can't provide very good service at all. Which can you manage better as a security conslutant: 4 clients with whom you are intimate, or 25 clients you barely know and have to rely on automated alerts and uncustomized solutions?

Re: Hard Drive Forensics Question

2008-10-09T09:37:22Z

On 2008-10-08 J. Oquendo wrote:
> On Wed, 08 Oct 2008, Ansgar Wiechers wrote:
>>> And that would do?
>>> http://www.ontrackdatarecovery.co.uk/columbia-drive-recovery/
>>
>> I don't think so. How was that disk wiped?
>
> Wiped? That drive was recovered from the Space Shuttle that blew up.

Ah, sorry, I failed to understand what you were getting at. It was late.

Yes, a furnace heating the drive at least above the Curie temperature of
the drive's platters (and keep it at that temperature for some time)
would indeed do, AFAICS. An explosion is a very different situation,
because the destructive effects come primarily from volume expansion
(i.e. physical force) and to a much lesser extent from heat. Also the
objects are exposed to the heat only for a very short period of time,
meaning that the casing (or other physical barriers between platters and
the center of the explosion) will shield the platters from the heat,
thus reducing the thermal effects even more.

Regards
Ansgar Wiechers
--
"All vulnerabilities deserve a public fear period prior to patches
becoming available."
--Jason Coombs on Bugtraq

Paper on data recovery from wiped disks (was: bugtraq@planetcobalt.net)

2008-10-09T08:32:05Z

On 2008-10-09 Craig Wright wrote:

> Myself, Dave Kleiman and Shyaam Sundhar R.S. have a paper submitted
> and accepted for ICISS08 (the Fourth International Conference on
> Information Systems Security (2008)). The paper is titled,
> "Overwriting Hard Drive Data: The Great Wiping Controversy".
>
> The abstract follows:
> "Abstract. Often we hear controversial opinions in digital forensics
> on the required or desired number of passes to utilize for properly
> overwriting, sometimes referred to as wiping or erasing, a modern hard
> drive. The controversy has caused much misconception, with persons
> commonly quoting that data can be recovered if it has only been
> overwritten once or twice. Moreover, referencing that it actually
> takes up to ten, and even as many as 35 (referred to as the Gutmann
> scheme because of the 1996 Secure Deletion of Data from Magnetic and
> Solid-State Memory published paper by Peter Gutmann) passes to
> securely overwrite the previous data. One of the chief controversies
> is that if a head positioning system is not exact enough, new data
> written to a drive may not be written back to the precise location of
> the original data. We demonstrate that the controversy surrounding
> this topic is unfounded."
>
> The paper is to presented in December this year and is being published
> under the LNCS (Lecture notes in Computer Science) series from
> Springer Verlag.

Sounds interesting. I'll be looking forward to reading your paper.

Regards
Ansgar Wiechers
--
"All vulnerabilities deserve a public fear period prior to patches
becoming available."
--Jason Coombs on Bugtraq

RE: Tools for monitoring traffic to specific websites

2008-10-09T03:33:20Z

It's the same here.
Websense works like a charm. Gives us lots of information of what type of
traffic our users produce. Even helpful to find computers infested with
spyware, etc.

-----Original Message-----
From: listbounce@... [mailto:listbounce@...] On
Behalf Of Navroz Shariff
Sent: den 8 oktober 2008 19:03
To: dongle
Cc: infolookup@...; Murda Mcloud; security-basics@...
Subject: Re: Tools for monitoring traffic to specific websites

Websense works wonders for us.

On Tue, Oct 7, 2008 at 11:54 PM, dongle <bakerga@...> wrote:

>
> NTOP...
>
> solarwinds has a new free netflow collector for one
> interface off a cisco router that might work for you
> also...
>
>
> --- infolookup@... wrote:
>
>> The proxy that I am using can do logging but it is
>> not designed for that, and since its already being
>> over utilize we are looking for a second option.
>>
>> Someone mentioned wireshark, but I would have to
>> leave a sniffer on for weeks that way to get a base
>> line, not to mention its hard to cart the results.
>> ------Original Message------
>> From: Murda Mcloud
>> To: 'Research Lookup'
>> To: security-basics@...
>> Sent: Oct 7, 2008 6:35 PM
>> Subject: RE: Tools for monitoring traffic to
>> specific websites
>>
>> What proxy are you using? Sounds strange that it has
>> no logging
>> capabilities.
>>
>> > >-----Original Message-----
>> > >From: listbounce@...
>> [mailto:listbounce@...]
>> > >On Behalf Of Research Lookup
>> > >Sent: Tuesday, October 07, 2008 7:09 AM
>> > >To: security-basics@...
>> > >Subject: Tools for monitoring traffic to specific
>> websites
>> > >
>> > >Hello all,
>> > >
>> > > I am trying to monitoring the daily web traffic
>> to sites a few
>> > >specific web sites, we are using a proxy server
>> to block and allow
>> > >access to various sites, however the server is
>> not capable of meeting
>> > >this request. I was wondering if there is an
>> application I can use to
>> > >monitoring say the daily or weekly traffic going
>> to www.example.com,
>> > >and www.test.net?
>>
>>
>>
>> Sent from my Verizon Wireless BlackBerry
>
>

smime.p7s (4K) Download Attachment

Re: Impact of Global recession on Security !

2008-10-08T21:50:36Z

Hi Aditya

> 1) Increase on vulnerabilities, risks, threats, easy availability of
> hacking tools, Cyber Terrorism etc will demand strict countermeasures
> which cannot be ignored.These things will make sure that the security
> budget will stay intact.

Your point here has nothing to do with the recession right?
Vulnerabilities and risk were already there before the recession.
Therefore I think this point does not contribute to the question of
whether budget will be impacted or not, except you assume that the
recession leads to additional risks.

> 2) During the recession time, companies will not want their business
> to be impacted due to security reasons and hamper the revenue even
> further.

That's a good point. However, I'm not sure whether the decision makers
will have sustainable thoughts. If they need to shorten the budget,
information security will be impacted too.

> 3) Need of Industry certifications will rise.

I'm not sure about that.

> 4) Companies will invest in remote access solutions like SSL VPN etc
> so that people can work from home than travel to office as a part of
> cost cutting.

I think this is only the case in US. By the way. the cost cutting due
to homw work is not on the company side. If you are able to stay at
home, then the employer saves costs not the employee.

My believe is that costs in it security will be cut as well.

rgds
Joe

Re: Java Enterprise Safe ??

2008-10-08T21:33:14Z

Hello Mate

The damage a java application can do does not depend on java itself.
It depends rather on the programmer writing the code. If you are not
doing proper input and output validation, then your java application
can have serious issues with XXS and SQL injection. These bugs however
are introduced by the programmer and not by java.

One really good thing is, that there are not buffer overflows (a major
issues in C/C++ programs) in java.

If you care about all the security issues, then you can write pretty
safe code in java. Just keep in mind; it is about the programmer not
the technology!

Regards
Joe

On Tue, Oct 7, 2008 at 8:48 AM, Mattias Hemmmingsson
<mattias@...> wrote:

>
> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA1
>
> God morning
>
> We are now working with java enterprise at the glassfish server.
> And a come of thinking how secure is java really ?
>
>
> If you look att OWASP home page you can find the ten most common
> security risk against java,
>
> So with XSS how mutch damiage can you do to the system ore can you
> only change the clients view ?
>
> Sql injection is it poosible to do with java enterprise ?
>
> And the big one JAS ( java auth system or somthing like that) How safe
> is it realy ?
>
>
> // matte
>
> -----BEGIN PGP SIGNATURE-----
> Version: GnuPG v1.4.6 (GNU/Linux)
> Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org
>
> iD8DBQFI6wZUNJQJ1TN4TrgRAi90AJwJJxGG1fdpNrJWMGShU+kEpf2GmACfaeSs
> T0OutNQWyeyb6bu4kbiVOn8=
> =ZJBA
> -----END PGP SIGNATURE-----
>
>

RE: IT crime investigation courses

2008-10-08T20:50:48Z

Not exactly an IT crime course but I have done the SANS GCFA course and it
is an excellent grounding in digital forensics. Hands on and theory.
Many of the other courses are quite software specific afaik.

> >-----Original Message-----
> >From: listbounce@... [mailto:listbounce@...]
> >On Behalf Of Ahmad AlOwfi
> >Sent: Wednesday, October 08, 2008 1:15 PM
> >To: security-basics@...
> >Cc: listbounce@...
> >Subject: IT crime investigation courses
> >
> >Hello everyone
> >
> >I would like to get Courses in IT crime investigation , anyone can help
> >me
> >in that?
> >
> >
> >Thank you
> >
> >...................
> >Best regards,
> >Ahmad AlOwfi
> >Project Manager
> >Network & Information Security Consultant

RE: Hard Drive Forensics Question

2008-10-08T20:22:45Z

Hi Matt,
Thanks for the link to that forum.
You may also be interested in something else that everyone seems to have
taken as gospel:

http://www.cs.auckland.ac.nz/~pgut001/pubs/secure_del.html

I would take Mr Barila's word on it but I would rather see him prove it and
have others say yes it has been done, and here is the evidence, and here is
a paper, and here are my peers(ie people much smarter than me) agreeing
after rigorously scrutinising.
In fact I'd love it if anyone did that. I'm all for pushing back the
boundaries of knowledge.

I see that Mr Barila does not actually say that he has performed such a
recovery. Just that it is possible on a single bit. Or that he believes it
to be possible.
His reasoning appears to be logical and correct. But is it possible?

>>Then you can subtract that ideal value and see what the second generation
>>previous values were. It does require specialized equipment, but it's not
>>TLA-named governmental entity kind of equipment, just "highly motivated
>>party" kind of equipment. I'm told there are commercial entities in Russia
>>that do this, though I have no first-hand knowledge of that.

To recover in this way, try and calculate the probabilities of getting
enough bits 'right' when doing electron tunneling microscope(or whatever
high end equipment your Russians might be using) just to recover a single
1024kb file. Now do it for a 100Gb drive. How many bits are on that drive?
Sure, there may be a 'high' probability of getting one bit right but
millions of them?

Ansgar mentioned newer drives too, for a reason. Because they are more
accurate at the whole 1 and 0 thing and at writing in exactly the same
'spot'. Not to mention bigger. As for SS drives, I don't know what the
thinking is.

Thanks

> >-----Original Message-----
> >From: Matt [mailto:matt-martin@...]
> >Sent: Wednesday, October 08, 2008 6:51 PM
> >To: Murda Mcloud
> >Subject: Re: Hard Drive Forensics Question
> >
> >Murda Mcloud wrote:
> >
> >Hello all,
> >
> >I've been lurking here for the last 6 months or so and this thread
> >caught my eye.
> >
> >I'd agree about most of the comments in this thread with the exception
> >of a few regarding data recovery after a file has been 'zeroed'
> >and whether there is any benefit to using random data during the
> >overwrite.
> >
> >The below thread/link was responded to by a senior engineer from a well
> >known
> >disk manufacturer, and according to him - data can be recovered after
> >being
> >over-written with new data (several generations back).
> >
> >Given Mr. Barila has decades of experience and plays an active role in
> >the design
> >and development of mass storage devices along with the supporting
> >firmware,
> >I'll take his word for it...
> >
> >http://www.osronline.com/showThread.cfm?link=92173
> >
> >Regards,
> >
> >m
> >
> >(P.S. - First, I was the OP in the above thread, and second, do keep in
> >mind
> >that the responder (Mr. Barila) has access to a lot of lab equipment
> >that very
> >few people do... )
> >
> >>>> Which is more likely to appear on a normal hard drive that has not
> >>>> been tampered with or set up: Entire blocks of 0s, or random
> >malformed
> >>>> data?
> >>>>
> >>
> >> In the case of the OP, I get the feeling that if someone examined the
> >drive
> >> they could easily draw the conclusion that the drive had been
> >'tampered'
> >> with either way. Whether there were 0s or randoms on it.
> >> It still doesn't matter which method you use. No-one is going to get
> >any
> >> data from it but I just wanted to see why you said random data were
> >better.
> >> I don't agree that your reason makes it 'better'.
> >> As Ansgar pointed out, finding a credible report on data recovery from
> >a
> >> zeroed(if that is a verb) drive is impossible.
> >> You can always take the challenge if you believe otherwise:
> >>
> >> http://16systems.com/zero/index.html
> >>
> >>
> >> And I still don't understand why you said:
> >>
> >>
> >>>> Delete it so as to be able to write over it again. Multiple write-
> >overs
> >>>>
> >> ensure that no data may be recovered.
> >>
> >> My lack of understanding may be because I'm not seeing what benefit you
> >are
> >> trying to gain from the 'deleting'. I thought that you could overwrite
> >> something without the need for first deleting it but perhaps you know
> >> something that I don't.
> >>
> >>
> >>
> >>
> >>
> >>
> >>
> >>
> >>
> >>
> >>>> -----Original Message-----
> >>>> From: Razi Shaban [mailto:razishaban@...]
> >>>> Sent: Monday, October 06, 2008 11:25 PM
> >>>> To: Murda Mcloud
> >>>> Cc: security-basics@...
> >>>> Subject: Re: Hard Drive Forensics Question
> >>>>
> >>>> On Mon, Oct 6, 2008 at 7:00 AM, Murda Mcloud
> ><murdamcloud@...>
> >>>>
> >>>> I won't reply to the first part, as I feel that it doesn't really
> >need
> >>>> much more elaboration.
> >>>>
> >>>>
> >>>>>>>> And why do you feel that random is better?
> >>>>>>>>
> >>>>>>> If it is actual files that are copied, they may be recovered.
> >>>>>>> Depending on the nature of those files, opinions could be made
> >either
> >>>>>>> way. If it's random data, nothing can be retrieved and they are
> >left
> >>>>>>> with nothing to work with. If they are accusing him of wrong-doing
> >>>>>>> that he is innocent of, he should leave them with as little as
> >>>>>>> possible to work with, in my opinion.
> >>>>>>>
> >>>>> Maybe I should have asked, "Why do you feel that random is better
> >than
> >>>>> something else eg 0's?"
> >>>>>
> >>>>> I don't think it matters whether it's random or not-overwrite
> >something
> >>>>>
> >>>> and
> >>>>
> >>>>> it's overwritten. Which means it's unrecoverable. Some apps will
> >>>>>
> >>>> overwrite
> >>>>
> >>>>> with random numbers. Eg DBAN
> >>>>> If someone sees a pattern in the hard drive after I do
> >>>>> dd if=/dev/zero of=/dev/hdax
> >>>>> because it's not random they would be right. It's not random.
> >However,
> >>>>>
> >>>> can
> >>>>
> >>>>> they see any files I had on there before? No.
> >>>>>
> >>>>>
> >>>> Which is more likely to appear on a normal hard drive that has not
> >>>> been tampered with or set up: Entire blocks of 0s, or random
> >malformed
> >>>> data?
> >>>>
> >>>> --
> >>>> Razi
> >>>>
> >>
> >>
> >>