A high-volume list which permits people to ask "stupid questions" without being derided as "n00bs". I recommend this list to network security newbies, but be sure to read Bugtraq and other lists as well.
After I searched a lot on the net about this topic I often found my
e-mail in this list.
Now I have done my research and configuration on this topic and want to
give others a hint where to look. I wrote information and
configurations about this topic in my blog (only in German)
------------------------------------------------------------------------
Securing Apache Web Server with thawte Digital Certificate
In this guide we examine the importance of Apache-SSL and who needs an SSL certificate. We look at how SSL works, how
it benefits your company and how your customers can tell if a site is secure. You will find out...
Has anyone else seen implementations of Outlook Anywhere? Personally I think
it's not needed and a security risk but I want to see what the community has
to say.
I wanna know how to use wget or curl to download the specified file,
e.g., download all the GIF files from http://www.test.com
How can I achieve that?
Thanks!
All the best
------------------------
What we are struggling for ?
The life or the life ?
I want to use rainbowcrack to generate the rainbow table,
but I don't know how I can determine the parameters:
chain_len
chain_num
Is there a way to calculate it? Any suggestions are appreciated.
All the best
------------------------
What we are struggling for ?
The life or the life ?
Be warned! Usually it is never "only a counterstrike server". Do not
trust the box and reinstall. I've seen and investigated a hacked box
where it was thought to "only run a psybounce". It turned out a lot more
was happening but since the kernel was made to shut up about it, it
would not show the rest of the activities. It was a database server for
provisioning an ISP. A...
Hack In The Box is proud to announce a brand new lightning session
called HITB SIGINT (Signal Intelligence/Interrupt)! HITB SIGINT
sessions are designed to provide a quick 15 minute overview for
material and research that's up and coming - stuff that isn't quite
ready for the mainstream tracks of the conference but deserves a mention
nonetheless. Final year students who want to present their projects to
industry experts are also strongly...
Hello,
I had something like this also.. I still have all the files, but in
my case the "hacker" just ran a CounterStrike server on my box. I have
found the exploit in a website that I host, it was an oscommerce and it had
a security issue in the pictures folder.. don't know how he had access but
the thing is he managed to reinstall openssh and somehow he got the root
password (not change it, I saw him logging in the...
TEHRAN (FNA)- An Iranian cyber group announced that it has hacked more
than 1,000 important governmental websites of the US, Britain and France
in protest at their support and financial aids to anti-Iran terrorist
groups.
"To commemorate the Day of Campaign against Terrorism and the martyrdom
anniversary of (former Iranian President Mohammad Ali)...
By Spencer Ackerman
Danger Room
Wired.com
August 31, 2010
Tomorrow's WikiLeakers may have to be sneakier than just dumping
military docs onto a Lady Gaga disc. The futurists at Darpa are working
on a project that would make it harder for troops to funnel classified
material to WikiLeaks -- or to foreign governments. And that means if
you work...
DOVER -- In a data breach that one security expert said could be worth
millions of dollars to scam artists, Aon Consulting, the state's
benefits consultant, inadvertently posted personal information of about
22,000 state retirees on the Web, potentially exposing them to identity
theft for the rest of...
By Noah Shachtman
Danger Room
Wired.com
August 31, 2010
Someday, somehow, the U.S. Navy would like to run its networks -- maybe
even own its computers again. After 10 years and nearly $10 billion,
many sailors are tired of leasing their PCs, and relying on a private
contractor to operate most of their data systems. Troops are sick of
getting stuck with inboxes that hold...
The former head of the Department of Homeland Security's Cyber Security
Division warns that the U.S. military's preoccupation with secrecy could
hamper efforts to get the upper hand in cyber security.
An article last week by the U.S. Deputy Secretary of Defense put the U.S.
military's cybersecurity plans...
By Howard Schneider
Washington Post Staff Writer
August 30, 2010
The Obama administration is overhauling the decades-old rules for the
export of sensitive military and other technology, jettisoning what
industry groups criticize as an antiquated "Cold War" set of regulations
for a more streamlined approach.
DataLossDB is a research project aimed at documenting known and reported data loss incidents world-wide. The Open
Security Foundation asks for contributions of new incidents and new data for...
By Mathew J. Schwartz
InformationWeek
August 30, 2010
For 12% of CIOs, hearing complaints from employees over IT security
measures -- specifically, limits on their access to certain types of
websites or networks while using the office network -- is a common
occurrence. Meanwhile, 29% of CIOs say such gripes are at least
"somewhat common."...
SINCERE APOLOGIES IF YOU RECEIVE MULTIPLE COPIES OF THIS ANNOUNCEMENT
***************************************************************************
CALL FOR PARTICIPATION
3rd Summer School on Network and Information Security (NIS'10)
Jointly organized by ENISA and FORTH
13-17...
By Ellen Nakashima
Washington Post Staff Writer
August 28, 2010
The Pentagon is contemplating an aggressive approach to defending its
computer systems that includes preemptive actions such as knocking out
parts of an adversary's computer network overseas - but it is still
wrestling with how to pursue the strategy legally.
Barbers and security professionals
- In this guest editorial, security research professional Michal Zalewski argues that the government should stay away from compulsory certification and licensing in the security industry.
RealPlayer haunted by 'critical' security holes
- RealNetworks has shipped a critical update to address multiple vulnerabilities, some serious enough to allow a remote, unauthenticated attacker to execute arbitrary code or obtain sensitive information.
Verizon DBIR challenge clue #4
- Hopefully, this should be the last clue: “If you’ve found the p(f+) in a fingerprint, you should be able to find the key.”
ATM makers patch Black Hat cash-dispensing flaw
- Two automated teller machine (ATM) manufacturers have shipped patches to block the cash-dispensing attack demonstrated by researcher Barnaby Jack at this year’s Black Hat conference.
Mitigation has become the word of the moment at Microsoft, and the company on Thursday continued its recent flow of tools designed to lessen the effectiveness of certain attacks with the release of version 2.0 of its Enhanced Mitigation Experience Toolkit.
Heartland Payment Systems has agreed to pay $5 million to Discover to
settle claims arising from the massive data breach disclosed by the
payment processor last year. Read the full article. [Computerworld]
Google has released a new version of its Chrome browser and has included more than a dozen security fixes in the update. The new version, 6.0.472.53, was released two years to the day after the company pushed out the first version of Chrome.
Social networking features, a rockin' new logo and GUI improvements aren't the only reason you should upgrade to iTunes 10, says Apple. The update to Apple's popular music player software, released on Wednesday, also fixes a bunch of gaping vulnerabilities that could make earlier versions susceptible to Web based attacks.
In this video, Niklas Wolff of the CSIS Security Group demonstrates an exploit for the recent integer overflow vulnerability in Adobe Reader (CVE-2010-2862), disclosed at Black Hat in July, that allows remote code execution.
Online bank fraud, for all of its obvious ploys and tired tactics, is still a remarkably effective way to make money. Too lazy or clueless to get a real job? Go phishing. Lots of people are doing it, and by some estimates, it's evolving into a nearly $1 billion business.
A prominent researcher will use an upcoming security conference in Buenos Aires to demonstrate an exploit that allows hackers to bypass the Windows Service Isolation feature, despite Microsoft's efforts to close the security loophole.
A cybersecurity researcher has discovered an easy way for a hacker to
swipe copies of documents scanned by Hewlett-Packard all-in-one printers
widely used in workplace settings. Read the full article. [The Last Watchdog]
Scammers are offering prospective marks an application that supposedly shields them from exposure to survey scams. Naturally, you first have to fill in a survey to install the script,
which is punted through Userscripts(dot)org. Read the full article. [The Register]