This is a topic that I have been thinking about for a long time and finally started creating some content for it. The idea is to create a series of posts, workshops and presentations that will help create security awareness at many levels. The topics will go across the board but I will be starting with those I think will have a greater impact in reducing the amount of low-hanging fruit out there.
The first hand-held mobile phone was demonstrated by Motorola in 1973, and since the 90s mobile phones have become one of the technologies with the biggest impact on the way we live. Cell phones or mobile phones have reached an impressive 96.2% of the world population and have penetration rates of over 100% in developed nations. This information technology has spread faster than any other, including TV, radio and the Internet. Can you remember how we lived before cellphones?
Have you ever questioned the security best practices?
In the process of building / designing the infrastructure for a new project the following question was asked: “shouldn’t we use a reverse proxy to secure or protect the web servers?” Of course the first question I asked myself was “do reverse proxies provide real security?”, or is this a best / common practice that has been adopted without foundation?
I had the pleasure of attending the WebOS Developer Workshop in Mainz on Saturday. Thgtwi (@thgtwi) did a great job with the organization. SuVuK (@SuVuK_open) did a nice report on the contents of the workshop in his blog.
I took the opportunity to talk about security in the WebOS platform. I ran some tests based on WebOS 3.X, which is currently available for the HP TouchPad and is being open-sourced as Open WebOS.
After reading for a while I found out that the Mozilla Foundation built in this protection against “Cross-Protocol” scripting attacks in the form of port banning.
To override this protection use one of the following steps:
- In the user’s profile directory, add the following line at the end of the all.js file
- In the defaults/pref/ sub-directory of the installation directory (multi-user systems), add the following line at the end of the file
- Open a new window, type about:config in the address bar and add a new entry of type string with the name network.security.ports.banned.override and the value 1-65535.
If you want to unban only one port, replace the range with that port or a list of ports.
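As an added example (not code from the post), here is a small Python audit that reads a prefs file in the pref()/user_pref() line format used by files such as all.js and reports which ports the network.security.ports.banned.override entry has unbanned, so a reviewer can spot a profile where the port banning protection was switched off; the sample file content is constructed.

```python
import re
from typing import List, Tuple

# The preference that lifts port banning (named in the post above).
OVERRIDE_PREF = "network.security.ports.banned.override"

# Matches pref("name", "value"); and user_pref("name", "value"); lines.
_PREF_RE = re.compile(r'^\s*(?:user_)?pref\(\s*"([^"]+)"\s*,\s*"([^"]*)"\s*\);')


def parse_port_spec(spec: str) -> List[Tuple[int, int]]:
    """Turn a value like '1-65535' or '21,80,1-1024' into (low, high) ranges."""
    ranges = []
    for part in spec.split(","):
        part = part.strip()
        if not part:
            continue
        if "-" in part:
            low, high = part.split("-", 1)
            ranges.append((int(low), int(high)))
        else:
            ranges.append((int(part), int(part)))
    return ranges


def find_port_override(prefs_text: str) -> List[Tuple[int, int]]:
    """Return the unbanned port ranges set in a prefs file, or [] if none."""
    for line in prefs_text.splitlines():
        m = _PREF_RE.match(line)
        if m and m.group(1) == OVERRIDE_PREF:
            return parse_port_spec(m.group(2))
    return []


def unbanned_port_count(ranges: List[Tuple[int, int]]) -> int:
    """How many ports the override exposes in total."""
    return sum(high - low + 1 for low, high in ranges)


# Constructed sample prefs content (not taken from a real profile).
SAMPLE_PREFS = """\
// Mozilla User Preferences
user_pref("browser.startup.homepage", "about:blank");
user_pref("network.security.ports.banned.override", "1-65535");
"""

if __name__ == "__main__":
    found = find_port_override(SAMPLE_PREFS)
    print(f"override present: {bool(found)}; ports unbanned: {unbanned_port_count(found)}")
```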
This is a topic that caught my eye a while ago and just found out it’s still an open issue.
According to their website:
SWIFT is the Society for Worldwide Interbank Financial Telecommunication, a member-owned cooperative through which the financial world conducts its business operations with speed, certainty and confidence. Over 8,300 banking organisations, securities institutions and corporate customers in more than 208 countries trust us every day to exchange millions of standardised financial messages.
So basically it’s the organization that manages the APIs and systems that make international banking work smoothly.
This Belgium-based organization had its major databases in the US until an article in the NY Times revealed that the CIA under the Bush administration had been data mining the database to find links to terrorism; after Europe protested, the database was moved to Holland. So the issue now is that the US intelligence agencies want to keep having unlimited access to spy on EU citizens using the usual terrorism joker card.
I think this is a big issue and should be handled as such. There are some open questions I have about this deal:
What does a US or in fact any intelligence agency have to do with our financial records without a warrant?
Is every person in the world considered a potential terrorist?
Where are our rights, our privacy?
While we’re at it: How long is this data retained? How is it guarded? Who makes sure it’s correctly discarded?
Benjamin Franklin summed this up better than I can ever try to:
They that can give up essential liberty to obtain a little temporary safety deserve neither liberty nor safety
I had a couple of scripts working in the back end of an application to create users and set the passwords. So instead of reinventing the wheel I used the “trusty” useradd.
Until recently one could pass the user’s password in clear text as a parameter. I assume that someone thought about all the passwords that were saved in history files and decided to change it. The problem is that they kept the same parameter but now it expected the password to be encrypted, so it basically stopped working but didn’t generate errors.
After some debugging and some man page reading the problem was nailed down, but now I had to generate and encrypt the password. I looked at and tried many solutions, but the best I could find was the crypt library, and I decided to access it through perl. What I liked the most about the solution is that I could use all the same native algorithms that the system has installed.
So let’s cut to the chase, here are the 5 lines of code needed to get the job done:
user="<user>"
password="<cleartext password>"
salt=$(/usr/bin/mkpasswd -l 8 -s 0)
# crypt(3) through perl; the "$1$" prefix selects MD5 (see below)
encrypted=$(perl -e 'print crypt($ARGV[0], "\$1\$$ARGV[1]\$")' "$password" "$salt")
/usr/sbin/useradd -p "$encrypted" "$user"
To create a good salt I used the mkpasswd utility that comes with the expect package (yum install expect). In this case the $1 is not a variable, but the way of telling crypt to use MD5.
Other valid values for the glibc crypt are:
2a: Blowfish (not in mainline glibc; added in some Linux distributions)
5: SHA-256 (since glibc 2.7)
6: SHA-512 (since glibc 2.7)
For more information see http://www.kernel.org/doc/man-pages/online/pages/man3/crypt.3.html or simply run: man crypt
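As an added example (not from the post), the following Python check audits /etc/shadow-style lines for the exact failure mode described above: a cleartext password handed to useradd -p ends up stored verbatim in the password field, where a $id$salt$hash value belongs. It recognises the glibc ids listed above ($1, $2a, $5, $6); the sample lines, salts and hashes are constructed.

```python
from typing import List, NamedTuple, Optional

# glibc crypt(3) algorithm ids from the post ($1 is MD5).
CRYPT_IDS = {"1": "MD5", "2a": "Blowfish", "5": "SHA-256", "6": "SHA-512"}


class ShadowCheck(NamedTuple):
    user: str
    algorithm: Optional[str]  # None when the field holds no crypt hash
    problem: Optional[str]    # None when the entry looks fine


def classify_hash(field: str) -> Optional[str]:
    """Name the algorithm of a $id$salt$hash field, or None if it is not one."""
    parts = field.split("$")  # ['', id, salt-or-cost, hash, ...] when well formed
    if len(parts) < 4 or parts[0] != "" or parts[1] not in CRYPT_IDS:
        return None
    if not parts[2] or not parts[3]:
        return None
    return CRYPT_IDS[parts[1]]


def check_shadow_line(line: str) -> ShadowCheck:
    """Flag an entry whose password field is not a crypt hash, which is what
    a cleartext password passed to useradd -p produces."""
    user, field = line.split(":")[:2]
    if field in ("", "*") or field.startswith("!"):
        return ShadowCheck(user, None, None)  # no password or locked account
    algorithm = classify_hash(field)
    if algorithm is None:
        return ShadowCheck(user, None, "password field is not a crypt hash; "
                           "a cleartext password was probably given to useradd -p")
    return ShadowCheck(user, algorithm, None)


def audit(lines: List[str]) -> List[ShadowCheck]:
    """Return only the entries that have a problem."""
    return [c for c in map(check_shadow_line, lines) if c.problem]


# Constructed sample shadow lines (salts and hashes are made up, not real).
SAMPLE_SHADOW = [
    "alice:$6$8xQ2kLmN$abcdefghijklmnopqrstuvwxyz0123456789ABCDEFGHIJ:19000:0:99999:7:::",
    "bob:$1$ab12cd34$ZYXWVUTSRQPONMLKJIHGFE:19000:0:99999:7:::",
    "carol:Sup3rSecret!:19000:0:99999:7:::",
    "daemon:*:19000:0:99999:7:::",
]

if __name__ == "__main__":
    for c in audit(SAMPLE_SHADOW):
        print(f"{c.user}: {c.problem}")
```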
I managed to get a few days away from the day job to attend the ISECOM Train the Trainer event in Barcelona (27-29 May) and it was really a great experience. Being that the event was for the certified or to be certified trainer crowd it was pretty intense and at the end of the last day my brain was jello.
It was great to finally meet Pete Herzog, who I had the pleasure of working with before on the Hacking Exposed book. I also got time to meet some of the other European trainers, and it’s a good batch.
I got to take the OPSA and OPST exams; the results should be due any time now. I really liked the format of both cert exams: hands on! For the OPST you have to shoot at a couple of live test systems to complete the results you need, and for the OPSA there is a little theory on the OSSTM, some shooting to be done, but most of all analysis (hence the A in OPSA). I fried my brain on the last question; I didn’t notice at the beginning that it was a packet dump that needed to be analyzed. So after 8 hours of class, the 2.5h I took to complete the exam were the last effort.
For those of you who have no idea of what I’m talking about, you can find information on the OSSTM at http://www.isecom.org/