Security and Virtualization

April 30, 2008 – 7:00 AM

As the world of virtualization moves forward, organisations face compelling reasons to virtualize: server consolidation, high energy bills, faster hardware, ease of use, and step-back and quick-snapshot technology all make the virtual computing realm more attractive.

In some organisations virtualization has already become a large part of the infrastructure. Once again technology has outrun the security best practices. This does not have to be the case, even as many companies hasten the virtualization process.

Virtual environments are becoming more popular as disaster recovery and business continuity solutions, particularly in the financial industry.  This is relevant because some of these solutions are in a semi-live environment and typically get forgotten in the update and security protection process.


Securing Your Web Browser

April 30, 2008 – 5:19 AM

This paper will help you configure your web browser for safer internet surfing. It is written for home computer users, students, small business workers, and any other person who works with limited Information Technology (IT) support and broadband (cable modem, DSL) or dial-up connectivity. Although the information in this document may be applicable to users with formal IT support as well, organizational IT policies should supersede these recommendations. If you are responsible for IT policies for your organization, please consider implementing these recommendations as part of your policy.

Today, web browsers such as Internet Explorer, Mozilla Firefox, and Apple Safari (to name a few), are installed on almost all computers. Because web browsers are used so frequently, it is vital to configure them securely. Often, the web browser that comes with an operating system is not set up in a secure default configuration. Not securing your web browser can lead quickly to a variety of computer problems caused by anything from spyware being installed without your knowledge to intruders taking control of your computer.

Ideally, computer users should evaluate the risks from the software they use. Many computers are sold with software already loaded. Whether installed by a computer manufacturer, operating system maker, Internet Service Provider, or by a retail store, the first step in assessing the vulnerability of your computer is to find out what software is installed and how one program will interact with another. Unfortunately, it is not practical for most people to perform this level of analysis.

There is an increasing threat from software attacks that take advantage of vulnerable web browsers. We have observed a trend whereby new software vulnerabilities are exploited and directed at web browsers through use of compromised or malicious web sites.


Stop XSS attacks with SafeHTML

April 30, 2008 – 4:42 AM

If you allow user-contributed content in your site, you run into the problem of dealing with user supplied HTML in a safe manner. The most secure way of dealing with things, of course, is to strip or escape all HTML from user input fields. Unfortunately, there are many situations where it would be nice to allow a large subset of HTML input, but block out anything potentially dangerous.

SafeHTML is a lightweight PHP user input sanitizer that does just that. Just run any input field through the SafeHTML filter and any javascript, object tags, or layout breaking tags will be stripped from the supplied text. It also does a reasonable job of correcting any gnarly, malformed code, which is also a common problem with user-contributed data.

Using it is easy. Just instantiate the SafeHTML object and call its parse method:

<?php
require_once('classes/safehtml.php');
// The original used the PHP 4 reference idiom ($safehtml =& new SafeHTML();),
// which is an error in PHP 7 and later; plain assignment is correct on PHP 5+.
$safehtml = new SafeHTML();

if ( isset( $_POST["inputfield"] ) )
{
    $inputfield = $_POST["inputfield"];
    // Strip dangerous markup and return well-formed XHTML
    $cleaninput = $safehtml->parse($inputfield);
}

This will take the posted “inputfield” parameter, strip any baddies, XHTMLify what’s left, and the result will be stored in the $cleaninput variable. It’s a simple addition to your code, and a lot more straightforward than trying to roll your own.

My only beef with the package is that it’s written with a default allow policy, stripping out tags that are in its deleteTags array, but essentially allowing anything else through. If you’d rather only let through tags that you specifically want to allow, I’d recommend adding an allowTags array and adjusting the _openHandler method, adding the following after the deleteTags check:

// Tag is not on the allowlist: handle it the same way as a deleteTags match
if ( ! in_array($name, $this->allowTags)) {
    return true;
}

You’ll need to fill allowTags with everything you know to be safe and welcome, and you may miss a few that people will end up wanting to legitimately use, but this is easily corrected and the default deny policy is much safer in the long run.
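To show the default-deny policy recommended above in working form, here is a small standalone PHP filter built on DOMDocument (added example code, not part of SafeHTML or the Hackszine post): only tags in $allowTags and attributes in $allowAttrs survive, and href values are restricted to http(s), mailto, relative and anchor links. The function names allowlist_html and filter_node are this example's own assumptions.

```php
<?php
// Standalone allowlist (default-deny) HTML filter on DOMDocument; allowlist_html()
// and filter_node() are this example's own names, not SafeHTML's API.

function filter_node(DOMNode $node, array $allowTags, array $allowAttrs): void
{
    // Iterate over a copy: removing nodes from a live DOMNodeList skips siblings.
    foreach (iterator_to_array($node->childNodes) as $child) {
        if ($child instanceof DOMElement) {
            if (!in_array(strtolower($child->tagName), $allowTags, true)) {
                // Default deny: unlisted tag removed with its whole content (<script> body too)
                $node->removeChild($child);
                continue;
            }
            foreach (iterator_to_array($child->attributes) as $attr) {
                $name  = strtolower($attr->name);
                $value = trim($attr->value);
                // Drop unlisted attributes (so every on* handler) and any href that is not
                // http(s)/mailto, relative or an anchor (this rejects javascript: URLs).
                if (!in_array($name, $allowAttrs, true)
                    || ($name === 'href' && !preg_match('#^(https?:|mailto:|/|\#)#i', $value))) {
                    $child->removeAttribute($attr->name);
                }
            }
            filter_node($child, $allowTags, $allowAttrs);
        } elseif (!($child instanceof DOMText)) {
            $node->removeChild($child);   // comments, processing instructions: not content
        }
    }
}

function allowlist_html(string $html, array $allowTags, array $allowAttrs): string
{
    $doc = new DOMDocument();
    libxml_use_internal_errors(true);   // malformed user HTML is expected, no warnings
    $doc->loadHTML('<div>' . $html . '</div>', LIBXML_HTML_NOIMPLIED | LIBXML_HTML_NODEFDTD);
    libxml_clear_errors();
    $root = $doc->documentElement;      // the wrapper <div>
    filter_node($root, $allowTags, $allowAttrs);
    $out = '';
    foreach ($root->childNodes as $child) {
        $out .= $doc->saveHTML($child);
    }
    return $out;
}

// Constructed sample of hostile input, as a user might post it.
$sample = '<p onclick="steal()">Hi <b>there</b><script>alert(1)</script>'
        . '<a href="javascript:alert(1)">bad</a> <a href="https://example.com" title="ok">fine</a></p>';
echo allowlist_html($sample, ['p', 'b', 'i', 'a', 'ul', 'ol', 'li', 'br'], ['href', 'title']), "\n";
```

Run it with the php CLI: the onclick handler, the script element and the javascript: href are all removed, while the https link and its title survive.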

SafeHTML – an anti-XSS HTML parser, written in PHP

Source: Hackszine

Microsoft Gives Vista Backdoor Keys To The Police

April 29, 2008 – 12:29 PM

It’s long been assumed that Microsoft has built in various “backdoors” for law enforcement to get around its own security, but now reader Kevin Stapp writes in to let us know that the company has also been literally handing out the keys to law enforcement. Apparently, they’re giving out special USB keys that simply get around Microsoft’s security, allowing the holder of the key to very quickly get forensic information (including internet surfing history), passwords and supposedly encrypted data off of a laptop. While you can understand why police like this, the very fact that the backdoor is there and that a bunch of these USB keys are out there pretty much guarantees that those with nefarious intent also have such keys. The second you build in such backdoors, no matter how noble the reason, you can rest assured that they will be used by criminals as well. No matter what, for those of you who didn’t already know it, now you have more evidence as to why trusting Microsoft’s “security” isn’t such a good idea.

Source: Techdirt

New versions of fgdump and pwdump released

April 29, 2008 – 4:46 AM

The latest versions of fgdump and pwdump have been released by the foofus.net team. Looks like the most important change is that both tools support 64-bit targets. Here is the official announcement:

“The foofus.net team is pleased to announce updates to both fgdump (2.0.0) and pwdump (1.7.1), which incorporate a number of new features, the most significant of which is that both tools now support 64-bit targets.

We are also pleased to announce the creation of a mailing list for the purposes of tool support, bug reports, feature requests and new revision announcements. This mailing list currently covers fgdump, pwdump and medusa. Feel free to sign up at http://lists.foofus.net/listinfo.cgi/foofus-tools-foofus.net.
For all the details on the latest fgdump and pwdump releases, please visit their home pages:

http://www.foofus.net/fizzgig/fgdump
http://www.foofus.net/fizzgig/pwdump”

If you don’t know what fgdump is and how it differs from pwdump… basically, fgdump attempts to shut down local anti-virus before attempting to dump the password hashes, and it also pulls cached credentials. Fgdump is a great tool if you still need to dump the hashes of a system (in a pentest I always like to conduct a password strength test for clients by running the hashes through John with a large wordlist and incremental mode). Once you have the hash, you can also use a “pass-the-hash” utility like the one created by the foofus.net team (for Linux) or the one released by Core Security Technologies (for Windows).

Source: Spylogic