Tuesday 31 October 2006

Pod Slurping

The most popular MP3 player, the Apple iPOD has sold 60 Million units since 2001. In addition to the iPOD there are many different and competing products in the portable music player space.

From a security standpoint the one thing they have in common is the ability to be plugged into a computer and copy huge amounts of data, possible confidential data, onto the device in a matter of a few minutes. This can be done very discreetly and easily.

A common misconception is that if the outside perimeter of your network is secured, with Firewalls and Routers, then your network is safe. Very little thought is given to the security of computers and data inside the perimeter and yet around 50% of all security breaches occur from inside the corporate firewall.

This is a very real problem, with no easy solution. If you are in charge of security for your organisation then it’s a problem you will want to address as it will not go away. There portable devices are getting smaller and their capacity is increasing.

One solution I am currently looking at is EndPointSecurity from GFI. It is not cheap, but then it probably costs a lot less than trying to fix the problems caused by your confidential data getting into the hands of your competitors.

“There’s a 4:30 in the morning now?” - Bart Simpson

Monday 30 October 2006

Penetration Testing: An Overview

Introduction
Penetration Testing is an attempt to break the security of a computer system or network, under instruction from the owners or maintainers of that facility. It is an attempt to simulate an attempted break in by a computer savvy criminal. A Penetration Test gives a snapshot of the security at a moment in time, and is not a full security audit.

If a criminal attempts to breach your computer network they will generally follow a sequence of five steps:
        Reconnaissance
        Scanning
        Gain Access
        Maintain Access
        Cover Tracks

It therefore makes sense that a Penetration Test follows a similar, although obviously not identical, sequence of events.

Planning and Preparation
This stage involves a meeting between the Penetration Tester and the Client. Key areas to be covered are: Scope, Objective, Timing and Duration. In addition documents must be signed to cover the Penetration Tester and the Client, generally in the form of a Non Disclosure Agreement (NDA).

Information Gathering and Analysis
This next stage involves the Penetration Tester finding as much information as possible about the company he will be asked to target. His first stop will probably be the companies own website, from there he may consult services such as www.netcraft.com, and Google Groups. The information he is looking for is Domain Names, Server Names, ISP Information, Host Addresses and anything else that will help him build a picture of the target. The second part of this process involves Port Scanning and OS Fingerprinting.

Vulnerability Detection
If Stage 2 has been successful then the Penetration Tester now has all the information he needs to make the decision as to what hosts to target, and with what vulnerabilities. Some techniques he may use at this stage include Password Cracking, SQL Injection, Rootkit, Social Engineering and Physical Security.

Analysis and Reporting
This is where the Penetration Tester reports back to his Client. The information he is going to present to the client, includes the following:
        An Overview of the work done
        Detailed Analysis of all Vulnerabilities
        Summary of Successful Penetration Attempts
        Suggestions for the next step

Finish Up
This is where the Penetration Tester makes sure that anything he has done in the course of his work will have no effect when he has finished. For example he will remove any backdoors and additional user accounts that he has created, leaving the system how he found it.

The above is a quick overview only of the procedures that may be followed by a Penetration Tester while undertaking their assignment.

Research
Conducting a Penetration Test on an Organisation: Chan Tuck Wai 2002
Penetration Testing and Network Defence: Andrew Whitaker and Daniel Newman 2005

“Don’t eat me! I have a wife and kids. Eat them!” - Homer Simpson

Tuesday 17 October 2006

Skype Home Security !

Here’s a tip I picked up from Lifehacker.

How to use Skype as a ‘Dial In Home Security System’

1) Open two New Accounts.

2) On Account 1 add NewUser2 as your ONLY contact.

3) Login again as Account 1 and set as follows:
        Go to Tools-->Options-->Advanced-->(tick) Automatically Answer Incoming Calls-->

then go to Tools-->Options-->Video-->(tick) Start Video Automatically and Only People in My Contacts-->Save.
Leave this account online.

4) Log in as Account 2 from another Computer.
Call Account 1, this will now answer and start the video running, any one else calling this account, will not get activated or see your private Web Cam.

Pretty Cool

"It is difficult to say what is impossible, for the dream of yesterday is the hope of today and the reality of tomorrow." - Robert H Goddard

Sunday 15 October 2006

Living Congruently

Apparently, according to Steve Pavlina, the key to living congruently is aligning yourself so that the following four questions all produce the same answer:

        What do you want to do ? (Desire)
        What can you do ? (Ability)
        What should you do ? (Purpose)
        What must you do ? (Need)

It’s a little like searching for the Holy Grail !

"It is best to do things systematically, since we are only human, and disorder is our worst enemy." - Hesiod