Hobo Security Forum's Journal
Below are the 20 most recent journal entries recorded in Hobo Security Forum's LiveJournal:

Wednesday, April 1st, 2009 | 11:39 am [blackr0se76]

Thursday, April 3rd, 2008 | 10:33 pm [macanfitheach]
OH NOES!
LOL meets "The Matrix" meets VM rootkits...
Current Mood: amused

Tuesday, September 25th, 2007 | 2:21 pm [gabstaff]
so I am wondering..
I am interested in getting into the IT security field and was wondering which certifications I should obtain, such as CCNP or maybe the CCSP, and also roughly what the salary would be. I will cross-post everywhere!

Thursday, September 20th, 2007 | 3:10 pm [kevinblanchard]
MediaDefender "scandal"
So what are everyone's thoughts on the ongoing MediaDefender stories? For anyone not familiar with what's going on with it, you can get the current back story here. I do apologize, yes that is my own blog, and I hate to self-promote my own writings. I just wrote about it in my infosec blog earlier, since it's a pretty big deal and many mainstreamers who use P2P or may just care about the (IMO) unethical business practices had not heard about the story or series of events since July. Cross posted.

Friday, July 20th, 2007 | 11:01 pm [irishmasms]
Article: Nevada governor accidentally posts Outlook password
WTF? DOH!
http://www.politechbot.com/2007/07/20/whoops-nevada-governor/
In what could be a whopping security hole, Nevada has posted the password to the gubernatorial e-mail account on its official state Web site. It appears in a Microsoft Word file giving step-by-step instructions on how aides should send out the governor's weekly e-mail updates, which has, as a second file shows, 13,105 subscribers.
The Outlook username is, by the way, "governor" and the password is "kennyc". We should note at this point that the former Nevada governor, a Republican, is Kenny C. Guinn, which hardly says much about password security.
Current Mood: amused

Tuesday, June 5th, 2007 | 1:55 pm [lupine313]
It Began with an E-Mail
Thought the group might like this.
So I got an unsolicited e-mail yesterday and it turned out to be a pretty blatant phishing attempt related to...wait for it...PayPal. To make a long story short here, I had some free time on my hands so I began investigating this particular e-mail by looking at the message header as well as the phishing site which was set up to collect people's personal data, etc. After a short while, I was able to determine that the phishing site as well as the origin of the e-mail were both on the same ISP and from two separate, but geographically close, locations in the Los Angeles county area. I was also able to link this attack to an underground Chinese hacking group who seemed to be located in the same area.
Well at this point, I thought it would be a good idea to start compiling notes and make a report to submit to the LA County Sheriff's Department and, depending on the response, the California Department of Justice, the F.B.I., the Secret Service or the Department of Homeland Security. And then of course some of the local newspapers and news stations in LA and even the national news. I realize that one phishing attack isn't such a big deal, but with the amount of evidence I had compiled and the ease with which warrants would have been able to be obtained, this would've been a slam dunk and could potentially have led to the arrests of an entire underground hacking group. Also, California specifically has a state law to use when prosecuting cases related to phishing in their "Anti-Phishing Act of 2005."
Yes, I can be pretty optimistic sometimes.
Well this is where things get interesting, and where the purpose for my post here begins. Before I finished compiling all my notes and generating a report, I stopped for the day and decided I would pick up again today. This morning I noticed that I didn't have the link to the actual phishing site itself written down. In the e-mail, the unsub included a link to a page which had been hacked and was redirecting users to the phishing site in LA...I didn't have the URL for that site or the IP, and when I went back to the page which was redirecting, I was greeted with something entirely different.
The redirect page had been replaced with a page letting everyone know that the e-mail they received was not legitimate and was a phishing attempt and included links to a description of what phishing was and an e-mail address for people who wanted to report more instances of phishing, etc. Well this wasn't what I was looking for - I needed the IP address of the original phishing site. So I sent an e-mail to the person who put this new page up asking them if they had the original page which was there with a justification behind why I wanted it.
The response I received was from the owner of this anti-phishing site, who claims to make it a personal mission of his to thwart phishers. Very admirable, but after a few back-and-forth e-mails with this man I learned a few things and definitely questioned his actions. In his response to me he stated that he had replaced the page himself and that he wasn't sure he had the original still, but that he would look. In my second e-mail to him, I asked him as an aside, if he wasn't able to get in touch with the owner of the site or the ISP (which he claimed would be a waste of time), how he had replaced the phisher's page with his own. His response was that there was an account on that site with a very weak password which he found and was very common, and that if he couldn't take down the phisher's site, changing the redirect page was just as good.
This set some bells and whistles off in my head.
My take on this was that not only was what he did illegal and unethical - unauthorized access to a web server owned and operated by someone other than himself - but he had also possibly destroyed, and definitely corrupted, what could have potentially been very crucial evidence to the prosecution of the perpetrators of this phishing attack. The page itself would only have given me the IP of the original phishing site, which most likely has since been taken off-line; however, the logs for the redirect web server may have indicated when the server was hacked and who had uploaded the redirect page, and had this IP tracked back to the same ISP in the same geographic location and maybe to one of the members of this group I'm tracking, that would've been the proverbial nail in the coffin.
Well I brought all of this to his attention and basically his response was that he didn't see how a redirect page would've been valuable in the grand scheme of things. Moreover, he wasn't concerned with his act of "ethical hacking" because in his experience, the FBI doesn't respond to electronic crimes where there is no monetary loss greater than $10,000 (which is accurate, but irrelevant). He also said that he saw himself as serving the greater good by preventing any further individuals from becoming a victim to this particular attack. Basically, his justification was vigilantism.
I recommended to him that in the future he might want to first contact the owner of the site before accessing it (I was able to find both names, 5 phone numbers (both personal and work) and 2 e-mail addresses for the husband/wife team who owned and operated the site with a few brief searches) and before replacing anything, to first make a copy of the original content, including logs in the case that any criminal prosecution would arise. His response to that was that in his experience law enforcement took these kinds of "attacks" not very seriously at all but that he would be more diligent in the future.
And now my 2 comments for the group. First, what's your opinion of what transpired, as it was related? And secondly, and more important, in your ITSEC travels, please, please be aware of issues such as chain-of-custody, evidence contamination and what is legally permissible when it comes to computer crimes and computer forensics!!!
Thank you,
Jeff Caplan
Systems Security Analyst
x-posted
Current Mood: frustrated

Sunday, April 15th, 2007 | 6:04 pm [irishmasms]

Wednesday, April 11th, 2007 | 11:09 am [cracnup]
dynamic IPSEC solutions
The CIO at my company recently approached me asking for ways to encrypt ALL data going out over our WAN/between our branch locations. We have recently migrated from a frame relay network to a Metro Ethernet/MPLS combo allowing our remote branches to communicate directly with each other, bypassing the corporate hub. I am looking for something that would allow me to dynamically create IPSEC tunnels between all of my locations on the WAN. Cisco's DMVPN solution seems to fit what we want, but I'm wondering if anyone else offers a similar solution.
x-posted
Current Mood: curious

Tuesday, January 23rd, 2007 | 9:28 pm [irishmasms]
Snort monitoring & trend analysis
I am looking at monitoring & trend analysis on the snort boxen. Thought I would take an informal poll as to what monitoring you folks are looking at (CPU load, memory, ETH throughput, number of alarms/minute, etc) and what you are using to formulate your trend (MRTG, Nagios with RRDtool, etc). Any & all thoughts are appreciated - thanks!
x-posted

Tuesday, April 25th, 2006 | 2:33 pm [irishmasms]

Wednesday, April 5th, 2006 | 12:15 am [irishmasms]
Needed: some ISS NIDS manuals
I am on a quest for some ISS NIDS manuals, specifically on the Realsecure Siteprotector Version 7 for a box I am trying to figure out the alerts on. Any thoughts? TIA!!
x-posted

Tuesday, February 28th, 2006 | 8:26 pm [irishmasms]

Thursday, February 9th, 2006 | 1:19 pm [sqlnerd]
Port Monitor
I'm pretty sure something is sending spam through my Exchange server.. does anyone know of a Windows tool that would help me see what processes are using port 25? I'm looking around Sysinternals but having a hard time figuring out if my solution is there.
Edit: It's not relaying for outside servers..it's just sending off a ton of data. I can't tell where at this point, though I'm beginning to think it's a misconfiguration with my ISP's switch.

Friday, January 20th, 2006 | 6:22 pm [irishmasms]

Monday, January 9th, 2006 | 11:48 am [sedinitia]
New community rule
Per the recent amendment to US Code TITLE 47 > CHAPTER 5 > SUBCHAPTER II > Part I > section 223 > a > 1 > C: "makes a telephone call or utilizes a telecommunications device, whether or not conversation or communication ensues, without disclosing his identity and with intent to annoy, abuse, threaten, or harass any person at the called number or who receives the communications" to include "any device or software that can be used to originate telecommunications or other types of communications that are transmitted, in whole or in part, by the Internet". From now on, if you wish to flame anyone or such, you must, I cannot stress this enough, you must disclose your identity. ;)
edited: to alter the link from LOC search to cornell law

Sunday, November 13th, 2005 | 4:57 pm [liljoker9191]
Sony Rootkit Removal
If you have heard about SonyBMG's newest DRM technique, you will know that it opens you up to a lot of security problems. Here is how to get rid of the software that they install. This is copied from: http://www.freedom-to-tinker.com/?p=924

This DRM system operates only on recent versions of Windows. If you're using MacOS or Linux, you have nothing to worry about from this particular DRM system. The instructions here apply to Windows XP.

How to tell whether the rootkit is on your computer: On the Start menu, choose Run. In the box that pops up, type this command:

    cmd /k sc query $sys$aries

and hit the Enter key. If the response includes "STATE: 4 RUNNING", then your machine is infected with the rootkit. If the response includes "The specified service does not exist as an installed service", then your machine is not infected with the rootkit.

How to disable the rootkit: On the Start menu, choose Run. In the box that pops up, type this command:

    cmd /k sc delete $sys$aries

and hit the Enter key. Then reboot your system, and the rootkit will be permanently disabled.

Note that this does not remove or disable the main anti-copying technologies. It only turns off the rootkit functionality that hides files, programs, and directory entries. The main DRM software is still present.

Monday, October 17th, 2005 | 10:58 pm [sqlnerd]
Sidestepping Websense
EDIT: I've done a few things since I originally posted this.
1. I installed SecureIM on a colocated server and changed my AIM proxy to the internal IP and port.
2. I used my own certificate server to create a PFX file and now all my AIM is encrypted.
3. I installed Privoxy as suggested by an LJer and edited Firefox and IE to use it.
4. I set up a Google VPN connection and that's my new gateway. I checked and all my stuff is going through there now.
I'd say I probably only needed to do #2 and #4. The VPN isn't allowing Yahoo (competition?) though, so I'm using VPN for AIM and SecureIM for Yahoo.

Original post
------------------
I'm in the IT department so I don't need to do this..but it's a challenge for me. Websense can track crap hardcore. From AIM to Web traffic. I want to install an AIM proxy on port.. 81 that perhaps looks like web traffic instead of AIM. I'd also like to install a proxy server (windows/linux doesn't matter) that would trick Websense into not sniffing out port 80 hits. Any suggestions? I'm not a security nerd so if my concepts are way silly, please forgive. thanks

Sunday, October 9th, 2005 | 2:46 pm [sedinitia]
Free San Diego Event
What: Computer Security for Small Organizations
Where: (PacBell Building) 2375 Northside Drive, San Diego, CA
When: 18 Oct 2005 8am-5pm
Cost: Free
Summary:
How your data is vulnerable
What you can lose through an information security breach
Practical steps to protect your operations
How to use information security vendors and consultants
How to evaluate tools and techniques based on your needs
http://app1.sba.gov/calendar/states/EvntDtl1.cfm?&E1CNTR=194398

Tuesday, October 4th, 2005 | 8:07 am [herstarcatcher]
putty.exe and OpenSSH 3.4 on Solaris 8 Authorized_Keys
Ok, I ran puttygen for an SSH-2 DSA key; all of my servers are communicating with SSH-2 DSA keys. I run the export for OpenSSH, copy and paste the key into my authorized_keys files and do the following... putty.exe username@servername and it prompts me for my password. I've also tried it with the SSH-2 RSA option. What am I doing wrong? Better yet, how do you turn verbosity on for putty? That would help as well.
Current Mood: cranky

Wednesday, August 24th, 2005 | 9:37 pm [sqlnerd]