Just ran across this great metaphor and thought I would share
A security program is like a boat. If it’s poor, it’s like a boat
with holes in it. You can spend so much time plugging the holes and
bailing water that you fail to progress towards your destination.
However, if you take the time to make your boat seaworthy, you will have
a much easier time getting where you’re going.
Earlier this year, I discovered that some WebDAV folders at my job were not configured securely. Long story short, it was bad. Not Everyone-has-access-to-Everything bad, but close. WebDAV is basically a file share served up by a web server (see the Wikipedia article on WebDAV for more details). If WebDAV is not configured securely, you are open to data theft, server compromise, and probably a lot more. I found some good information about securing WebDAV in various places and thought I would collect what I found in this post.
Just had the Unibroue 17 Grande Reserve. It’s a really nice beer (as usual from the folks at Unibroue). I do miss the yearly Unibroue releases. 16 was easily my favorite. But I’ll take 17 Grande Reserve any day. It actually smells like Trois Pistoles, but the color and flavor are lighter. You pick up some light wood from the French Oak and some sweetness from the dark ale. As always, Unibroue hides the 10% ABV very well.
17 in my Duvel glass
As I was reading the article detailing Mat Honan’s multiple account compromise (read the Wired article about it), I was surprised at how easy it was to completely subvert standard security processes around user verification. The entire hack was possible because the attackers were able to gather easily attainable information about Mr. Honan and then use that information against Amazon and Apple to gain access to Mr. Honan’s accounts.
So I asked myself, “What could have been done differently? How could these processes have been changed to prevent this attack?” The trick is to find something that is easy to use, hard to forge, and uses information that is hard to discover or intercept. Here are a few of the ideas that I and others have offered.
I was installing BeEF (The Browser Exploitation Framework) on Windows 7 and ran into a couple of problems. I eventually got all of them fixed, so I thought I would write up a proper installation guide for future reference.
Latest version of the script is here:
I’ve been tweaking the http-screenshot-html.nse script from my last post. I’ve added some features and modified some things:
Latest version of the script is here:
About a month ago, the folks at SpiderLabs created an NMAP NSE script to grab a screenshot of any scanned hosts that were running web services. (Read about it here). The guys over at Pauldotcom were talking about the script and how it would be cool if it could output the results with links and full header information. I decided this would be a good opportunity for me to learn some Lua and do some cool things with NMAP.
One of my favorite scenes from War Games is when David Lightman visits the two computer experts Jim and Malvin. They are discussing how David could break into the computer system he thinks belongs to a game company. Jim and Malvin tell David that this system looks like it belongs to the government and there is no way he’s getting in there. But David says, “I don’t believe that any system is totally secure.” Turns out, David was right.
This is the second part of my posts on what the 1983 movie War Games can teach us about security. Here, I want to talk about the part of the movie where David Lightman (Matthew Broderick’s character) realizes that he almost started World War III and is in the process of throwing away any evidence that he hacked into NORAD. At that moment, the NORAD supercomputer WOPR calls David. Later in the movie, McKittrick (Dabney Coleman’s character) says it’s impossible for the WOPR to call someone. Well, he was obviously wrong, because the WOPR did call out. Fail! Which brings us to our second lesson.
I recently re-watched War Games, the 1983 movie starring Matthew Broderick and Ally Sheedy. If you haven’t seen it, stop. Go watch it. We’ll play a game of chess while we wait for you.
One of the great things about War Games is that it shows a fairly realistic depiction of a hack. At the beginning of the movie, we see David Lightman use a wardialer to find phone numbers connected to modems. It turns out NORAD had left a phone line exposed to the outside and that allowed David Lightman to access the WOPR. Later on in the movie, one of the sysadmins at NORAD said, “The phone company screwed up! They exposed a phone line.” This leads us to our first lesson.