HP Racist Webcam - Facial Recognition Far From Perfect

On the 10th of December a tongue-in-cheek demo of a failure of an HP webcam was published on YouTube. The video shows the failure of software that is designed to recognize the speaker's face and react so that the face is always centered in the frame.

The failure is that the software does not recognize a black person's face, while it clearly identifies the white person's face.

In the meantime several other videos have appeared that further analyze this situation. It appears that a person with very dark skin is not recognized unless the lighting conditions are perfect, since the camera cannot distinguish the facial features.

This only adds fuel to the fire in the debate about facial recognition in biometric IDs. It is now proven that facial recognition can fail miserably on a sizeable chunk of the world population.




Does this mean that black people should not use biometric IDs? What do you think?

Related posts
A Simplified Analysis - Can you Forge a Biometric ID?

Hacking Rapidshare Premium Access at Your Own Risk

A lot of people on the internet have become frustrated by the rapidshare free limitations, and wished that they had a premium account. Well, you actually can have such an account, but it may come at an unexpected cost. Just use a rapidshare premium link generator service.

One of those 'services' is Rapid Premium. To log in, just use the public/public credentials and go to the download section. In the text box, paste the URL of the public access rapidshare link to the file you wish to download. Rapid Premium will use stolen credentials and create a URL for you that uses a 'borrowed' Rapidshare Premium account.



As a simple test, I logged on to the service from an isolated virtual machine, and downloaded a small text file. The test was performed with our own file to limit possible malicious code from rapidshare. The file got downloaded faster, and the MD5 hash wasn't changed - so no intrusion from Rapid Premium on this one.

  • Is it useful? Probably yes. There are a lot of situations when you need a fast download, or the free download slots on rapidshare are full just when you need something.
  • Is it legal? Most probably not. Just as a lot of these services do, this one relies on stolen rapidshare credentials. But it's a bit safer than just obtaining such a credential from black hat forums or IRC channels, since you can always claim plausible deniability.
  • Is it safe? Most probably not. Always remember that there is no such thing as a free lunch. Services like Rapid Premium are excellent locations for all kinds of hacking attempts against their visitors - browser vulnerabilities, XSS, CSRF or anything else. So before thinking about 'hacking' rapidshare, consider whether it really is that important to get the data a bit earlier.

Talkback and comments are most welcome

Related Posts
Ratproxy - Google Web Security Assessment Tool
How To - Malicious Web Site Analysis Environment

DECAF - Counter Forensics Tool That Must Grow

After the leak of Microsoft COFEE into the 'wild', a tool has emerged that will supposedly make life very difficult for a forensic investigator using COFEE.

The tool is titled DECAF and is freely available, although not open source.

The tool does not need to be installed, and when configured in 'LockDown Mode' it offers a set of counter-forensics functions upon detecting a COFEE process running on the computer. The following counter-forensics functions are available:

  • Contaminate MAC Addresses - Modify MAC addresses of network adapters to possibly throw investigators off course in the investigation
  • Kill Processes - Eliminates
  • Shutdown Computer - Self evident if possible evidence is in memory
  • Disable network adapters - most forensic tools send their evidence onto a trusted network share - this will stop all external communication
  • Disable USB ports - the basic blockade step to prevent COFEE from working properly
  • Disable Floppy drive - should you use a floppy for evidence collection or COFEE execution
  • Disable CD-ROM - Same as USB and Floppy
  • Disable Serial/Printer Ports - Got lost here; unless you have some specific tools or choose to print evidence this is not very useful
  • Erase Data - Basic Windows delete of folders which you know may incriminate you. Won't do much good though since it can be
  • Clear Event Viewer - Remove logs from the Event Log
  • Remove Torrent Clients - nobody wants these found, especially on their company computer
  • Clear Cache - Remove cookies, cache, and history from everywhere
Since most users don't have COFEE copies to test DECAF, it includes a simulator that triggers the reaction as if a COFEE process were active.

According to information from the site, future versions will have text message and e-mail triggers, so if the computer needs to enter lockdown mode the user can do it remotely. There is also a suggestion that it may run as a Windows service.

But DECAF is far from being a magic bullet: in its present form it has a lot of realistic issues that will prevent it from being successful. Here is my top list of issues:
  1. Tied to one product and its current mechanism of operation - DECAF is designed to react to COFEE, and is built to react to the leaked version of the COFEE code. In the long run, Microsoft can modify the way COFEE processes operate, which may render DECAF useless. DECAF needs to expand into an automated 'evidence eraser' independent of COFEE.
  2. Needs to run under an administrator context to be most efficient - You can't erase the Event Log nor change a MAC address unless you are the local administrator. So the usual corporate employees need to understand that their protection is limited to what their account is permitted to do.
  3. It doesn't 'live' as a service - you need to run the process for it to be active. And any forensic investigator can see the tray icon and the process in Task Manager. While the DECAF developers announce that it will run as a service, as it is now it is as visible as a zit in the middle of a teenager's nose.
  4. Fails on certain platforms - running it on Windows XP (virtual environment test) produced an error and the application failed. While this may not be the case with all Windows XP installations, there is a probability that DECAF will fail on some computers.
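From the investigator's side, the lockdown sequence above (log clearing, adapter and port disabling, MAC contamination) is itself a loud signal: several distinct anti-forensic actions from one host within seconds. The following detector is an added example written for this post, not DECAF's or COFEE's code. It runs over constructed telemetry records (not real logs); Windows event IDs 1102 (Security log cleared) and 104 (System log cleared) are real, while the "edr" channel and its action names are assumptions standing in for whatever endpoint telemetry you have.

```python
from collections import defaultdict

# Constructed telemetry (not real logs), normalized as
# (timestamp_seconds, host, channel, event_id, detail).
# 1102/104 are real Windows event IDs; the "edr" channel is an assumption.
SAMPLE_EVENTS = [
    (1000, "WKS-07", "Security", 4624, "logon"),
    (1100, "WKS-07", "edr", 0, "process_create:cofee_simulator.exe"),
    (1102, "WKS-07", "Security", 1102, "audit log cleared"),
    (1103, "WKS-07", "System", 104, "System log cleared"),
    (1105, "WKS-07", "edr", 0, "adapter_disabled:Ethernet"),
    (1106, "WKS-07", "edr", 0, "mac_changed:Ethernet"),
    (1107, "WKS-07", "edr", 0, "usb_disabled"),
    # a lone log clear on another host, e.g. routine admin maintenance
    (5000, "WKS-12", "Security", 1102, "audit log cleared"),
]


def indicator_of(channel, event_id, detail):
    """Map one record to an anti-forensic indicator name, or None for ordinary activity."""
    if channel == "Security" and event_id == 1102:
        return "security_log_cleared"
    if channel == "System" and event_id == 104:
        return "system_log_cleared"
    if channel == "edr":
        action = detail.split(":")[0]
        return {
            "adapter_disabled": "network_disabled",
            "mac_changed": "mac_changed",
            "usb_disabled": "usb_disabled",
        }.get(action)
    return None


def detect_lockdown_bursts(events, window=60, min_distinct=3):
    """Flag hosts where at least `min_distinct` different anti-forensic
    indicators fire within `window` seconds of each other.
    Returns {host: sorted list of indicator names} for every flagged host."""
    per_host = defaultdict(list)
    for ts, host, channel, event_id, detail in sorted(events):
        ind = indicator_of(channel, event_id, detail)
        if ind:
            per_host[host].append((ts, ind))

    alerts = {}
    for host, hits in per_host.items():
        for i, (start, _) in enumerate(hits):
            # distinct indicators in the window that opens at this hit
            in_window = {ind for ts, ind in hits[i:] if ts - start <= window}
            if len(in_window) >= min_distinct:
                alerts[host] = sorted(in_window)
                break
    return alerts


if __name__ == "__main__":
    for host, indicators in detect_lockdown_bursts(SAMPLE_EVENTS).items():
        print(f"{host}: anti-forensic burst -> {', '.join(indicators)}")
```

A single cleared log is normal enough to ignore; the correlation of several indicators in a short window is what separates a lockdown from maintenance, which is why the rule counts distinct indicators per host rather than raw event volume.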

Talkback and comments are most welcome

Related posts
New Helix3 Forensic CD - Welcome
Digital Forensics Framework - A Perspective Forensics Tool
Tutorial - Computer Forensics Process for Begginners
Tutorial - Computer Forensics Evidence Collection
Scalpel - File Carving from Partially Wiped Evidence Disk

DefendTheApp - An OWASP AppSensor Project

DefendTheApp.com is now live. This site provides a fully functioning demonstration application that has implemented an AppSensor detection and response capability. The site also provides easy links to all relevant AppSensor information.


Not familiar with AppSensor? The basic idea is this: currently, applications use a variety of secure development techniques to prevent an attacker from being able to break into the application. Secure development is great; however, we can't just stop there.

Consider the defensive strategies used by physical banks, prisons, federal buildings, etc. We do use security controls to prevent attacks (locked doors, ID cards to enter); however, we also use a variety of methods to monitor and detect attackers before they have succeeded in their devious intents (cameras, guards, motion sensors, alarms). And in the real world, we put most of our faith in the ability to detect and catch a criminal, not in the ability to design a system that can withstand a relentless and unrestricted series of attacks.

This is the idea of AppSensor. Implement detection points within the application to discover a malicious user that is probing for vulnerabilities. Once the user is detected and a threshold of malicious activity is reached, report the user as an attacker and lock that user out of the application. If you can detect attackers and lock them out before the attacker finds a vulnerability, then you've significantly enhanced the security of your application.
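To make the detect-threshold-lock out loop concrete, here is an added example of a detection point inside a request handler, written for this post and not taken from the AppSensor project or DefendTheApp.com. The detection-point names, thresholds, the 900-second lockout and the page's expected parameters are all constructed for the example; AppSensor's own identifiers and reference code are not reproduced here.

```python
from collections import defaultdict

# Events of a detection point a user may trigger before being treated as an
# attacker. Names and numbers are constructed for this example.
THRESHOLDS = {
    "unexpected_parameter": 3,
    "auth_failure": 5,
    "forced_browsing": 2,
}
LOCKOUT_SECONDS = 900


class AppSensor:
    """Counts detection-point events per user and locks the user out once a
    threshold is reached."""

    def __init__(self):
        self.counts = defaultdict(int)   # (user, point) -> events seen
        self.locked_until = {}           # user -> time the lockout expires
        self.log = []                    # what an analyst would review

    def is_locked(self, user, now):
        return self.locked_until.get(user, 0) > now

    def report(self, user, point, now):
        """Record one event; returns True if the user is (now) locked out."""
        if self.is_locked(user, now):
            return True
        self.counts[(user, point)] += 1
        self.log.append((now, user, point, self.counts[(user, point)]))
        if self.counts[(user, point)] >= THRESHOLDS[point]:
            self.locked_until[user] = now + LOCKOUT_SECONDS
            self.log.append((now, user, "LOCKED_OUT", LOCKOUT_SECONDS))
            return True
        return False


# Parameters each page declares; anything else is a probe (constructed).
EXPECTED_PARAMS = {"/account": {"id", "view"}}


def handle_request(sensor, user, path, params, now):
    """Request handler with one detection point: a parameter the page never
    declared is reported. Returns an HTTP-like status code."""
    if sensor.is_locked(user, now):
        return 403
    unexpected = set(params) - EXPECTED_PARAMS.get(path, set())
    if unexpected:
        if sensor.report(user, "unexpected_parameter", now):
            return 403
        return 400
    return 200


def simulate():
    """A legitimate user with one typo versus a user probing for hidden parameters."""
    sensor = AppSensor()
    statuses = {}
    statuses["alice"] = [
        handle_request(sensor, "alice", "/account", {"id": "7", "veiw": "x"}, 10),
        handle_request(sensor, "alice", "/account", {"id": "7", "view": "x"}, 11),
    ]
    statuses["mallory"] = [
        handle_request(sensor, "mallory", "/account", {"id": "7", "admin": "1"}, 20),
        handle_request(sensor, "mallory", "/account", {"id": "7", "debug": "1"}, 21),
        handle_request(sensor, "mallory", "/account", {"id": "7", "role": "x"}, 22),
        # a perfectly valid request, but the user is now locked out
        handle_request(sensor, "mallory", "/account", {"id": "7"}, 23),
        # after the lockout expires the account works again
        handle_request(sensor, "mallory", "/account", {"id": "7"}, 23 + LOCKOUT_SECONDS),
    ]
    return statuses


if __name__ == "__main__":
    for user, codes in simulate().items():
        print(user, codes)
```

The threshold is what keeps a single mistyped parameter from locking out a real user, while three probes for undeclared parameters are treated as reconnaissance and stop the session before a vulnerable parameter is found. A real deployment would also report the lockout to monitoring, which is what the `log` list stands in for.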

This is a guest post by Michael Coates, a senior application security consultant with extensive experience in application security, security code review and penetration assessments. He has conducted numerous security assessments for financial, enterprise and cellular customers world-wide.

The original text is published on ...Application Security...


Talkback and comments are most welcome

Related posts
OWASP Publishes Top 10 Web App Security Risks for 2010
Creating Your Own Web Server
Web Site that is not Easy to hack - Part 2 HOWTO
HTTPS Data Exposure - GET vs POST

A Simplified Analysis - Can you Forge a Biometric ID?

Security of biometric IDs like biometric passports is a very frequent topic of discussion, and we all know there are issues. But most of those issues are related to encryption, materials and generally anything that requires a lot of technical knowledge.
Here is an example of the possibility of creating a fake biometric ID with very little technical knowledge. In order to understand this possibility, we need to discuss the two biometric elements within the ID:

1. Facial information
Each biometric ID contains a very clear and accurate photo of the owner of the ID. And facial recognition is used in a lot of systems, most frequently in organizations which require non-intrusive identification - like casinos and some border controls. So facial recognition systems are quite common and commercially available.


But facial recognition has an inherent weakness - it cannot be calibrated to 100% accuracy. This is simply because some features of your face can actually change on a daily basis: facial bloating, skin discoloration, acne, minor injuries. So the facial recognition system needs to be flexible - most facial recognition systems are set up to match at around 70-80%.

2. Fingerprints
Fingerprints are also stored in the biometric ID, with most IDs storing only one or two fingerprints - the index finger of the right hand or the fingerprints of both index fingers. It is common knowledge that fingerprint readers can be easily fooled, with very simple and available methods. One simply lifts the fingerprints and creates a copy using Photoshop, a laser printer and gelatin or wood glue. Here is an example of a simple fingerprint lifting method - the first step in recreating a fingerprint.
So far, these two elements may be fooled, but how can we create a fake biometric ID with such information?

Technically, it is very, very difficult to modify a manufactured biometric ID into a fake one, which was the initial idea.
But what if you can alter the input data of the process of creating a new legal biometric ID? The process is quite simple:

  1. The seller of the fake ID must create the fake ID for a person that has similar facial features to him/her, so the facial recognition software matches the expected 70-80% similarity. To match a seller and a buyer with sufficient similarity, you can use a public web site http://celebrity.myheritage.com/FP/Company/try-face-recognition.php
  2. The seller will prepare fake fingerprint covers of the buyer and attach them to his/her fingers.
  3. The seller simply enters the appropriate authority and applies for the biometric ID. He/she gets photographed and the fingerprints get scanned on a scanner that is in front of bulletproof glass (to isolate from the flu). These authorities are staffed by overworked people and there is usually a lot of commotion, so very few people will ever notice the fake fingerprint covers. Oh, and the application software rarely compares the previous fingerprints with the currently scanned ones.
  4. If all goes well, the seller will receive an original ID which contains the face of the seller as well as his/her personal information, but the fingerprints are of another person - the buyer. The buyer can now take that ID and actually pass most control checks.
  5. For all legal purposes such an ID is very much a fake, and there is no way to prove that the seller faked his/her information - even if the fake fingerprints are found on file, how will you prove that the seller faked his fingerprints?
Easy, isn't it?
What's your opinion? Can this method actually work?


Privacy Ignorance - Was Eric Schmidt thinking?

Eric Schmidt said in a CNBC special recently that “If you have something that you don’t want anyone to know, maybe you shouldn’t be doing it in the first place!”

And yet this flagrant ignorance of basic privacy has been met with mixed reactions. Some are criticizing, others are agreeing. Garett Rogers at ZDNet is even brown-nosing Google's CEO for some reason with the statement "I couldn't agree with him more!"


It would have been easy to just start ranting about the generic ignorance of Eric Schmidt for anything private. But I wanted to see what the Google engine would do with something that I don't want anyone to know, and yet couldn't prevent from happening - ILLNESS.

I created a series of e-mails which I exchanged between two Gmail accounts. It took 3 e-mails for Gmail to suddenly start offering me anti-allergy bracelets and refer me to doctors in its AdSense. Now Google's engines know that I have an allergy. Here are the transcripts, word for word, of those e-mails:

I apologize for not being on time, but I had to visit a doctor
Apparently, I have developed some form of allergy. I will need to be treated with anti-allergy drugs for some time.

They are still investigating which medicine is the best

See you around
---------------------------------------------------------------
Bozidar
I am very sorry about your situation. I have had some rash issues myself some time ago, and I got prescribed Singulair and Alavert. Maybe you should mention those to your doctor as possibilities

Be safe
---------------------------------------------------------------
Alavert is for allergies. So I'll be mentioning it to my doctor

Thanks

All it takes is 3 very short texts for Google's engines to know that you are ill. And those may be e-mails you exchanged with your physician. It is quite obvious that the automated engines use this information - I got relevant commercials.

So I would ask Mr Schmidt:
  • Nobody chooses to be ill, and information about health is exchanged via e-mail, so now Google knows it. So, please answer - what won't Google do with this information?
And I will ask Mr Brin and Mr Page:
  • Do you support that the CEO of your company stated that it's our fault that Google knows something that is very private and confidential?

Talkback and comments are most welcome

Related posts
No Privacy - Saw You Cheating on Image Search
Google Voice - No Privacy Remains?

Vulnerability Management from the Cloud - Overview of the services

Vulnerability and Compliance Management offerings delivered as Software as a Service (SaaS) are springing up like mushrooms. The SaaS model has enabled companies focused on vulnerability management to extend their reach and offer their services to more and more potential clients.
Most companies in this market name their SaaS service the "on-demand solutions for security risk and compliance management".


The players
Here is the list of potential vendors that you should look at, in no particular order:

Bear in mind that this list does not include all relevant vendors, so you may want to extend your search. But it's a representative sample that will help you to review what is the offering of the competition.

The offering
The services are usually delivered as dedicated black-box appliances that are placed within your infrastructure. They perform the scanning or IPS/IDS, but the results are then sent to the 'cloud' where reports are generated. Most companies are offering the usual set of services:
  • Vulnerability Scanning - the basic offer of vulnerability scanning, with more or less success but definitely comparable to your local vulnerability scanner.
  • PCI DSS Scanning - the Payment Card Industry Data Security Standard (PCI DSS) was one of the important 'differentiators' of SaaS vulnerability scanning. PCI DSS requires a scan that is certified by the PCI group and performed by a certified company. So the SaaS vulnerability management companies got certified and created the PCI DSS scans. But for all everyday intents and purposes, your local vulnerability scanners have the same PCI DSS scans - all you need is to commission the scan 4 times a year for the PCI DSS audit.
  • Managed Intrusion Detection/Prevention - much like the vulnerability scanning, this is more or less what your local IPS/IDS does, only the results go out and get analyzed and compared in the cloud.
  • Reporting and Fix Tracking - this element may be one of the differentiators, but local vulnerability scanners are catching up. In a SaaS solution, all results are kept as reports, and you can easily create comparative baseline reports, or even assign tasks to persons for fixing some vulnerabilities. The system will automatically send reminder e-mails to those persons and re-scan after the configured deadline for fixing.

Vulnerability Management - Local or Managed?
In conclusion, both the local and the managed solutions are doing quite well at the moment, and function-wise they are comparable. So which one to go for?
  • The local solution can easily be reconfigured and directed at different targets. It is very flexible and, because it is usually installed on a laptop, very portable. It is an excellent choice for anyone that needs to perform scans from different positions in the corporate network. This would include IT security teams, penetration testers, external auditors and consultants.
  • The managed (SaaS) solution is stationary, fixed and quite cumbersome to move around. It usually lives in the data center as a black-box probe, or at the managed service provider as an external scan. It can be configured with the required targets, scheduled to run at regular intervals and perform regular controls. It is a good choice for internal auditors, security officers and compliance officers - no need for maintenance, it is all handled by the managed service provider.
  • Calculate the optimal price/performance - the SaaS versions are usually a yearly subscription charged per number of IP addresses to scan. This price may be quite significant, and you are fixed to the block of IP addresses. On the other hand, the local scanners require hardware to run on, and you still pay a subscription for the vulnerability updates. So you need to calculate your optimal cost based on your requirements and expectations.


Talkback and comments are most welcome

Related posts
Nessus vs Retina - Vulnerability Scanning Tools Evaluation
NeXpose Community Edition - Our First Look
Tutorial - Using Ratproxy for Web Site Vulnerability Analysis

Summary of IP Spoofing

If you are using any sort of IP based filtering within your application, then you need to evaluate how IP spoofing attacks affect your security controls. In order to make a fair evaluation you will need a basic understanding of IP spoofing attacks.



Let's look at two different scenarios.

Scenario #1: The attacker wants to spoof an arbitrary IP address and is not on the same subnet (broadcast domain) as the targeted IP address. Example: the attacker is 1.2.3.4 and wishes to spoof 4.5.6.7.

Scenario #2: The attacker wants to spoof the IP address of someone on his own subnet (broadcast domain). Example: the attacker is 192.168.1.55 and wishes to spoof 192.168.1.58 (assuming a subnet mask of 255.255.255.0).


Scenario #1

The attacker can create forged TCP packets and set the source IP address to any value. One tool that can do this is hping2.

What can you do:

  • Send an initial TCP packet with any source IP address
  • Send a series of UDP packets with any source IP address
  • Send a series of unrelated TCP packets from the same or varying IP addresses
What can't you do:
  • Receive any responses to your forged messages. The responses, if sent, would go to the forged IP address.
  • Send a string of related TCP packets (e.g. reconstruct an actual TCP exchange). This is because you can't complete the handshake or guess the necessary information to continue the TCP connection.
Scenario #2

The attacker can perform a variety of attacks to forge or take-over the IP address on the same subnet.

Attack Options:
  • Simplest - Statically define your IP address to the target IP address
  • Switch your MAC address to the MAC address of the NIC that currently holds the target IP address and attempt to assume control of the IP
  • Execute man in the middle attack via arp spoofing (see tool Cain & Abel) and then gain control of user's unencrypted transmissions. You could likely modify or redirect traffic to accomplish your original spoofing goal.
What can you do:
  • Assume control of the IP address. Note: This means you can send/receive valid data using the targeted IP address as your own. It does not grant you access to existing sessions that the user had with any websites (because you don't have the user's session cookies).
What can't you do:
  • Intercept encrypted (e.g. SSL/TLS) communication destined for the target IP address without alerting the targeted user in some way (browser warning message for MitM invalid certificate).
Hope this is helpful. This is by no means an exhaustive list of attack techniques, but something to consider if you are using IP related controls within an application.
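The reason Scenario #1 cannot produce "a string of related TCP packets" is the handshake: the server's SYN-ACK carries an initial sequence number (ISN) that is delivered to the forged address, and the connection is only established when the sender echoes ISN+1. The model below is an added example written for this post (not the author's code or hping2's) that plays both sides of the exchange and then shows what an IP allowlist in an application should actually trust: a source address whose handshake completed, never the source address of a lone datagram. Addresses, ports and the `isn_source` hook are constructed for the example.

```python
import secrets

SEQ_MOD = 2 ** 32


class TcpServer:
    """Server side of the three-way handshake, reduced to the sequence-number check."""

    def __init__(self, isn_source=None):
        # isn_source is a hook so tests can fix the ISN; production-like default is random
        self.isn_source = isn_source or (lambda: secrets.randbelow(SEQ_MOD))
        self.pending = {}        # (ip, port) -> ISN we chose for that peer
        self.established = set()

    def on_syn(self, src_ip, src_port):
        isn = self.isn_source()
        self.pending[(src_ip, src_port)] = isn
        # The SYN-ACK is routed to src_ip: only the real holder of that address sees it.
        return {"to": src_ip, "flags": "SYN-ACK", "seq": isn}

    def on_ack(self, src_ip, src_port, ack):
        isn = self.pending.get((src_ip, src_port))
        if isn is not None and ack == (isn + 1) % SEQ_MOD:
            self.established.add((src_ip, src_port))
            return True
        return False


def trusted_by_ip(server, ip, port, allowlist):
    """Application-level IP control that only honours the allowlist for a
    connection whose handshake completed."""
    return ip in allowlist and (ip, port) in server.established


def real_client(server, ip, port):
    """A host that really owns `ip`: it receives the SYN-ACK and answers with seq+1."""
    synack = server.on_syn(ip, port)
    assert synack["to"] == ip            # the reply reached us
    return server.on_ack(ip, port, (synack["seq"] + 1) % SEQ_MOD)


def blind_sender(server, spoofed_ip, port, guessed_seq=0):
    """Scenario #1: the SYN carries spoofed_ip, so the SYN-ACK goes to that
    address and this sender never learns the ISN; it can only guess."""
    server.on_syn(spoofed_ip, port)      # reply is delivered elsewhere
    return server.on_ack(spoofed_ip, port, (guessed_seq + 1) % SEQ_MOD)


def demo(fixed_isn=None):
    """Run one legitimate and one blind handshake against the same server."""
    server = TcpServer((lambda: fixed_isn) if fixed_isn is not None else None)
    allowlist = {"4.5.6.7"}
    legit = real_client(server, "4.5.6.7", 40000)
    spoof = blind_sender(server, "4.5.6.7", 40001)
    return {
        "legit_established": legit,
        "spoof_established": spoof,
        "legit_trusted": trusted_by_ip(server, "4.5.6.7", 40000, allowlist),
        "spoof_trusted": trusted_by_ip(server, "4.5.6.7", 40001, allowlist),
    }


if __name__ == "__main__":
    print(demo())
```

With a random 32-bit ISN the blind sender's guess succeeds with probability 2^-32 per attempt, which is why the post counts "receive responses" and "complete the handshake" as things the off-subnet attacker cannot do. It also shows the limit of the control: UDP and single SYNs carry no such proof, so a filter that trusts their source address trusts nothing.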


This is a guest post by Michael Coates, a senior application security consultant with extensive experience in application security, security code review and penetration assessments. He has conducted numerous security assessments for financial, enterprise and cellular customers world-wide.
The original text is published on ...Application Security...

Talkback and comments are most welcome

Related posts
DHCP Security - The most overlooked service on the network
Example - Bypassing WiFi MAC Address Restriction
Obtaining a valid MAC address to bypass WiFi MAC Restriction

NeXpose Community Edition - Our First Look

Rapid7 chose to publish a free version of their NeXpose scanner. The software has been available for less than a month, and still has to prove itself to the general community. We are publishing the experiences of our first look at this product. NeXpose Community integrates with Metasploit, and the integration will be covered in the next article.


Installation
The installation is simple enough - just run the installer. It asks for a username/password for the web interface, and then installs itself. There are no errors when installing on Windows 7, XP SP3 and Windows 2003 Server.

First run
Start up on Windows 7 was not successful. NeXpose Community just threw a lot of access denied error messages. As far as I could understand, the access denied messages are because of an attempt to modify the registry, which is protected under Windows 7. Even when using Run As Administrator I got the same results.
The run was successful from the Windows 2003 Server installation. The first start up was extremely slow; it ran for more than 15 minutes configuring and updating itself. After that, the web interface is available for login at https://serverip:3780

First Scan
In order to scan you need to configure a Site, with target IPs within it. You can add several target IPs within the same site. The scanning options include the following scanning templates:

  • Full audit : Performs a full network audit of all systems using only safe checks, including network-based vulnerabilities, patch/hotfix checking, and application-layer auditing. Only default ports are scanned, and policy checking is disabled, making this faster than the Exhaustive scan.
  • Exhaustive : Performs an exhaustive network audit of all systems and services using only safe checks, including patch/hotfix checking, policy compliance checking, and application-layer auditing. Performing an exhaustive audit could take several hours or even days to complete, depending on the number of hosts selected.
  • Penetration test : Performs an in-depth penetration test of all systems using only safe checks. Host-discovery and network penetration options will be enabled, allowing NeXpose to dynamically discover additional systems in your network to target. In-depth patch/hotfix checking, policy compliance checking, and application-layer auditing will not be performed.
These templates and their behaviour cannot be modified in the NeXpose Community.

You can run the scan at scheduled intervals as well as manually. Once you initiate the scan, the scanning engine is very fast, and usually completes Penetration Test scan within 5-7 minutes on a fast link.

Scan Results
The scan results are presented in a very clear manner, for each site separately. A Damn Vulnerable Linux 1.5 host with an active HTTP target was scanned with the Penetration Test template in less than 3 minutes, and the scan identified the following vulnerabilities:
  • PHP Multiple Vulnerabilities Fixed in version 4.4.9
  • PHP Unspecified 'glob' Vulnerability
  • PHP Crafted UTF-8 Inputs Buffer Overflow
  • Apache Signals Sent to Arbitrary Processes Denial of Service
  • PHP session.save_path/error_log Values Not Checked Against open_basedir and safe_mode
  • Apache mod_imap/mod_imagemap Cross-Site Scripting Vulnerability in imagemap File Menus
  • HTTP TRACE Method Enabled
  • ICMP timestamp response
The reporting, although crippled compared to the commercial versions of NeXpose, is still very good. You can schedule report generation and sending, and you can configure a baseline for each report - you get comparative results of the changes between the scans. This is very useful for automated scanning and for the information required by IT auditors and information security officers.
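Both this post and the earlier SaaS vulnerability management overview (the "Reporting and Fix Tracking" point) describe the same feature: a comparative baseline report, plus reminders for fixes that are past their deadline. The code below is an added example of what such a report computes, written for this page; it is not NeXpose's, any vendor's, or the author's code. The scan exports, finding identifiers, owners and due dates are constructed for the example, loosely named after the findings listed above.

```python
from datetime import date

# Constructed scan exports (not real scanner output): one record per finding.
BASELINE = [
    {"host": "10.0.0.5", "vuln": "http-trace-method-enabled"},
    {"host": "10.0.0.5", "vuln": "php-glob-unspecified"},
    {"host": "10.0.0.9", "vuln": "icmp-timestamp-response"},
]
CURRENT = [
    {"host": "10.0.0.5", "vuln": "php-glob-unspecified"},
    {"host": "10.0.0.9", "vuln": "icmp-timestamp-response"},
    {"host": "10.0.0.9", "vuln": "apache-mod-imagemap-xss"},
]

# Constructed fix assignments: who owns a finding and by when it must be fixed.
ASSIGNMENTS = {
    ("10.0.0.5", "php-glob-unspecified"): {"owner": "webteam", "due": date(2009, 12, 1)},
    ("10.0.0.9", "icmp-timestamp-response"): {"owner": "netops", "due": date(2010, 1, 15)},
}


def key_set(findings):
    """A finding is identified by (host, vulnerability id)."""
    return {(f["host"], f["vuln"]) for f in findings}


def compare_scans(baseline, current):
    """Comparative baseline report: which findings are new since the baseline,
    which were fixed, and which are still open."""
    b, c = key_set(baseline), key_set(current)
    return {
        "new": sorted(c - b),
        "fixed": sorted(b - c),
        "persisting": sorted(b & c),
    }


def reminders(report, assignments, today):
    """Findings still open after their deadline, grouped by owner: the content
    of the reminder e-mail the tracking system would send."""
    overdue = {}
    for finding in report["persisting"]:
        assignment = assignments.get(finding)
        if assignment and today > assignment["due"]:
            overdue.setdefault(assignment["owner"], []).append(finding)
    return overdue


if __name__ == "__main__":
    report = compare_scans(BASELINE, CURRENT)
    for section in ("new", "fixed", "persisting"):
        print(section, report[section])
    print("overdue", reminders(report, ASSIGNMENTS, date(2009, 12, 10)))
```

The useful property for an auditor is that "fixed" is derived from the scans themselves rather than from a ticket being closed, so a finding that someone marked done but that the re-scan still sees stays in "persisting" and keeps generating reminders.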

Conclusions
NeXpose Community is a valuable addition to the free tools that each security professional can use in his/her work. It is very useful in terms of automated audits, and it is very interesting that it integrates with the Metasploit Framework. It still has glitches and issues on some platforms, but all tools are a work in progress, so for the time being just add it to your toolset; don't replace any tools with it.

Talkback and comments are most welcome

Related posts
Possible Emerging Player In InfoSec Market?
Nessus vs Retina - Vulnerability Scanning Tools Evaluation
Tutorial - Using Ratproxy for Web Site Vulnerability Analysis
WMI Scanning - Excellent Security Tool

Corporate Guest WLAN - The best place for Eavesdropping to Interesting Traffic

When pen-testing a corporation, always look for the Guest WLAN. If there is one and you manage to get on it, you are in luck!
Corporate Guest WLANs are a great place to get a lot of interesting and possibly confidential information without much effort. And this is simply because there are a lot of corporate laptops on the same WLAN.

Of course, you'll argue that the corporate devices have wired access to the internet, which is much more reliable and faster. But the wired infrastructure is also fully controlled by IT - with web filters, content filters etc. So on the guest WLAN you can easily find the following high-profile targets related to the corporation:

  1. corporate laptop holders - usually employees higher in the hierarchy who got bored with the restrictions of the corporate Internet filters and can easily turn on their Wi-Fi to check private e-mail or just download something.
  2. corporate guests - most visitors to corporations have WLAN-enabled devices, ranging from mobile phones/PDAs, over netbooks, to full-blown laptops.
  3. external contractors - a lot of corporations will isolate external contractors to the guest WLAN for internet access.

The following diagram is an example of hunting for interesting targets in the corporate WLAN

The diagram clearly depicts the high concentration of possible high profile targets - marked in red color.

One can always make the argument that the same attack can be made within a Mall, or even in the home networks of those interesting targets. This argument is completely true, but in a Mall your high profile targets are blended in the multitude of the students, casual freebie surfers and even the mall store clerks with their WLAN devices.

And the home environment is even more difficult, because the high-profile targets are dispersed all over the city, and you may not know where they reside. So sniffing the network of one specific high-profile target will bring a lot of costs to the attacker.

The following diagram is an example of the difficulties in sniffing for interesting targets in the home or public places WLAN



So, for my money, I'll always prefer to sniff for traffic in the corporate guest WLAN.

Talkback and comments are most welcome

Related posts
5 Rules to Home Wi-Fi Security
Example - Bypassing WiFi MAC Address Restriction
Obtaining a valid MAC address to bypass WiFi MAC Restriction
DHCP Security - The most overlooked service on the network

5 Ways to fail a Social Engineering Pen-Test

A lot of penetration testing assignments include the famed Social Engineering test. When reading about it, or watching social engineering scams on a TV series, it looks very straightforward - you come in all nice and smooth-talking and every door opens for you.

The harsh reality is that a lot of social engineering penetration tests fail, which adds up to increased costs and a failed engagement for the consultant. In the extreme situation, you may spend some hours in the offices of corporate security or even the police, until the pen-test authorizations are verified.

Here are the most common ways to fail a Social Engineering Penetration Test:

  1. Come unprepared - Just walking into a company and asking for confidential documents sounds stupid. But trying to perform a social engineering attack on your first visit is even more stupid. Until you do a proper amount of recon and research you have no idea what the company relationships are, who is in charge of what, and what exceptions or processes may be used to succeed in a social engineering attack.
  2. Just Wing It - Wake-up call: you are not Frank Abagnale from "Catch Me if You Can" and you are not Danny Blue from the TV series "Hustle". During a social engineering attack you need to think on your feet, and being creative always counts. But not preparing a background story supported by a nice set of evidence is a great way to fail a social engineering pen-test.
  3. Be outright aggressive or arrogant - Nobody likes people who are bossy and arrogant. While having an air of authority helps during a social engineering attack, you don't want to start from a position of authority with an aggressive approach. That is the best way to get people to close up in the cocoon of procedures and regulations, or they'll simply call your bluff - either way you fail. Instead, you need to be friendly, courteous and polite. Maintain your air of authority, but never overuse it.
  4. Choose the wrong person for the job - Social engineering is achieved through appealing to people's urge to help others. But certain profiles of targets tend to be more helpful to different persons. For instance, a target group of young men will be very helpful to a nice-looking woman of their approximate age or just a bit older - to maintain the advantage of implied authority through the age difference. But this same woman is considered a threat by target groups of young women, so for them you need to choose a different attacker. The same principle applies to phone-based social engineering attacks.
  5. Dress for failure - In social engineering, always remember that clothes make the man. If you perform a social engineering attack on a bank, you don't want to appear in jeans and sneakers. But if you are performing social engineering on a software development company, you may actually miss by a mile by wearing a suit and tie. Go back to point 1 about preparation :)

Have any more ways to fail, or good examples? Share in the comments!

Related posts
3 Things no book about hacking will ever tell you
5 biggest mistakes of information security
3 rules to keep attention to detail in Software Development
5 Rules to Home Wi-Fi Security

Possible Emerging Player In InfoSec Market?

After the Rapid7 acquisition of Metasploit, things are beginning to shift in the Vulnerability Scanning and Penetration Testing market. The basic trend is one of merging the small independent players into larger organizations with a product portfolio covering a wider area.

Rapid7 published the NeXpose Community edition, which pairs with Metasploit. At this moment it still has some early adoption issues - like problems with working on Windows 7, but these will be resolved.

The NeXpose Community edition may prove to be a strong competitor to Nessus in the free tools market, and by presenting the possibilities of NeXpose to a wider community it will enter the minds of more potential commercial users.

But apparently the competition is not sleeping either. For around a year there has been a joint discount offer on a set of products by Tenable Network Security, Immunity Inc and DSquare Security. This set creates a great overall product:

  1. Nessus being the vulnerability scanner
  2. Immunity CANVAS being one of the commercial leaders in penetration testing frameworks and
  3. DSquare enriching the set with additional exploit packs for CANVAS
While this joint offer is not new, with the current moves from Rapid7, it may be quite possible for the other players to join forces for a stronger approach to the market.

What do you think? Is the merger of Tenable and Immunity possible? Will it provide a better product and will the users benefit?

Related posts
Nessus vs Retina - Vulnerability Scanning Tools Evaluation
Tutorial - Using Ratproxy for Web Site Vulnerability Analysis

Tutorial - Alternate Data Streams: The Forgotten Art of Information Hiding

Alternate Data Streams are a feature of the NTFS filesystem. In essence they were created to provide compatibility with HFS, the old Macintosh Hierarchical File System. The Macintosh file system uses both data and resource forks to store a file's contents: the data fork holds the contents of the document, while the resource fork identifies the file type and other pertinent details.



How do you create an ADS? Wonderfully easy: all you need is the two files. Then send the file to be hidden into an ADS of the host file with a simple type command:

type file_to_be_hidden > host_file:name_of_file_to_be_hidden

The most frequent use of ADS for malicious purposes is to conceal the executable of a trojan/rootkit as an Alternate Data Stream (ADS) of a perfectly safe file. For instance, once an attacker penetrates a Windows system, he can easily hide the malicious payload for further access in a stream of an executable which is fairly frequently used - like Calculator.

Alternate Data Streams may also be interesting as a mechanism to hide and transport information out of an organization:
Once you include an ADS in a file, there is no visible change in the file size of the host file; only the modified date changes. This makes the hidden stream quite difficult to detect. Also, the ADS does not change the MD5 hash of the original file, which may prevent systems that monitor file modification through hashing from detecting the hidden file. Here is an example:

C:\Users\user\Desktop>md5sum test.txt
d41d8cd98f00b204e9800998ecf8427e *test.txt

C:\Users\user\Desktop>type image.jpg>test.txt:image.jpg

C:\Users\user\Desktop>md5sum test.txt
d41d8cd98f00b204e9800998ecf8427e *test.txt

One would think that this method of information hiding is great for transferring any amount of information with an inconspicuous carrier file sent over a network. But there is a catch: most data carriers will ignore the Alternate Data Stream. Here is the summary list:
  • Zip, RAR or ARJ will simply compress the host file and disregard the ADS
  • MIME and Base64 encoding (e-mail) will ignore the ADS entirely
  • FAT32 (mostly used on USB flash drives) will lose the ADS since it's not supported.
  • Steganography programs will read the bytes of the host file and stop at the EOF
  • FTP and HTTP transfer ignores ADS entirely
  • Recording the
But all is not lost. There are still ways to transfer data with ADS:
  • Transferring the host file over SMB network to an NTFS target retains the ADS hidden file
  • Copying the host file to an NTFS file system transfers the ADS hidden file
So the information theft scenario with ADS is mostly available to employees or trusted persons:
  1. The malicious user will create a legal host file and ADS a file with information to be stolen.
  2. He will convince the manager to take the legal file home to work on over the weekend.
  3. Upon the manager's request, even if USB drives are restricted, IT will copy the file over SMB and onto the employee's USB - which is sparkling clean and conveniently formatted with NTFS.
  4. All logs of the transfer will contain the transfer of the original approved file to the USB
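A quick check for the scenario above, as an added example that is not part of the original tutorial: on Windows Vista and later, `dir /R` lists alternate data streams beneath their host files, and this script triages such a listing and reports hosts that carry streams other than the ones Windows creates itself. The listing is constructed for the example, and the function names are my own.

```python
import re

# Constructed sample of "dir /R" output: test.txt is 0 bytes in the unnamed
# stream but carries a 45,312 byte image in a named stream, exactly the
# situation described above. notes.txt only has the Zone.Identifier stream
# that Windows attaches to files downloaded from the Internet.
SAMPLE_DIR_R = """\
 Volume in drive C has no label.

 Directory of C:\\Users\\user\\Desktop

11/28/2009  09:12 PM    <DIR>          .
11/28/2009  09:12 PM    <DIR>          ..
11/28/2009  09:10 PM                 0 test.txt
                                45,312 test.txt:image.jpg:$DATA
11/28/2009  09:00 PM            12,288 report.doc
11/28/2009  09:15 PM                64 notes.txt
                                    26 notes.txt:Zone.Identifier:$DATA
               3 File(s)         12,352 bytes
"""

# A normal entry: date, time, size (or <DIR>), name.
FILE_LINE = re.compile(
    r"^\d{2}/\d{2}/\d{4}\s+\d{2}:\d{2}\s+[AP]M\s+([\d,]+|<DIR>)\s+(.+?)\s*$")
# A stream entry printed beneath its host: size, then host:stream:$DATA.
STREAM_LINE = re.compile(r"^\s+([\d,]+)\s+(.+?):([^:]+):\$DATA\s*$")

# Streams Windows itself creates; anything else deserves a look.
BENIGN_STREAMS = {"Zone.Identifier"}


def _size(text):
    """dir prints sizes with thousands separators."""
    return int(text.replace(",", ""))


def parse_dir_r(listing):
    """Return (sizes, streams): the size of each file's unnamed stream, and
    {host: [(stream_name, size), ...]} for every named stream in the listing."""
    sizes, streams = {}, {}
    for line in listing.splitlines():
        m = STREAM_LINE.match(line)
        if m:
            streams.setdefault(m.group(2), []).append((m.group(3), _size(m.group(1))))
            continue
        m = FILE_LINE.match(line)
        if m and m.group(1) != "<DIR>":
            sizes[m.group(2)] = _size(m.group(1))
    return sizes, streams


def suspicious_streams(listing):
    """Hosts carrying streams that are not known-benign. 'hidden_bytes' is the
    data that a plain dir, a size check or a hash of the main stream all miss."""
    sizes, streams = parse_dir_r(listing)
    findings = []
    for host, entries in streams.items():
        hidden = [(name, size) for name, size in entries if name not in BENIGN_STREAMS]
        if hidden:
            findings.append({
                "host": host,
                "visible_bytes": sizes.get(host),
                "streams": hidden,
                "hidden_bytes": sum(size for _, size in hidden),
            })
    return findings


if __name__ == "__main__":
    for finding in suspicious_streams(SAMPLE_DIR_R):
        print("%(host)s: %(visible_bytes)s visible bytes, %(hidden_bytes)s hidden in %(streams)s" % finding)
```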

What will you do in such a scenario? Talkback is most welcome!

Related posts
Be Aware of Security Risks of USB Flash Drives
5 biggest mistakes of information security

Interview with GenApple founder

After the first article on the GenApple site - which promotes itself as the first information brokerage, Shortinfosec secured an interview with the founder of GenApple - Mr. Mark Hanson.

In summary, the service will need polishing, and GenApple will need to tweak procedures and operating rules as they go along.

There may be security and privacy concerns - we are sure that the law enforcement agencies will be very interested to peek into the information being traded, as well as who is trading it. Also, on the other side of the coin - the information brokerage may be a place where illegal information is traded, so GenApple will have to be very careful to walk the thin line between trading of illegal material and the pressure of law enforcement to know everything.

Read the full interview with Mark Hanson - GenApple's founder. For Shortinfosec, the interview was done by Bozidar Spirovski

Bozidar: Let's start with the person behind the idea - As I saw from your linkedin profile, you are just 4 years out of university. Is this your first venture?
Mark John Hanson: Yes. This is my first start-up venture. But I had the idea for this site about a year and a half ago, and have been developing it since then. We're very excited about it: The team has been working very hard and we hope to deliver a quality service that people can use, enjoy and learn.

Bozidar: Could you describe the concept a bit more, of course in layman's terms - at first glance it sounds like e-bay but for bits and bytes
Mark John Hanson: Sure: what we aspire to be is a place where people simply can buy and sell information and knowledge. At first glance, why would people pay for information or knowledge? The Internet is filled with free information, from search engines, to answer portals, to e-learning portals. However, something is missing - every person throughout their years acquires a lot of knowledge, some of it has little to no value. But every person has knowledge that they possess that another person may want---in real life to gain this knowledge there might have to be a personal relation. But with our site; we seek to create a marketplace where people for the first time can sell knowledge and information that another party may want and pay for.

Bozidar: So what you are promoting is compensation for knowledge that someone has and others require?
Mark John Hanson: exactly---right now there's lots of knowledge that is not being disclosed on the Internet because people feel it has value. For instance, there are things you are willing to blog about for free---you write about security issues. However, you're a businessman and there are many other things that you have acquired over the course of your life that you know that has real value. We seek a place where you can sell such knowledge, both privately, if you want and securely.
Yes there are many answer site, forums, etc and for many many questions, a free answer forum is good enough. However, we're not just an answer forum, we hope to be a place where a broad amount of knowledge is shared

Bozidar: You touch an excellent subject with the forums - There are commercial forums that offer some form of expert knowledge when you subscribe. These are usually quite technical and with specific target groups in mind. What is your target group?
Mark John Hanson: at the end---we hope to be the destination for any or all type of knowledge; however, starting out, we'll focus on three verticals and expand from there
  • (1) stock tips and financial knowledge, we want to have a monetary focus when we start so people who have knowledge or advice about investment strategies can share. Because of US securities regulation, we'll actively monitor these listings to make sure that inside information is not disclosed or sold
  • (2) news freelance --- because of the nature of journalism in the US there are many reporters who are currently unemployed or underemployed. What we want is for people who are journalists, citizen journalists and so on to have a place where they can sell news stories that they'll write and the news organ
  • (3) celebrity gossip and information---we wanted to have a fun and interesting vertical so people will check our site out and follow what is being disclosed on our launch.

Bozidar: The exchange of information will go through GenApple. I'll try to summarize the process as I understood it:
  1. The seller offers a commodity (information) on the exchange
  2. The seller deposits the commodity in the information vault
  3. The buyer and seller agree on a price and transfer funds
  4. The buyer pulls the commodity out of the vault
  5. The buyer receives the funds after a cool down period for disputes

Mark John Hanson: Exactly: there's obviously more detail and I'll be happy to provide you with our animation intro that explains this, users can also view our "how it works" area. You are concerned with security, and this is utterly important for a business like this. Thus our website has been developed that each information vault is protected from hackers and people with bad intent. We are certified by McAfee---we also use a SSL certificate from Verisign, so immediately when people are on our site, all transactions, from a simple search are secure.
We feel that as an "information brokerage" we should treat our customers as if they're dealing with a bank or financial institution---information and knowledge is valuable. Moreover, when people sell information, they want to keep their identity private because of the nature of transaction---to us privacy is a form of security. We want people to know that if they use this site, their identity is kept safe and will not be disclosed to anyone, period.


Bozidar: You use a very strong statement there "protected from hackers". In the world in which I live, something hasn't been hacked only because a hacker still hasn't found the vulnerability to exploit or the interest in exploiting it. So for argument's sake, let's say that a hacker manages to break in and he/she/they steal information or redirect funds. Do you accept any responsibility for the damages caused to the parties involved?
Mark John Hanson: I do have confidence in our site's security and McAfee secure---we will do our utmost to protect the information that people have disclosed from us---as to your question, our user agreement discloses precisely what responsibilities each party undertakes.
Bozidar: So on this particular site it is very wise to read the agreement, not just click the I Agree button?
Mark John Hanson: What we want is for every user to read the user agreement and privacy policy before they sign up---we have links to these agreements in the registration page. The reason for this is that the user knows what to expect from us and also what we expect from every user. This marketplace depends on GenApple to create a safe, easy, secure place to do a transaction.

Bozidar: In your first target group vertical you mention US regulation. On my attempt to register I saw that the registration address can only be a US address. Does this mean that every user of GenApple needs to be under US jurisdiction?
Mark John Hanson: For right now we're limiting it to the United States; however probably very soon we'll open it up to many different countries---this is partly based on how we pay - we have two payment methods to pay sellers (1) PayPal and (2) a bank check mailed directly to a user's home. PayPal is not available to every country and a bank check is limited to North America.

Bozidar: Not quite - google mails checks all over the planet
Mark John Hanson: Google as a business does this---I'm not aware of a payment service that they have; however we prefer to use a Bank so our users are confident that the check they receive will be cashed. In the future---we could mail checks to users around the globe---if we reach that point, we'll be happy to provide that service

Bozidar: Let's talk a bit about the actual commodity - information what type of physical information can be stored in the data vault - text files, excel spreadsheets, images, encrypted files etc..is there a limitation? and of course, to what size?
Mark John Hanson: No limitation as to the type of files---we are looking at limitation right now---we also provide a textual entry area for people to disclose their information if it's just a short sentence. So we're still trying to set a balance and when we launch, we'll note file size limitation within the information vault.

Bozidar: Well, since basically the actual information can be any type of file, you may be faced with a very unpleasant situation - the buyer agrees with the seller, transfers the funds and receives nothing useful so he disputes - or a far worse scenario: the buyer got what he requested, but he/she still wants to cheat and disputes nevertheless. How are you planning on coping with 'fraudsters' on both the selling and the buying side
Mark John Hanson: Very good point---hence our business model: as we note up front, we are an "information brokerage" --- we are dealing with the intangible unlike eBay or many site that sell tangible products---it's much harder to police fraud when dealing with the intangible. The buyer wants to know that he or she is getting what he or she is paying for and the seller want to know they're getting paid. Hence as a brokerage, we assist in every transaction, as the user agreement says, we are not a part of a transaction, but we do the following:
  • (1) in every listing, potential buyers can ask the seller questions directly before they buy
  • 2) the buyer can look at the seller's feedback rating and take that into consideration--with more positive feedback being good
  • (3) besides the summary, there is the veracity statement, which is where the seller can state how he or she came to acquire such information or knowledge
Mark John Hanson: So up front, we want to give the buyer as many opportunities as possible to make an informed purchase. However, we go to your point--what if the seller's information is bad or the buyer unfairly disputes a transaction, hence our dispute system, which is noted in our user agreement---we take a look at the positions of the buyer and seller---and we make the final decision for them. This is a high standard, which we use to discourage buyer who unfairly file disputes. We want to protect our buyer's as much as possible, and if it seems that fraud exists, then we'll issue a full refund. Each dispute is a case by case basis---but each party agrees not to appeal GenApple's final decision.

Bozidar: A bit more on the content of information - if it is encrypted, then you may be facilitating transactions involving exchange of illegal information: like access passwords, or industrial secrets, plans to make bombs.
Mark John Hanson: yes---all valid points---this goes into our privacy policy, You certainly know the concept of a safety deposit box. We treat every information vault as a safety deposit box. If we as a service look into those vaults, then sellers may feel insecure from the get go, when people deposit into a safety deposit box, they want privacy. To combat possible illegal activities our best course of action is thus to be diligent---any listing that we see that's suspicious will be deleted. We have on every listing page a report listing function, which any user can immediately file a report if such listing looks bad. If there is a dispute or an illegal transaction, as per the user agreement, we'll comply with governmental authorities

Bozidar: So I'll speak the lingering question on every body's mind on your launch: Will the law enforcement and intelligence agencies get full access to all information vaults? I know that your policy states that you'll supply law enforcement with information in case of investigation; But what about the broad view?
Mark John Hanson: What we're trying to do is strike a balance, which could change as the site matures. As per our user agreement, all vaults are secure from us and the public unless there is a dispute or request from a law enforcement agency. We will not under any circumstance turn over private information or information vaults unless forced to do so---we can only promise to take each instance as a case, and that's all I can say at this point that's not already disclosed in our user agreement, but you have a balance, sellers must be confident in a private transaction.


Bozidar: You gave a good argument that you as an information broker actually cannot know what all transactions are - thus you are not responsible for any wrongdoing of the users. But still, the similar argument applied to Napster and the Pirate Bay - and yet, they got sued for facilitating illegal exchange of information.
Mark John Hanson: Well, in our user agreement, if someone does do something illegal, they are liable for our defence costs. But you are correct, there might be people who do illegal things. We'll do our very best to create the best marketplace possible.

Bozidar: Are you actually worried that it may come to GenApple being sued for situations similar to Pirate Bay? They did claim plausible deniability but are now in prison.
Mark John Hanson: All I can say is that we drafted our user agreement with your question(s) in mind, but I cannot speculate what'll happen in the future---no one knows

Bozidar: Mark, I want to thank you for all the information we got in this interview. One last question - what does GenApple stand for?
Mark John Hanson: Yes--hehe--every Internet company needs a name that's short and memorable--the root "Apple" comes from the fruit of the tree of knowledge of good and evil. I was looking for adjectives because obviously Apple is taken. I did find the "gen" is British slang for information, hence the word genapple.


Do you like this product? What security concerns might you have on GenApple? Please add your 2 cents in the comments.

Related posts
GenApple - First Glance at the First Information Brokerage

Tutorial - Breaking Weak Encryption With Excel

A good encryption algorithm is essential to functional security. And yet there are a lot of misguided initiatives to use an 'internal', 'trusted' and 'secret' algorithm. Obscurity IS NOT security, and an algorithm that hasn't passed external scrutiny may be fundamentally flawed. If you go down that road you may even find your encryption broken by non-programmers.



Here is a tutorial on how easy it is to crack an encryption that is not properly designed.
For this tutorial, we are going to work with a really simple and weak algorithm - XECryption.

Here is a narrative summary of the algorithm:

  • The password the user chose is first used to produce a number by adding the ASCII value of every character in the password to produce one large total. This number is used as the encryption key.
  • The message is encrypted by adding the password key to the ASCII value of each letter in the message, then dividing the result by three. A random number between -10 and 10 is added to this new number. This becomes the first number in the series, and the step is repeated to produce the second number. The third number is the difference between the original ASCII value plus the password key and the first two final numbers. At the end, every letter in the encrypted message takes on the following format: ".193.144.164".
  • When decrypting, the password key is found in the same way that it's encrypted. Each triplet is added together, and then the password key is subtracted. This is the ASCII value of the letter.

So in summary, an XECryption encrypted message represents each letter in number triplets. Here is a sample XECryption encrypted message for your exercise.

Most readers have already noticed that there are a lot of flaws to the algorithm. Here are some which we will use:
  1. There are multiple decryption passwords - there are a lot of combinations of characters that will produce the same number which is used to create the encrypted message. In essence
  2. Also, the encryption number/key is contained within the message.
  3. It is extremely easy to bruteforce this algorithm.
Here is how to approach this crack, and you won't even need to program anything:
  1. First, we need to remember that each triplet total contains the encryption number, and since it needs to be subtracted from the total, the resulting number needs to be positive. So the encryption number is at most the lowest total of any triplet in the message.
  2. Once you find the lowest triplet total, you can just attempt all numbers starting from the lowest total down to zero as a possible encryption number - in essence, just bruteforce the text.
  3. If you use a program to do the bruteforcing, you need to program a logic which will be able to identify that the bruteforced result is the real solution. This is usually done by counting how many of the bruteforce calculated ASCII codes are codes for letters, numbers and punctuation marks. If the percentage is large, it is a possible solution.
  4. If you use Excel, the pattern matching will be done by your brain - a human can easily identify words and discover the solution.
  5. To utilize this approach, simply place the encrypted text into an excel sheet, and create sums of every three numbers. These numbers are the triplet totals that need to be decrypted.
  6. Place the triplet totals sequence on row 1 of a sheet, and on column 1 find the minimum total of the sequence. Starting from this minimum simply fill the rows in column 1 with every number from the minimum down to 1
  7. Then, in every cell from row 2 down in each column that has a triplet total in row 1, use the formula =CHAR(B$1-$A2) (the triplet total in row 1 of that column minus the candidate number in column A of that row), and fill it across and down.
  8. Start reading the text in the rows and find your solution. Here is an excel file example of a decryption - the word 'hello' encrypted with a password 'hi'

Once you discover your most probable solution, just use the encryption number on the start of the row and the encrypted message on this site to check.
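The algorithm and the crack from the steps above, written out as a Python script (an added example, not from the original post; all names are my own). It goes a little beyond the article: instead of only counting printable characters, the candidate keys that give all-printable text are ranked by English letter frequency, and the `seed` parameter of `xe_encrypt` exists only to make the example repeatable.

```python
import math
import random
import re
import string


def xe_key(password):
    """The key is the sum of the ASCII values of the password characters."""
    return sum(ord(c) for c in password)


def xe_encrypt(message, password, seed=None):
    """Each character becomes a triplet .a.b.c whose members add up to ord(ch) + key."""
    rng = random.Random(seed)
    key = xe_key(password)
    out = []
    for ch in message:
        total = ord(ch) + key
        a = total // 3 + rng.randint(-10, 10)
        b = total // 3 + rng.randint(-10, 10)
        c = total - a - b          # the remainder, so a + b + c == total
        out.append(".%d.%d.%d" % (a, b, c))
    return "".join(out)


def xe_triplet_sums(ciphertext):
    """Sum every triplet; each sum equals ord(plaintext char) + key."""
    nums = [int(n) for n in re.findall(r"-?\d+", ciphertext)]
    if len(nums) % 3:
        raise ValueError("ciphertext is not a sequence of triplets")
    return [sum(nums[i:i + 3]) for i in range(0, len(nums), 3)]


def xe_decrypt(ciphertext, key):
    return "".join(chr(s - key) for s in xe_triplet_sums(ciphertext))


# English letter frequencies in percent (a..z), used to rank candidate keys.
_FREQ = dict(zip(string.ascii_lowercase, [
    8.167, 1.492, 2.782, 4.253, 12.702, 2.228, 2.015, 6.094, 6.966, 0.153,
    0.772, 4.025, 2.406, 6.749, 7.507, 1.929, 0.095, 5.987, 6.327, 9.056,
    2.758, 0.978, 2.360, 0.150, 1.974, 0.074]))


def english_score(text):
    """Log-likelihood style score; None when any character is unprintable.
    Capitals are down-weighted so an all-caps shift ranks below the same
    text in lower case."""
    score = 0.0
    for ch in text:
        if ch in _FREQ:
            score += math.log(_FREQ[ch])
        elif ch.lower() in _FREQ:
            score += math.log(_FREQ[ch.lower()] * 0.3)
        elif ch == " ":
            score += math.log(13.0)
        elif ch in string.digits or ch in string.punctuation or ch == "\n":
            score += math.log(0.5)
        else:
            return None
    return score


def xe_crack(ciphertext, top=5):
    """Try every key from the lowest triplet total down to 0 (step 2 above),
    keep the keys that yield only printable text, and return the best
    (key, plaintext) pairs, most likely first."""
    sums = xe_triplet_sums(ciphertext)
    candidates = []
    for key in range(min(sums), -1, -1):
        text = "".join(chr(s - key) for s in sums)
        score = english_score(text)
        if score is not None:
            candidates.append((score, key, text))
    candidates.sort(reverse=True)
    return [(key, text) for _, key, text in candidates[:top]]


if __name__ == "__main__":
    ct = xe_encrypt("hello", "hi", seed=1)   # the post's own example: 'hello' with password 'hi'
    print(ct)
    for key, text in xe_crack(ct):
        print(key, repr(text))
```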

So, go ahead and try the described methodology - and post the identified source (author and book) of the encrypted text.
Every successful identification gets an honorable mention and a link in the followup article!


Talkback and comments are most welcome

Related posts
TrueCrypt Full Disk Encryption Review
5 rules to Protecting Information on your Laptop
Windows 7 Full Disk Encryption with Truecrypt
Tutorial - Hidden Operating System with Truecrypt
Tutorial - A Poor Man's Secure USB
Hardware Security Module for Dummies

GenApple - First Glance at the First Information Brokerage

The Internet has become a transfer medium for a lot of new business models, some of which have failed and others which are thriving. In this environment, there is a new service called GenApple, which boasts to be the 'first information brokerage in the world'.


With a business model similar to eBay, GenApple facilitates the selling and buying of information. A seller of information offers some information either at a fixed price or via an auction. The difference from eBay is that GenApple will act as an escrow - a third, impartial party trusted by both seller and buyer:

  1. GenApple will hold the offered information in a special 'vault' until the trade is concluded, and then let the buyer obtain it from the 'vault'.
  2. Similarly, GenApple will hold the payment money for the seller until the dispute period has passed, in order to facilitate refund in case of a dispute.
This new service opens a whole set of questions and possible security issues, since it deals with a commodity with different characteristics than physical objects:
  1. Information can be abstracted from physical location
  2. Information can be ideally copied many times without any loss and without any evidence that it has been copied
  3. Information can be sniffed during transfer
  4. Information can be accessed/destroyed/corrupted by a malicious attacker
  5. Information can be instrumental to performing illegal activities while never physically being part of the illegal activity
  6. The quality of information can be disputed or misunderstood
GenApple is still in beta, and is currently available for registration only for US based users - an interesting choice which may or may not have to do with US law enforcement agencies being fully capable of prosecuting users in case of trading of confidential information.

Still, the Pandora's box of trading in information is open, and the security community needs to follow the development of this and other similar services with great attention.

GenApple has scheduled its launch for Monday, 30th of November 2009. Just before the scheduled launch - on Sunday - I'll be talking to Mark Hanson, the founder and CEO of GenApple.

So while GenApple launches, tune in to Shortinfosec for the full transcript of the interview which will be focusing on fraud, encryption and external security!

Talkback and comments are most welcome

Related posts
Interview with GenApple founder
Whisperbot - No thanks, I'll use e-mail
No Privacy - Saw You Cheating on Image Search

How To - Malicious Web Site Analysis Environment

There are numerous sites and server-side scripts which perform malicious attacks on their visitors or simply cause them unpleasant problems.

The latest one to gain prominence, although it does not really cause much harm, is "Want 2 C Something Hot?". It is an elegant CSRF (Cross-site request forgery) which just shares itself on the Facebook profile of the visitor.


The careful visitor will simply steer away from such links. The careful but curious visitor would want to see what such code does, but in a safe environment. So, here is a sample environment for a safe preliminary analysis of a malicious web site:

  1. The analysis computer - a cleanly installed VMware Windows XP SP3 guest OS. The guest OS should be configured with bridged networking. Configure your host OS firewall to block all communication from the guest OS IP address to the host OS IP address.
  2. The protective shielding - The guest OS should have the latest updated antivirus software. We recommend AVIRA, with active heuristic scanning. Also, include an anti-malware software, like Spybot - Search and Destroy.
  3. The analysis tools - Now is the time to fire up your arsenal:
    • Wireshark/Ethereal - all traffic should be captured with a network sniffer, so if the application level tools miss something, you can always revert to the packet capture. Set the sniffer to automatic saving of packet capture to disk, and start the sniffer before you start surfing!
    • Latest Firefox with Firebug Add-In - all request/reply communication will be tracked through the Firebug. This is the application tool that will help you start dissecting the communication to and from the browser, and what is actually received.
The results of the "Want 2 C something hot?" page as seen through Firebug are shown in the next image. From there you can start dissecting each request and reply to fully understand the sequence of events.



Please note that the results are not magical, and that by only using this toolset you won't become an instant security analyst or a hacker. This is just a safe environment for analysis of web sites.


Talkback and comments are most welcome

Related posts
Google's Ratproxy Web Security Tool for Windows
Tutorial - Using Ratproxy for Web Site Vulnerability Analysis
Web Site that is not that easy to hack - Part 1 HOWTO - the bare necessities
Checking web site security - the quick approach

Database Admin Hacking his Ex Firm - Is It All His Fault?

Data Breaches has just published the story "Former GEXA employee pleads guilty to computer intrusion".

According to the article, here is what happened

Kim remotely accessed the GEXA Energy computer network and the GEXA Energy Management System (GEMS) database. While connected to the GEXA Energy computer network, Kim recklessly caused damage by, among other things, issuing various Oracle database commands which created a new data table in the GEMS production database which, when copied to the GEMS staging database, caused the automated script to fail thus impairing the availability of data.

As a result of Kim's intrusion into their protected computer system, GEXA Energy incurred a loss of at least $100,000, the costs associated with troubleshooting, securing and repairing the GEXA Energy computer network and the GEMS database. Kim was indicted in June 2009.

We quite agree that the access of the former employee is illegal, and he did probably cause a lot of sleepless nights for the admins, security officers and a lot of stress for the GEXA management.

But GEXA blames the ex-DBA for some wrong reasons. Let us break down the stated loss amount of $100,000:

  • Troubleshooting the issue - the problems were actually caused once the production system was copied into staging, so it is quite probable that production was not impaired - at least not in any significant way. So troubleshooting was a couple of man-days, and by any salary standards could not cost more than $4,000
  • Securing the GEXA systems and network - the incident was caused by inadequate levels of security measures on the procedural, network and database levels. So any costs incurred by GEXA to beef up and revise security would have to be spent regardless of the incident. In my opinion, these costs should be incurred by the GEXA Information Security Officer, the Head of Internal Audit, the HR Officer and the last external auditor of the computer systems.
  • Repairing the GEXA GEMS database and computer network - this part was mostly a witch hunt for rootkits, trojans and breach of integrity - one that has to be performed after any breach. This part is really the only segment that the Ex-DBA should be accountable for.
In conclusion, GEXA did suffer a lot of grief from this incident, and we commend them on the success in identifying the attacker.

But in reality, the incident was caused by a HUGE lack of security procedures and controls, items for which people at GEXA are accountable. So a deep look inward is also in order.

Talkback and comments are most welcome

Related posts
San Francisco WAN Lockout - Pointing Fingers at Everyone Responsible
Control Delegated Responsibility

HTTPS Data Exposure - GET vs POST

Here is a quick chart showing the data exposure when considering GET vs POST and also HTTP vs HTTPS.


  • URL arguments refer to arguments in the URL for GET or POST (e.g. foo.com?arg1=something).
  • Body arguments refer to data communicated via POST parameters in the HTTP request body.
NOTE: This chart does not address client side caching of temporary files. Caching is a separate issue from the protocol selection and should be addressed with appropriate cache-control headers.

A quick conclusion: The secure choice for transmission of any sensitive data is to use POST requests over SSL/TLS. Any other option will expose data at some point in the communication.


This is a guest post by Michael Coates, a senior application security consultant with extensive experience in application security, security code review and penetration assessments. He has conducted numerous security assessments for financial, enterprise and cellular customers world-wide.

The original text is published on ...Application Security...



Talkback and comments are most welcome

Related posts
OWASP Publishes Top 10 Web App Security Risks for 2010
Creating Your Own Web Server
Web Site that is not Easy to hack - Part 2 HOWTO
Web Site that is not that easy to hack - Part 1 HOWTO
Tutorial - Secure Web Based Job Application
