Protecting Yourself From Firesheep with Strict Transport Security

Strict Transport Security is a great way of protecting yourself against Firesheep-style session hijacking

Ultimately the vulnerable website is supposed to fix this issue on its side, by sending the Strict-Transport-Security header itself. But let's not wait around for them. Let's fix it on our side and protect our traffic now.

Step 1: Grab a browser that supports Strict Transport Security (Firefox 4 & Google Chrome both support STS)
Step 2: Install an addon that lets you add specific STS settings - STS-UI
Step 3: Configure STS-UI for the sites you're concerned about
Step 4: Be happy that your data is more secure. Securely transmitting data is only one piece of the security pie, but at least you're covered in that department.

Configuring STS-UI
Go to Tools->Manage Strict Transport Security

Enter the domain name of each site you wish to protect (i.e. force Strict Transport Security upon the site). For example, enter "facebook.com" and select "Force subdomains too", so that www.facebook.com and the rest of the site's hosts are covered as well.


After adding facebook.com and twitter.com it should look like this

Done. Now your browser will always use HTTPS for data exchanged with Twitter or Facebook: any http:// request to those hosts is rewritten to https:// before it leaves the browser, so the session cookie is never sent in the clear.

Remember, this only protects you on sites that already use STS or that you have manually added. It also only works where the site actually serves all of its pages over HTTPS; force STS on a site that does not, and the site simply breaks. This really isn't a scalable approach, since xyz.com could be vulnerable and you wouldn't know unless you inspected the traffic going back and forth.
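To make concrete what STS-UI is doing by hand, here is an added example (not part of the original post, and not the STS-UI add-on's code) in Python: a small Strict Transport Security store with the same two kinds of entry, hosts added manually with or without subdomains, and hosts learned from a site's own Strict-Transport-Security header, plus the rewrite decision the browser makes for each URL. The host names in the checks are the ones from the post; max-age expiry is tracked only as "forget on max-age=0" to keep the example short.

```python
"""Added example: the rewrite decision an STS store makes, the job STS-UI does by hand."""
from urllib.parse import urlsplit, urlunsplit


def parse_sts_header(value):
    """Parse a Strict-Transport-Security header value into (max_age, include_subdomains).
    Returns None for a malformed header (missing or non-numeric max-age)."""
    max_age, include_sub = None, False
    for directive in value.split(";"):
        name, _, arg = directive.strip().partition("=")
        name = name.strip().lower()
        if name == "max-age":
            try:
                max_age = int(arg.strip().strip('"'))
            except ValueError:
                return None
        elif name == "includesubdomains":
            include_sub = True
    if max_age is None or max_age < 0:
        return None
    return max_age, include_sub


class StsStore:
    """Known-HTTPS hosts, each with a flag saying whether subdomains are covered too."""

    def __init__(self):
        self.entries = {}  # host -> include_subdomains

    def add(self, host, include_subdomains=False):
        """Manual entry: what typing 'facebook.com' + 'Force subdomains too' into STS-UI does."""
        self.entries[host.lower().rstrip(".")] = include_subdomains

    def learn(self, host, header_value):
        """Entry learned from the site's own header. Only call this for a response that
        arrived over HTTPS; a header seen on plain HTTP could have been injected."""
        parsed = parse_sts_header(header_value)
        if parsed is None:
            return False
        max_age, include_sub = parsed
        host = host.lower().rstrip(".")
        if max_age == 0:
            self.entries.pop(host, None)  # max-age=0 tells the browser to forget the host
        else:
            self.entries[host] = include_sub
        return True

    def is_known(self, host):
        """Exact match, or a parent domain whose entry covers subdomains."""
        host = host.lower().rstrip(".")
        if host in self.entries:
            return True
        labels = host.split(".")
        return any(self.entries.get(".".join(labels[i:])) for i in range(1, len(labels)))

    def upgrade(self, url):
        """Rewrite http:// to https:// for known hosts; anything else passes through."""
        parts = urlsplit(url)
        if parts.scheme != "http" or not self.is_known(parts.hostname or ""):
            return url
        netloc = parts.netloc[:-3] if parts.netloc.endswith(":80") else parts.netloc
        return urlunsplit(("https", netloc, parts.path, parts.query, parts.fragment))


if __name__ == "__main__":
    store = StsStore()
    store.add("facebook.com", include_subdomains=True)
    store.add("twitter.com")
    for u in ("http://www.facebook.com/home.php", "http://api.twitter.com/", "http://xyz.com/"):
        print(u, "->", store.upgrade(u))
```

Note that an entry for twitter.com without "Force subdomains too" does not cover api.twitter.com, and xyz.com is left on plain HTTP: exactly the scalability problem described above.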

For those that have access to company VPNs or SSH tunnels for their traffic, I'd recommend you also use those when accessing the network from a wireless hotspot. A VPN doesn't solve the problem, but it does remove access from the likely attackers (e.g. other random users of the wireless hotspot).

This is a guest post by Michael Coates, a senior application security consultant with extensive experience in application security, security code review and penetration assessments. He has conducted numerous security assessments for financial, enterprise and cellular customers world-wide.
The original text is published on ...Application Security...


Talkback and comments are most welcome

Related posts
Stealing Twitter and Facebook Account - a Video Example
Corporate Guest WLAN - The best place for Eavesdropping to Interesting Traffic
5 Rules to Home Wi-Fi Security
Example - Bypassing WiFi MAC Address Restriction
Obtaining a valid MAC address to bypass WiFi MAC Restriction

Stealing Twitter and Facebook Account - a Video Example

WiFi security is looking grimmer than ever :)
Shortinfosec has discussed that guest or free WiFi is wide open for collecting interesting information. But until recently you still needed to capture raw IP traffic and sift through it in order to get at anything useful.

A couple of months ago, things became even easier. Eric Butler created the Firesheep extension for Firefox. The extension was created as a demonstration of the security risk to users of web sites that encrypt only the login and then send the session cookie created during that login over plain HTTP.

Firesheep filters the captured traffic and collects the unencrypted session cookies that 'fly' over the network. With Firesheep, the potential attacker does not need to sift through anything: identities simply appear in the Firesheep sidebar.

Shortinfosec has performed a test capture on a free WiFi network - in a mall. Capturing useful information takes a long time - we managed to capture 1 Facebook and 1 Twitter account in more than 4 hours. But a dedicated attacker can wait much longer than that.

Here is a brief video of the captured identities being opened in the same browser.






Related posts

Corporate Guest WLAN - The best place for Eavesdropping to Interesting Traffic
5 Rules to Home Wi-Fi Security
Example - Bypassing WiFi MAC Address Restriction
Obtaining a valid MAC address to bypass WiFi MAC Restriction

Steganography - Passing through the defenses

Steganography is still considered to be a part of the obscure tools of secret agents and corporate spies.

However, steganography tools are widely available, and anyone can use them. Most of these tools

But the science of counter-steganography is also advancing. Recently we came across a great article on defeating steganography in 24-bit images, and it is quite probable that such analysis will find its way into filter systems, like mail and web filters.

This prompted us to analyze how survivable steganography really is.

This also gave us a great reason to publish another set of pictures (albeit cropped) of Lena Söderberg ;) Here is our original image


Proposed Counter-Steganography System
The filter system will need to be cost-effective, minimally intrusive and not prone to error. Since there may be many different steganography algorithms, the filter system should not try to detect or read such messages; doing so would require an entire farm of filter servers. Instead, the system resorts to a much simpler mechanism:

  1. Modify all passing images so that the original hidden data is compromised.
  2. Use only minute changes to images, so that the original user expecting to see an image cannot discern any loss of quality in the image
The Test
In our test, we will be using the Lena Söderberg test image and we will perform tests using 3 common image enhancement filters. We will hide and open the message using the online tool at Mozaiq.Org

Our operating assumption is that a higher redundancy of the message has a higher chance of survival through a filter. Thus, our test message is the following:
Lorem ipsum dolor sit amet, consectetur adipiscing elit. Phasellus in risus erat
Lorem ipsum dolor sit amet, consectetur adipiscing elit. Phasellus in risus erat
Lorem ipsum dolor sit amet, consectetur adipiscing elit. Phasellus in risus erat
Lorem ipsum dolor sit amet, consectetur adipiscing elit. Phasellus in risus erat
Lorem ipsum dolor sit amet, consectetur adipiscing elit. Phasellus in risus erat

Here is the image of Lena Söderberg with the message included within it


After hiding the message inside the image, we'll pass the image through different enhancement filters and then try to extract the message from the filtered image.

1. Sharpen Filter - The first filter to be tested is the Sharpen Filter. The filter is applied with Sharpness=2. After the application of the filter here is the image and the following message is extracted:


LoremJ� @�: ���Ѽsit�km t� consecf�t* ad piscin� u| tJ|�h s l����G�l�l� �h�z~� 5r�f�v��f�� ��j\)��5KT1��ķQo�s~cΓy?�� ɉ�C�$�� O�4E!L�r_x�߆��Ƥ �� b;��� \G;*W�.=� �1 楄 �M) Z*>֟ " °�N�(��%�J]u� �dRp�s���Χ �
G�?� e-e� E�͹g�� s�s�e�a�D�moF�O[t�h �ˀ2��i� _? � Լ�);c�s� &hD��DF �ͬ�8Q��1T� Cr!�us� �F�j�l߫��M-�_�Y��i�$�DIHQ�u�g����?0Xt�1c�� �ecTS� id_p�̦iG����Q�.�agaa��d��\�� ri u��

2. NF Filter - The second filter to be tested is the NF Filter. The filter is applied with default Alpha=0.30, and Radius=0.35. After the application of the filter here is the image and the following message is extracted:


Lo�eB�ٷs��7,� o_� � � ]t,(;��Rec�(ξrg d�p_sc nw g)�t� �kK�?1� o�nJ�8 �0;֦a �4�Cr� <��` RorLP �W�jd Fol�4ix " v����oo��� �� �i@^���r� l� ����=� l>SsC�nP �ą�v�)��EyC G�� p `8�2��Ʃ&��t��\�Yr�� Is�&t�tD>�%.�pͮǿ ��T �Z� Mha�e&l�s ƾ��`s���Mc

3. Unsharp Mask - The third filter to be tested is the Unsharp Mask. The filter is applied with Radius=1, Threshold=1 and Amount=0.1. After the application of the filter here is the image and the following message is extracted:

Error: The image that you tried to decrypt does not appear to have a message in it. It is possible that you entered the incorrect password. Please try again.
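To show why a barely visible filter does this much damage, here is an added example (not from the original post, and not the Mozaiq tool's code) in pure Python with no image library: a least-significant-bit embedder on a constructed 32x32 grayscale gradient, and a standard 3x3 sharpen convolution standing in for the enhancement filters tested above. The carrier, the message and the kernel are all constructed for the example; the embedding method is the classic LSB scheme, which is assumed here to be representative of the tool used in the test.

```python
"""Added example: LSB steganography against a mild sharpen filter (pure Python, no PIL)."""

WIDTH, HEIGHT = 32, 32


def make_carrier():
    """Constructed 8-bit grayscale carrier: a smooth diagonal gradient 4*(x+y).
    Every pixel is a multiple of 4, so all LSBs start at 0 and nothing clamps."""
    return [[4 * (x + y) for x in range(WIDTH)] for y in range(HEIGHT)]


def embed_lsb(img, payload):
    """Write the payload bits (MSB first) into the least significant bit of
    consecutive pixels, row-major from the top-left corner."""
    bits = [(byte >> (7 - i)) & 1 for byte in payload for i in range(8)]
    if len(bits) > WIDTH * HEIGHT:
        raise ValueError("payload does not fit in the carrier")
    out = [row[:] for row in img]
    for n, bit in enumerate(bits):
        y, x = divmod(n, WIDTH)
        out[y][x] = (out[y][x] & ~1) | bit
    return out


def extract_lsb(img, nbytes):
    """Read nbytes back out of the pixel LSBs, the inverse of embed_lsb."""
    flat = [px & 1 for row in img for px in row]
    return bytes(int("".join(map(str, flat[i:i + 8])), 2)
                 for i in range(0, nbytes * 8, 8))


SHARPEN = ((0, -1, 0), (-1, 5, -1), (0, -1, 0))


def sharpen(img):
    """3x3 sharpen convolution, clamped to 0..255. Border pixels are copied
    unchanged, which is one reason a real filter should also perturb the edges."""
    out = [row[:] for row in img]
    for y in range(1, HEIGHT - 1):
        for x in range(1, WIDTH - 1):
            acc = sum(SHARPEN[ky][kx] * img[y + ky - 1][x + kx - 1]
                      for ky in range(3) for kx in range(3))
            out[y][x] = max(0, min(255, acc))
    return out


def bit_errors(a, b):
    """Hamming distance between two equal-length byte strings."""
    return sum(bin(x ^ y).count("1") for x, y in zip(a, b))


def run_demo(message=b"Lorem ipsum dolor sit amet, consectetur adipiscing elit. " * 2):
    """Embed, filter, extract again; report what the filter did to the message."""
    stego = embed_lsb(make_carrier(), message)
    filtered = sharpen(stego)
    recovered = extract_lsb(filtered, len(message))
    return {
        "intact_before_filter": extract_lsb(stego, len(message)) == message,
        "survives_filter": recovered == message,
        "bit_errors": bit_errors(message, recovered),
        # largest change the filter made to any pixel value: invisible to a viewer
        "max_pixel_delta": max(abs(a - b) for ra, rb in zip(stego, filtered)
                               for a, b in zip(ra, rb)),
    }


if __name__ == "__main__":
    print(run_demo())
```

On the smooth gradient the sharpen kernel leaves every unmodified pixel exactly where it was and moves each message-carrying pixel by at most four gray levels, yet the new LSB of each pixel becomes the XOR of its own bit with its four neighbours' bits, so the extracted text is garbage in the same way as the Sharpen output shown above.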

Conclusion
Once an image passes through a filter, any message hidden in its pixel values (which appears to be how the tool used here embeds it) will be corrupted. Redundancy in the hidden message helps, but only against some types of image manipulation and only at very low filter strengths.
So, any digital picture retouch filter will damage the hidden message in a steganography image of this kind. One caveat: robust watermarking schemes, which embed the payload in the frequency domain rather than in individual pixel values, are designed to survive exactly this kind of mild filtering, so a filter is a cheap defense, not a complete one.
Naturally, this conclusion is nothing new - but through this test we can conclude that a small and visually non-disruptive filter can cause a lot of damage to a steganography image. It will probably take a serious information theft incident through steganography before vendors start implementing steganography filters in their content filtering and gateway solutions.



Related posts
Hiding Information in Plain Sight - Steganography

Hacking Virtual Machines Part 4 - Knowing That the Target is a Virtual Machine

Virtualization is considered to be the new renaissance in computing. Suddenly, all those oversized servers are put to good use by running multiple guest OSs on them. But running IT services in a virtualized environment brings a whole host of new opportunities for hackers.

In this article, we'll review the ways an attacker will know that the target is a Virtual Machine

When attacking a virtual machine it is very useful to know that your target is a virtual machine. This is important for the following reasons:

  • Isolation - once you gain access to a virtual machine, there are a number of isolation vulnerabilities that can be attempted
  • Sphere of trust - all virtual machines on the same Host are part of the same sphere of trust
  • Impersonation - in most implementations, virtual machines on the same host communicate with the rest of the network via the same physical NIC. Therefore it is extremely simple to modify the MAC address of the compromised host and attempt to impersonate another host on the network. The network defenses will have a difficult time locating who is the impersonator, since there are multiple virtual machines on the same host
  • Nobody looks at the screen of a VM - a virtual machine has no physical monitor, only a console in the management tool, and nobody sits in front of it. So tools that throw feedback onto the console (a VNC session, for instance) go unnoticed.

Identifying that you are attacking a virtual machine can happen in two phases:
  1. Before you penetrate the target - identification of a VM can happen if the attacker is on the same LAN, and can therefore investigate the characteristics of the target. You can easily locate a virtual machine through the MAC address: the first three octets (the OUI) identify the NIC vendor, and you can check a MAC address for its vendor name in an OUI lookup. Here is the list of OUIs assigned to Microsoft and VMware virtual NICs
    • 00-15-5D-xx-xx-xx Microsoft Corporation (Hyper-V)
    • 00-0C-29-xx-xx-xx VMware, Inc.
    • 00-50-56-xx-xx-xx VMware, Inc.
    • This approach can fail if the VM engine has a method of changing its MAC address to 'seem' like a real host. Most often Realtek MAC addresses are used for this change, so a non-VM OUI is an inconclusive result, not proof of physical hardware.
  2. After you penetrate the target - This is a bit like a 'Catch 22': Once you penetrate the target, you have a lot more options, but all these require that you penetrate the target :). And these are your options:
    • MAC Address - just as in the previous approach, you can look at the MAC address. And of course you can hit the same obstacle: a virtual NIC driver supplied by the VM engine that presents a non-VM OUI, which is inconclusive.
    • Attack toolkit checkup - Metasploit, Core Impact and most other serious attack toolkits have a module that checks whether the compromised target is a VM. But these can fail miserably, as is presented on the screenshots below. This is why you need a second opinion.
    • Internal windows tools - there are a whole host of tools that windows brings with itself that can be used to make sure whether you are on a virtual machine. Here are two
    • driverquery - a simple command-line tool that queries all loaded drivers. If a VM Engine driver set is installed, you'll find a lot of reported information as on the screenshot below
    • wmic - WMI command-line tool that can be used to query every possible aspect of a machine. The simplest query is wmic baseboard list which returns excellent information. In a Microsoft Virtualization, you'll see the following string: "Microsoft Corporation Base Board TRUE Virtual Machine" . In a VMware virtualization you'll see the following string: "Intel Corporation Base Board TRUE 440BX Desktop Reference Platform".
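Here is an added example (not from the original post) in Python that applies the two checks above to constructed input: the OUI lookup for the prefixes listed in the post, run over a made-up ARP listing as a same-LAN attacker would see it, and a classifier for the wmic baseboard strings quoted above. The ARP table, the IP addresses and the baseboard text are all constructed; the one Realtek-looking address in the listing (00-E0-4C) is included to show the inconclusive case the post warns about.

```python
"""Added example: the MAC (OUI) and baseboard checks from the post, on constructed input."""
import re

# OUI prefixes listed in the post: first three octets of the MAC address.
VM_OUIS = {
    "00:15:5D": "Microsoft Corporation",
    "00:0C:29": "VMware, Inc.",
    "00:50:56": "VMware, Inc.",
}

# Substrings of the `wmic baseboard list` output quoted in the post.
BASEBOARD_SIGNATURES = (
    ("Virtual Machine", "Microsoft virtualization"),
    ("440BX Desktop Reference Platform", "VMware virtualization"),
)


def normalize_mac(mac):
    """Accept 00-0c-29-ab-cd-ef, 00:0C:29:AB:CD:EF or 000c.29ab.cdef; return AA:BB:CC:DD:EE:FF."""
    digits = re.sub(r"[^0-9A-Fa-f]", "", mac)
    if len(digits) != 12:
        raise ValueError("not a 48-bit MAC address: %r" % mac)
    return ":".join(digits[i:i + 2] for i in range(0, 12, 2)).upper()


def vendor_from_mac(mac):
    """VM vendor for a known OUI, or None. None is inconclusive, not 'physical':
    a VM can be configured with any OUI, and the post notes Realtek ones are common."""
    return VM_OUIS.get(normalize_mac(mac)[:8])


def vm_from_baseboard(wmic_output):
    """Classify the text of `wmic baseboard list` by the strings the post quotes."""
    lowered = wmic_output.lower()
    for needle, verdict in BASEBOARD_SIGNATURES:
        if needle.lower() in lowered:
            return verdict
    return None


# Constructed sample in the shape of a Windows `arp -a` listing (addresses made up).
SAMPLE_ARP = """\
Interface: 192.168.1.5 --- 0xb
  Internet Address      Physical Address      Type
  192.168.1.10          00-0c-29-3a-1b-7c     dynamic
  192.168.1.11          00-15-5d-01-02-03     dynamic
  192.168.1.20          00-e0-4c-68-12-34     dynamic
"""

MAC_RE = re.compile(r"(\d{1,3}(?:\.\d{1,3}){3})\s+([0-9A-Fa-f]{2}(?:[-:][0-9A-Fa-f]{2}){5})")


def scan_arp_table(text):
    """Return [(ip, vendor_or_None)] for every IP/MAC pair in an ARP listing."""
    return [(ip, vendor_from_mac(mac)) for ip, mac in MAC_RE.findall(text)]


if __name__ == "__main__":
    for ip, vendor in scan_arp_table(SAMPLE_ARP):
        print(ip, vendor or "inconclusive")
```

The third host comes back as inconclusive rather than "physical", which is the point of the post's warning: the OUI check only ever confirms a VM, it never rules one out, so follow it up with the in-guest checks (driverquery, wmic) once you have access.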


Related posts
Hacking Virtual Machines Part 1 - Sniffing
Hacking Virtual Machines Part 2 - Environments Where Virtualization Lives
Hacking Virtual Machines Part 3 - Crashing unpatched Hyper-V hosts

Hacking Virtual Machines Part 3 - Crashing unpatched Hyper-V hosts

Virtualization is considered to be the new renaissance in computing. Suddenly, all those oversized servers are put to good use by running multiple guest OSs on them. But running IT services in a virtualized environment brings a whole host of new opportunities for hackers.

In this article, we'll review the issue of Denial of Service against a virtualization environment:

One of the most important elements of a virtualization environment is isolation. The host OS and the guest OS machines run on the same hardware, and none of them should be able to access the others' resources - memory, CPU time, video memory and so on.


A lot of virtualization implementations fail at proper isolation, and that can allow an attacker to mount different types of successful attacks.

The simplest one is a Denial of Service attack: a compromised guest issues memory accesses that the hypervisor mishandles, breaching the isolation wall and corrupting another guest OS or the host OS. It is common for early versions of a virtualization platform to have vulnerabilities in the isolation mechanisms.

The following is an example of a breach of the isolation wall on an unpatched Windows 2008 Hyper-V.

Please note that this attack only works on a default installation of Windows 2008 with no patches applied.
So all your virtualization platforms should be fully patched.







Related posts
Hacking Virtual Machines Part 1 - Sniffing
Hacking Virtual Machines Part 2 - Environments Where Virtualization Lives

Brief reminder - The value of a stolen corporate laptop

Laptops have become a commodity. Buying a corporate laptop costs nearly the same as buying a desktop PC.
And corporations love laptops for one simple reason: laptops are mobile. When you issue a laptop to an employee, you encourage him/her to take work home. Productivity increases, at no extra cost.

But there is a flip side: this same mobility also puts the laptop at risk of theft. Although the mantra of protecting your laptop is long-standing, there are a lot of companies who do not take this issue seriously. Managers still need to see the issue presented in their own terms.
Because managers speak the language of money, let's make a simple calculation that shows how much the loss of your laptop is worth:

Total Impact Value = Cv*[(Pl^2/Lv)/ProtL^2]

  • Cv = Company value - Place the value of a company (usually declared in annual reports)
  • Lv = Laptop purchase value (with costs of protection - licenses, encryption, GPS)
  • Pl = Position level of laptop user:
    • 10 - CEO/CFO/CSO
    • 7 - Division Manager
    • 5 - Department Head
    • 2 - Senior Employee
    • 1 - Junior Employee
  • ProtL = Protection Level of Laptop
    • 10 - hardware supported full HDD encryption, biometric, GPS location
    • 7 - hardware supported full HDD encryption, biometrics
    • 5 - Full HDD encryption
    • 1 - password protected Account
This simple calculator can present the financial impact of an unprotected laptop. For example, in a company worth 10,000,000 USD, if the CEO's laptop (Pl = 10) with no encryption (ProtL = 1) is lost, and the laptop cost under 2,000 USD, it can cost the company more than 500,000 USD: 10,000,000 * (10^2 / 2,000) / 1^2 = 500,000.

Securing a laptop is a very well known issue. So when you buy new laptops you may want to invest in higher-specified models, in order to provide better protection.

Interesting PC laptops for companies are devices with security features like
  • Full HDD encryption
  • a fingerprint reader, or even a retina scanner,
  • a Trusted Platform Module (TPM) chip (hardware supported encryption).
  • Even GPS tracking can be added to the protection, but this is only for the most serious systems


Related posts

TrueCrypt Full Disk Encryption Review
5 rules to Protecting Information on your Laptop
Windows 7 Full Disk Encryption with Truecrypt

Internal penetration testing – Why your business needs it

Internal penetration testing is a comprehensive security test of all systems related directly and indirectly to your business. This is a particularly thorough form of testing, and often goes outside the ambit of what might usually be expected in web application security testing.


Internal penetration testing, explained


This type of testing effectively imitates the methods used by hackers when attempting to penetrate your security system. There are multiple levels of penetration testing, and security consultants need to adapt the tests to match on-site technology.

Internal penetration testing relates to security vulnerabilities within a system. As distinct from external penetration testing, which probes vulnerabilities in relation to accessibility of sensitive systems from the outside, internal penetration testing deals with vulnerabilities between internal systems.



This is no academic process. A weak point in the system can be used to access multiple parts of that system. Full system security is supposed to have internal, as well as external security safeguards. A person accessing your system through an employee interface or similar routine method may be able to access areas which should be off-limits. Because most systems are typically accessed by a large range of people, it is important to ensure that internal security is watertight.

It is absolutely necessary that your internal security is as good as you can make it, because this is a critical security level with direct access to sensitive information.


Internal penetration testing methods

Security testing includes a range of possible forms of internal access to information. It may for example be possible to access information directly from the business database including personal information, account numbers etc. , or indirectly using a "backdoor" approach through another system or application.

One of the primary problems with internal security is that most companies use off-the-shelf systems and software, many of which have known vulnerabilities. These systems are quite easy for hackers to subvert, particularly if the software hasn't been upgraded or its security updates applied. Many software upgrades are also required patches which may or may not have been installed, and the unpatched software can be a significant security vulnerability in itself.

Security consultants must test each aspect of internal security, and do it very thoroughly. Security checks may include such basics as firewalls, passwords and other seemingly simple issues but you should know that vulnerabilities in these areas can be fatal and seriously compromise system security all by themselves.


Ongoing penetration testing issues

While internal penetration testing and other forms of penetration testing do provide comprehensive checks, technology changes rapidly, and so do methods of breaking into systems. Best practice is to conduct penetration testing at least once every six months, which ensures that security consultants can apply current methodologies to their testing.

Perhaps most importantly, engaging a security consultant for penetration testing is also very useful in getting immediate support and advice when you need it. Even the best IT people only have a limited amount of knowledge in this area, and it's always advisable to get expert assistance in these fields.

This is a guest post by Erik Weisz. Erik is an Australian freelance writer and journalist. He writes extensively in Australia , Canada, Europe, and the US. He’s published more than 500 articles about various topics, including Web Application Security and Penetration Testing



Related posts
Understanding Penetration Testing Methodology
Minimize Impact of Online Intelligence Searches
Digging for information with Open Source Intelligence
5 Ways to fail a Social Engineering Pen-Test
5 biggest mistakes of information security

Microsoft Patch Disclosure - November 2010

Microsoft has released 3 patches which repair a total of 11 vulnerabilities.

  • 2 patches address Remote Code Execution vulnerabilities
  • 1 patch addresses Elevation of Privilege vulnerabilities.

Critical
MS10-087 - Vulnerabilities in Microsoft Office Could Allow Remote Code Execution (2423930)
MS10-088 - Vulnerabilities in Microsoft PowerPoint Could Allow Remote Code Execution (2293386)

Important

MS10-089 - Vulnerabilities in Forefront Unified Access Gateway (UAG) Could Allow Elevation of Privilege (2316074)

Preventing XSS with Content Security Policy

An individual XSS can be easily remediated with contextual output encoding per the OWASP XSS Prevention Cheat Sheet. Although an individual XSS can easily be addressed, the overall cat and mouse game of effectively ridding an application of XSS can be very difficult. To combat this problem a new security feature, Content Security Policy, has been introduced into the Mozilla Firefox browser.

Content Security Policy (CSP) is an opt-in white list approach for defining which external sources are allowed to supply JavaScript or other content-loading code (e.g. iframes) to the page. By eliminating inline scripts and defining a white list of allowed external script sources it is possible to strictly control what JavaScript is executed within the page. In the event that an attacker injects script into the page via an improperly encoded piece of user controlled data, Content Security Policy identifies that the JavaScript is not part of the white list and the browser disregards the unauthorized script.

Here's a basic overview of the CSP process:

  1. Externalize all JavaScript within the pages (e.g. no inline script tags, no inline JavaScript in onclick or other event handler attributes)
  2. Define the policy for your site and whitelist the allowed domains where the externalized JavaScript is located.
  3. Add the X-Content-Security-Policy response header to instruct the browser that CSP is in use. (This X- prefixed header name belongs to the Mozilla prototype discussed here; the later W3C standard renamed it Content-Security-Policy.)

Violation Reporting
The violation reporting component is another huge benefit of using CSP that can be enabled by providing a value for the report-uri directive within the site's Content Security Policy. In the event content (JavaScript, an injected iframe, etc.) is not allowed to load due to CSP, the user's browser posts a violation report back to the URL specified by the site's CSP. This means that a website owner can receive real time notifications of CSP violations that could be potential XSS attacks. The reports are generated by clients, so treat them as untrusted input when parsing and storing them.
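The three steps and the reporting endpoint, as an added example (not from the original post, and not Mozilla's or the author's code) in Python: a minimal WSGI application that serves a page whose script is fully externalized, sends the X-Content-Security-Policy header in the original Mozilla syntax (allow as the default, script-src as the script whitelist, report-uri for reports), and accepts the browser's violation reports. The CDN host name is an assumption, and so is the exact JSON shape of the report ({"csp-report": {...}} with request, blocked-uri and violated-directive fields), which is why the parser reads it defensively and rejects anything else.

```python
"""Added example: serve a CSP header and receive violation reports (WSGI, stdlib only)."""
import json
from io import BytesIO

REPORT_URI = "/csp-report"
# Mozilla's original X-Content-Security-Policy syntax: 'allow' is the default for every
# content type, script-src whitelists script hosts, report-uri receives violation reports.
# The CDN host name is an assumption made for the example.
POLICY = "allow 'self'; script-src 'self' https://static.example.com; report-uri " + REPORT_URI

# The page itself: all script is externalized, nothing inline (CSP step 1).
PAGE = (b'<html><head><script src="https://static.example.com/app.js"></script></head>'
        b'<body><button id="go">go</button></body></html>')

VIOLATIONS = []  # in-memory sink; a real site would log these or raise an alert


def parse_report(body):
    """Pull the interesting fields out of a JSON violation report.
    The envelope and field names are assumed; anything that does not fit is rejected."""
    try:
        report = json.loads(body.decode("utf-8")).get("csp-report", {})
    except (ValueError, AttributeError):
        return None
    if not isinstance(report, dict):
        return None
    return {
        "document": report.get("request", report.get("document-uri")),
        "blocked": report.get("blocked-uri"),
        "directive": report.get("violated-directive"),
    }


def app(environ, start_response):
    """Serve the page with the policy header; accept POSTed reports on REPORT_URI."""
    if environ.get("REQUEST_METHOD") == "POST" and environ.get("PATH_INFO") == REPORT_URI:
        length = int(environ.get("CONTENT_LENGTH") or 0)
        parsed = parse_report(environ["wsgi.input"].read(length))
        if parsed is None:
            start_response("400 Bad Request", [("Content-Type", "text/plain")])
            return [b"malformed report"]
        VIOLATIONS.append(parsed)
        start_response("204 No Content", [])
        return [b""]
    start_response("200 OK", [("Content-Type", "text/html; charset=utf-8"),
                              ("X-Content-Security-Policy", POLICY)])
    return [PAGE]


def call(method, path, body=b""):
    """Drive the app without a server, for offline testing; returns (status, headers, body)."""
    environ = {"REQUEST_METHOD": method, "PATH_INFO": path,
               "CONTENT_LENGTH": str(len(body)), "wsgi.input": BytesIO(body)}
    captured = {}

    def start_response(status, headers):
        captured["status"], captured["headers"] = status, dict(headers)

    out = b"".join(app(environ, start_response))
    return captured["status"], captured["headers"], out


if __name__ == "__main__":
    from wsgiref.simple_server import make_server
    make_server("127.0.0.1", 8000, app).serve_forever()
```

With this policy in place, a script injected through an unencoded parameter is either inline (never allowed) or loaded from a host outside the whitelist; a CSP-enabled browser refuses it and posts a report to /csp-report, which is where the real-time notification comes from.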

CSP Enabled Browsers
Content Security Policy is currently supported in Firefox 4. Although CSP is currently supported in only one browser, there are still many reasons to provide CSP support within a website. CSP will provide an added layer of protection to all web site users with a CSP enabled browser. In addition, CSP enabled browsers will also provide violation reporting feedback back to the web site owners in the event an XSS attack is somehow injected into the page. Finally, if CSP is well received then the intent is to formalize this into a standard and push for adoption within other browsers.


More Information


This is a guest post by Michael Coates, a senior application security consultant with extensive experience in application security, security code review and penetration assessments. He has conducted numerous security assessments for financial, enterprise and cellular customers world-wide.
The original text is published on ...Application Security...



Critical Zero Day Exploit in Adobe Acrobat and Flash

Adobe has released a Critical Advisory on Flash Player and Adobe Acrobat. Here is an extract from the Adobe Advisory:

A critical vulnerability exists in Adobe Flash Player 10.1.85.3 and earlier versions for Windows, Macintosh, Linux and Solaris operating systems; Adobe Flash Player 10.1.95.2 and earlier versions for Android; and the authplay.dll component that ships with Adobe Reader 9.4 and earlier 9.x versions for Windows, Macintosh and UNIX operating systems, and Adobe Acrobat 9.4 and earlier 9.x versions for Windows and Macintosh operating systems.

This vulnerability (CVE-2010-3654) could cause a crash and potentially allow an attacker to take control of the affected system. There are reports that this vulnerability is being actively exploited in the wild against Adobe Reader and Acrobat 9.x. Adobe is not currently aware of attacks targeting Adobe Flash Player.
The really scary thing is that this vulnerability is already exploited in the wild. Adobe plans to release updates for the affected systems in the next week

There is a workaround that can be used in the meantime, but it requires a lot of footwork in a large organization.

Adobe Reader and Acrobat 9.x - Windows
Deleting, renaming, or removing access to the authplay.dll file that ships with Adobe Reader and Acrobat 9.x mitigates the threat for those products, but users will experience a non-exploitable crash or error message when opening a PDF file that contains Flash (SWF) content.

The authplay.dll that ships with Adobe Reader and Acrobat 9.x for Windows is typically located at C:\Program Files\Adobe\Reader 9.0\Reader\authplay.dll for Adobe Reader or C:\Program Files\Adobe\Acrobat 9.0\Acrobat\authplay.dll for Acrobat.

Adobe Reader 9.x - Macintosh
1) Go to the Applications->Adobe Reader 9 folder.
2) Right Click on Adobe Reader.
3) Select Show Package Contents.
4) Go to the Contents->Frameworks folder.
5) Delete or move the AuthPlayLib.bundle file.

Acrobat Pro 9.x - Macintosh
1) Go to the Applications->Adobe Acrobat 9 Pro folder.
2) Right Click on Adobe Acrobat Pro.
3) Select Show Package Contents.
4) Go to the Contents->Frameworks folder.
5) Delete or move the AuthPlayLib.bundle file.

Adobe Reader 9.x - UNIX
1) Go to installation location of Reader (typically a folder named Adobe).
2) Within it browse to Reader9/Reader/intellinux/lib/ (for Linux) or Reader9/Reader/intelsolaris/lib/ (for Solaris).
3) Remove the library named "libauthplay.so.0.0.0".



Top 5 Ridiculous Hacking Scenes in Movies

Like any technology-fed phenomenon with increasing public exposure, hacking is often ill-conceived and exaggerated in movie scenes.

The following are five of the most implausible and amusing scenes that have resulted from this approach to hacker depiction in movies.


Mission: Impossible

Ving Rhames plays expert computer hacker Luther Stickell in the Mission: Impossible movies. One of the most ridiculous scenes in this series comes in the first film, where Ethan Hunt (Tom Cruise) hangs upside down from the ceiling and hacks into the CIA’s system by executing Luther’s directions (given to him via earpiece).
It’s also just a little too simple when Luther hacks into the CIA Headquarters’ computer-controlled electrical system to trigger the fire alarm on a specific floor. As it turns out, all you have to do is type “ACTIVATE ALARM” and you can manipulate the CIA’s emergency alert system according to your every whim. Oh, and you can do all of this while sitting in a fire truck outside the building.


WarGames


What we can learn from this movie is that all backdoor passwords can be easily guessed if there’s an immediate family member who’s tragically died. Stephen Falken, an artificial intelligence researcher, has created a backdoor with password “Joshua” (the name of Falken’s dead son), which is hacked by a high school student and used to infiltrate the system of War Operation Plan Response (WOPR). And the rest is history - you never know whether you’re playing a game or destroying a country.


Jurassic Park


Lex is just proof that any middle school girl should know Unix. And that it’s not operated by command line, but by graphics. Sure. We can make these well-informed assumptions by watching the Jurassic Park scene in which a velociraptor tries to get into the building and eat everyone, but Lex decides that she can “hack” the security system and lock the doors. This is irrelevant, since velociraptors can break glass, but let’s just go with it.
Lex takes one look at a graphical interface and announces, “Hey, it’s a Unix system! I know this!” She runs a program called “3D File System Navigator” and saves the day, at least for the next few seconds.


Independence Day

Obviously, there’s more dubious material in this movie than the hacking scene. But it’s still pretty laughable. Even if you accept the premise that aliens have power source technology that’s been impossible for humans to replicate, the hacker is way beyond executing a plausible command.
David Levinson (Jeff Goldblum) uses his trusty Mac to write a virus that infects and destroys the entire alien defense system. Unless the aliens used Unix, the remotest possibility that a human-written virus could affect their superior system is completely without substance. It appears that we’ve seriously underestimated the power of an Apple a day.


Swordfish

The hacker in this movie is played by Hugh Jackman and is an insult to any self-respecting programmer who doesn’t wear a dirty T-shirt every day. Both hacking scenes make the process seem far too easy and throw around terms like “worms” and “hydras” in ways that are essentially nonsensical.
Successful hacks are done by “visualizing code” and continuing to type despite warnings of “Access Denied.” The hacker does his thing while drinking wine, dancing obnoxiously in his chair, and having a gun pressed against his head. It doesn’t get much more ridiculous than that.


This is a guest post by Alexis Bonari. She is a freelance writer and blog junkie. She is a passionate blogger on the topic of education and free college scholarships. In her spare time, she enjoys square-foot gardening, swimming, and avoiding her laptop.



Related posts
3 Things no book about hacking will ever tell you

Hacking Virtual Machines Part 2 - Environments Where Virtualization Lives

Virtualization is considered to be the new renaissance in computing. Suddenly, all those oversized servers are put to good use by running multiple guest OSs on them. But running IT services in a virtualized environment brings a whole host of new opportunities for hackers.

In this article, we'll review the environment in which Virtualization lives, and which targets will yield most benefits for an attacker:

The environment

  1. Virtualization for production use is not a home tool - Virtualization is usually used by organizations of 500 employees or more. Smaller organizations also use it to create multiple environments on single hardware platforms. But smaller organizations are prone to make the classic mistake of mixing development and production platforms on same hardware.
  2. Virtualization platforms can be under the scrutiny of several security sensors - Corporations, as the common users of virtualization, also use a whole bunch of security devices. It is very common that an attack on virtual servers will be detected, or at least logged, by Intrusion Detection Systems, pattern matching logic on firewalls and log analysis systems.
  3. It is rarely possible to initially plan for an attack on virtualization - In the information gathering and reconnaissance phase it is quite difficult to detect that some systems are virtualization platforms or virtual machines. You can confirm that there is virtualization only after you penetrate the perimeter and are able to scan for MAC addresses or specific signatures on the virtual hosts.

Targets of choice

The best virtualization attack targets, in order of preference, are:
  1. Training platforms - These platforms are created by the 'Let's see if I can do this' philosophy. They are notoriously unpatched, since nobody bothers to patch them - they are expendable. These platforms have a tendency to urgently become production platforms in times of need - resources are needed and these are available. But then, they remain unpatched for quite some time.
  2. Test and development platforms - These platforms have a much better security posture than training platforms. But still, they usually lag behind production on patch levels. Also, test and development platforms are very good targets because they are full of production-grade or near-production-grade data.
  3. Mixed test and production platforms - Both production and test versions of applications with lower processing requirements can be placed on the same VM Host. But unless they are isolated on different VLANs or on separate physical network adapters, the test platform can be exploited and used to attack the production platform.
  4. Proof of concept platforms - These platforms are usually outward facing platforms, like web servers that contain demo code or proof of concept code used for customer evaluations or marketing purposes. These platforms are usually compromised by a flaw in the web applications, and in a well maintained environment should be in an untrusted DMZ.

Attack guidelines

With this description of the environment, an attacker can prepare for an attack on virtualization:
  1. Virtual machines are targets of opportunity - Virtual machines are not advertised. They can be detected only after the initial penetration. In such a case, the attack should be re-planned to possibly compromise the virtualization platforms.
  2. Virtual machines will hold a lot of valuable data - In a corporate environment, any host may be a source of a wealth of information. Once inside, a good attacker will seize the opportunity to attack a virtual machine.
  3. Do not make too much noise - assume that sensors are all over the place and that someone is reading through the logs. This rule also applies to attacking physical machines.
  4. Choose test/training platforms - these are usually on LAN segments with far fewer sensors.

Conclusion

This environment description should be a guideline for security personnel to properly secure their virtualization environment:

  • Patch everything - this is a well known rule, but one that is still often forgotten. When patching, include test and experimental platforms.
  • Do not expose test applications executing on a Virtual Machine to the open Internet - Simply, never risk the possibility of someone exploiting a web app vulnerability to gain access to your virtualization infrastructure. If you must expose such a test platform to the open Internet, treat the entire VM Host and all guests as hostiles/honeypots and isolate the rest of the network from them.
  • Do not mix production and test on the same VM Host unless you have isolated them at every level - especially the network level.
  • Isolate the VM test environments in network isolation layers - Even if someone gains access to the network, he/she should have a very difficult time exploiting a VM host, simply by not being able to reach it. Test environments should be self-sufficient - all test servers, test clients and supporting systems should be in the isolated block. Minimal services should be exposed to the rest of the organization, so that remote scanning shows nothing to the attacker.


Hacking Virtual Machines Part 1 - Sniffing

Virtualization is considered to be the new renaissance in computing. Suddenly, all those oversized servers are put to great use by putting multiple Guest OS's on them. But running IT services in a virtualized environment brings a whole host of new opportunities for hackers.

We will discuss the opportunities in this series of articles, under the uncreative title "Hacking Virtual Machines".

Sniffing attack
By definition, a virtualization host will have several Guest OS systems running. Possibly, these systems will have different purposes, and different levels of patching and functional configuration. The Guest OS systems should be perfectly isolated from each other and should not access the same resource at the same time.

But most virtualization implementations break this rule at the network level. It is quite common that all Guest OS systems access the LAN via one network adapter. And not many implementations of virtual servers have configured virtual VLANs.


All this means that if one virtual machine starts a sniffer - putting the adapter in a promiscuous mode - it is quite possible to sniff traffic from the other virtual machines, and collect all sorts of interesting information.

The sniffing attack is a second phase attack, after the first virtual machine has been compromised.

The following video shows how an actual compromised VMware Guest is used for sniffing the LAN and capturing the data of a second VMware Guest on the same Host.

The sniffing target is a web server running the Hacmebank web application. The sniffing easily captures the authentication process, as well as money transfer transactions.
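As an added example (not from the original posts), a small Python check a defender can run on a Linux guest or host: it parses `ip -o link show` output, flags adapters that are in promiscuous mode (what a sniffer on a compromised guest does, as described above), and notes whether the MAC belongs to a VMware OUI (the "MAC address signature" that Part 2 mentions). The sample output and MAC addresses are constructed; the VMware and QEMU OUI prefixes are the publicly registered ones.

```python
import re
import subprocess

# Constructed sample in the format of `ip -o link show` on a Linux guest
# (not captured from the post's VMware lab). eth0 has been put into
# promiscuous mode, which is what a sniffer on a compromised guest does.
SAMPLE_IP_LINK = r"""1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN mode DEFAULT group default qlen 1000\    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
2: eth0: <BROADCAST,MULTICAST,PROMISC,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UP mode DEFAULT group default qlen 1000\    link/ether 00:0c:29:3a:7b:1c brd ff:ff:ff:ff:ff:ff
3: eth1: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UP mode DEFAULT group default qlen 1000\    link/ether 52:54:00:12:34:56 brd ff:ff:ff:ff:ff:ff
"""

# Publicly registered OUI prefixes used by VMware virtual adapters. An adapter
# with one of these is almost certainly a VMware guest. (52:54:00 in the sample
# is the QEMU/KVM prefix, included to show a non-VMware guest.)
VMWARE_OUIS = {"00:05:69", "00:0c:29", "00:1c:14", "00:50:56"}

# One interface per line: "<idx>: <name>: <FLAG,FLAG,...> ... link/<type> <mac> ..."
LINK_RE = re.compile(
    r"^\d+:\s+(?P<name>[^:@\s]+)[^<]*<(?P<flags>[^>]*)>.*?link/\S+\s+"
    r"(?P<mac>(?:[0-9a-fA-F]{2}:){5}[0-9a-fA-F]{2})",
    re.MULTILINE,
)


def parse_links(text: str) -> list:
    """Return one dict per interface: name, set of flags, lower-cased MAC."""
    return [
        {"name": m["name"], "flags": set(m["flags"].split(",")), "mac": m["mac"].lower()}
        for m in LINK_RE.finditer(text)
    ]


def promiscuous_interfaces(text: str) -> list:
    """Names of adapters whose PROMISC flag is set (a running sniffer, or a misconfiguration)."""
    return [link["name"] for link in parse_links(text) if "PROMISC" in link["flags"]]


def vmware_interfaces(text: str) -> list:
    """Names of adapters whose OUI identifies them as VMware virtual NICs."""
    return [link["name"] for link in parse_links(text) if link["mac"][:8] in VMWARE_OUIS]


def assess(text: str) -> list:
    """Combine both checks into findings a monitoring job could alert on."""
    findings = []
    for link in parse_links(text):
        if link["name"] == "lo":
            continue
        kind = "VMware guest" if link["mac"][:8] in VMWARE_OUIS else "non-VMware"
        if "PROMISC" in link["flags"]:
            findings.append(f"{link['name']}: PROMISC set ({kind} adapter) - possible sniffer")
    return findings


def live_assess() -> list:
    """Run the real command on a Linux host; not exercised by the sample above."""
    out = subprocess.run(["ip", "-o", "link", "show"], capture_output=True, text=True, check=True).stdout
    return assess(out)


if __name__ == "__main__":
    for finding in assess(SAMPLE_IP_LINK):
        print(finding)
```

A compromised guest can hide the flag from its own tools, so the authoritative control is on the hypervisor side: keep the vSwitch security policy for promiscuous mode at Reject and alert on any change to it.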




Contingency Planning Conference 2010

For anyone near New York City, you can check out the Planning & Management Conference (CPM 2010 East) on November 3-4.

According to the promoters, it is a 4-track advanced-level program taught by expert faculty in small, classroom settings. Plus, you can earn up to 35 Continuing Education Activity Points (CEAPs) just for attending.

You can register for the conference rate with a $100 discount off the full conference rate. Visit http://bit.ly/CPM2010MIS and register with the promotion code NX1C79.

Shortinfosec is distributing this information without any commercial interest. Sadly, we won't be able to visit. But anyone who visits is welcome to publish a guest post on Shortinfosec about the conference.

Hacking, Security, and Privacy Concerns on Facebook

It’s not hacking if users’ privacy settings are searchable, right? It depends on who you ask. Current Facebook privacy settings come with a recommendation that urges users to leave their pages searchable to everyone.

The logic behind this is as follows: “If you’re visible to fewer people, it may prevent you from connecting with your real world friends.”
But staying searchable has led to the harvesting and publication of information that includes names and profile URLs for over 100 million Facebook users.

Skull Security and Information Distribution

Ron Bowes of Skull Security did some simple reconnaissance on Facebook for some hard data to use in his research on how people choose passwords. Ron is working to figure out how many usernames are based on people’s given names (jsmith is a popular choice). By proving that usernames and passwords can be easily extracted from basic information, Ron hopes to teach people how to make their accounts more secure.

In the Facebook incident, he collected only names (which could be actual names or usernames) and URLs of all searchable profiles (about 1/5 of Facebook users), then posted the information as a 3GB file that could be downloaded by anyone with Internet access.

Facebook spokesman Andrew Noyes has said that this information could be collected from any phone book, but the URLs collected couldn’t be extracted from the White Pages. Finding these URLs could be a frustrating trial-and-error process based only on names from a phone book, but thanks to Ron, they’re now accessible to anyone who’d like a neatly packaged list of searchable Facebook users.


The Problem with Being Searchable

Contrary to Facebook’s recommendations, users might consider changing their privacy settings to “unsearchable.” Here’s the minimum amount of information that can be gathered from a profile: name, profile picture, gender, and networks.

Facebook reserves the right to keep this information visible on every account, and accessibility can only be limited through the “searchable/unsearchable” setting. So with a URL provided by Skull Security, anyone can now view this information unless these accounts’ users make them unsearchable.

The problem with this is that advertisers are extremely interested in what seems like basic information because they can make surprising inferences based on the simplest data.
The best-case scenario, then, is more targeted advertising. The degree of potential damage depends on searchable accounts’ other privacy settings.

For example, if you can be searched and you’ve made your list of friends accessible to anyone, your friends’ information is now accessible even if they’ve made their accounts unsearchable.


Deciding on Your Privacy Settings

If you’re on Facebook, go to “Account” and “Privacy Settings” to edit your preferences. If you click on “View settings” under “Basic Directory Information,” you can preview your profile to see how it looks to someone who isn’t on your friends list. You might be surprised at the amount of information that’s accessible.

Change your “Basic Directory Information” to control how searchable you are, who can send you friend requests and messages, and who can see your friend list, education, work, current city, hometown, interests, and other pages (choices are Everyone, Friends and Networks, Friends of Friends, or Friends Only).

Under “Sharing on Facebook,” you can customize the rest of your settings, which are organized under the topics “Things I share,” “Things others share,” and “Contact information.”

Even if you’re not concerned about your own information, it’s courteous to protect friends and family by selecting “Friends Only” for accessibility to your friends list, family, relationships, and everything under “Things others share.” At the very least, accept Facebook’s loose minimum recommendation for privacy settings. You can select “Recommended” under “Sharing on Facebook” to do this.


This is a guest post by Alexis Bonari. She is a freelance writer and blog junkie. She is a passionate blogger on the topic of education and free college scholarships. In her spare time, she enjoys square-foot gardening, swimming, and avoiding her laptop.


Attacking an unpatched Windows 2008 Server

Microsoft cannot stress enough the importance of keeping your systems patched. And yet, server systems tend to drift from best practice, for several reasons:

  • The patch may break the application that the server is running
  • The patch will require a reboot, which may cause unwanted downtime
  • It's simply a hassle
But unpatched systems are a great target for an attacker. Even if the attacker doesn't gain permanent access to the network, he/she can cause a nasty Denial of Service (DoS) on an unpatched server.
Here is the attack scenario:
We will use a Windows 2008 target for this demonstration. Win2008 is a good example because even though it was released in 2008, and we now have the R2 version, a lot of companies are just starting to implement it.

The attack is based on two well known vulnerabilities in the Win2008 SRV2.SYS driver. In Metasploit, these exploits are known as:

  • ms_09_050_smb2_negotiate_pidhigh
  • ms_09_050_smb2_session_logoff
Both are Denial of Service type of attacks, so we'll use them without a payload.

To use these exploits, just fire up the msfconsole and type

msf > use auxiliary/dos/windows/smb/ms_09_050_smb2_negotiate_pidhigh
msf auxiliary(ms_09_050_smb2_negotiate_pidhigh) > set rhost (Target IP address)
msf auxiliary(ms_09_050_smb2_negotiate_pidhigh) > exploit


You can do the same with the second exploit.

Here is the end result from a Metasploit command line point of view.


And here is the end result from a Windows 2008 Console point of view.


Conclusion
Although this is just a demo type of exploit, it provides an excellent example of what happens to an unpatched server. Imagine that this was the web server running your Web Site. Now go and patch your systems :)


Microsoft Patch Disclosure - October 2010

October 2010 brings a HUGE update set. Microsoft released 16 patches which repair a total of 51 vulnerabilities:

  • 10 patches address Remote Code Execution vulnerabilities,
  • 3 patches address Elevation of Privilege vulnerabilities
  • 1 patch addresses an Information Disclosure vulnerability
  • 1 patch addresses a Denial of Service condition
  • 1 patch addresses an information tampering scenario

Critical
MS10-071 - Cumulative Security Update for Internet Explorer (2360131)
MS10-075 - Vulnerability in Media Player Network Sharing Service Could Allow Remote Code Execution (2281679)
MS10-076 - Vulnerability in the Embedded OpenType Font Engine Could Allow Remote Code Execution (982132)
MS10-077 - Vulnerability in .NET Framework Could Allow Remote Code Execution (2160841)

Important

MS10-072 - Vulnerabilities in SafeHTML Could Allow Information Disclosure (2412048)
MS10-073 - Vulnerabilities in Windows Kernel-Mode Drivers Could Allow Elevation of Privilege (981957)
MS10-078 - Vulnerabilities in the OpenType Font (OTF) Format Driver Could Allow Elevation of Privilege (2279986)
MS10-079 - Vulnerabilities in Microsoft Word Could Allow Remote Code Execution (2293194)
MS10-080 - Vulnerabilities in Microsoft Excel Could Allow Remote Code Execution (2293211)
MS10-081 - Vulnerability in Windows Common Control Library Could Allow Remote Code Execution (2296011)
MS10-082 - Vulnerability in Windows Media Player Could Allow Remote Code Execution (2378111)
MS10-083 - Vulnerability in COM Validation in Windows Shell and WordPad Could Allow Remote Code Execution (2405882)
MS10-084 - Vulnerability in Windows Local Procedure Call Could Cause Elevation of Privilege (2360937)
MS10-085 - Vulnerability in SChannel Could Allow Denial of Service (2207566)

Moderate

MS10-074 - Vulnerability in Microsoft Foundation Classes Could Allow Remote Code Execution (2387149)
MS10-086 - Vulnerability in Windows Shared Cluster Disks Could Allow Tampering (2294255)

Keeping unneeded sensitive data off your computer

During everyday work our computers collect all kinds of information: e-mail is received, browser history is recorded, files are created. In all this exchange, a significant amount of sensitive data can be collected, even without intervention of the user (e.g. being in CC on e-mails).

Most of this data is not of much daily use to a user, and is in fact a liability. It is a very good practice to check what information the computer has gathered over the course of the daily work, and clean out the unnecessary sensitive data.


The definition

First, let's define sensitive data. University of California defines sensitive data as

Information for which access or disclosure may be assigned some degree of sensitivity, and therefore, for which some degree of protection or access restriction may be warranted. Unauthorized access to or disclosure of information in this category could result in a serious adverse effect, cause financial loss, cause damage to the reputation, constitute an unwarranted invasion of privacy


The test

Everyone's first reaction is: 'This can't happen to me!'. It is well known that a lot of computers get sold with huge amounts of sensitive data still on them. So we performed a simple test: we ran the tools on the laptop of a university assistant professor. These are the results:

  • 3 of his credit card numbers were saved in the browser history
  • 7 e-mails containing lists of students' Social Security numbers were discovered in e-mails from Student Services where the user was placed in CC and had only briefly read them.
  • 4 files with home addresses of project team members and partners were discovered, from a project that ended 2 years ago.

Anyone making the check will be very unpleasantly surprised at the amount of sensitive data on their computer.

The tools

This definition makes a great point: if you don't work with it, remove it! To ensure that your computer is free of sensitive data you can use several tools to locate possible sensitive data. Bear in mind that no tool can determine conclusively what is or is not sensitive data, but automated tools are great at sifting through gigabytes of information to locate patterns that resemble sensitive data.

We have compiled a list of 3 tools that can help you in discovering potential sensitive data on your computer. The tools are listed in alphabetical order and each is presented with its own pros and cons.

Identity Finder
  • Commercial application that can be used to find sensitive data, as well as providing other functions such as protection of identified files.
  • Pro: Apart from standard credit card numbers or SSNs, it also searches for the string password: and thus can find a lot of cleartext stored passwords. It is quite efficient in its search and offers quick solutions, like destruction of identified files with sensitive data, or protecting data. It is also capable of searching Outlook PST files. The enterprise version apparently works with web sites, but Shortinfosec was not able to test this functionality.
  • Con: It is a commercial application, so you need to pay for it :)

senf
  • A simple search tool from the University of Texas designed to look for Social Security Numbers and Credit Card Numbers.
  • Pro: Nearly no configuration effort, just start it and send it searching.
  • Con: Not useful for anything except SSN and Credit Card Numbers.


Spider
  • A very good open source tool for finding sensitive data.

  • Pro: Allows great flexibility of searches and is quite near the range of a commercial application. Although not as easy to use as a commercial counterpart, since it supports searching for regular expressions you can search for nearly anything. It is capable of searching Outlook PST files. Also, it is capable of searching web sites, which works quite well.
  • Con: you need to know regular expressions to make the most of it, and the presentation of results is not very clear, especially in Outlook PST files.

Conclusion
The sensitive data scanners are a very useful set of tools. Although they are all plagued with huge numbers of false positives, they also find the really nasty forgotten sets of data which everyone will be better off without.
So, a periodic scan for left over sensitive data is a very good practice to maintain security of your computer. This is even more true for enterprises, where this check-up should become part of the regular security awareness program and security check of corporate computers. A home user can achieve excellent results with open source tools, but for enterprises which require centralized management and reporting, a commercial solution may be an option.
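As an added example (not one of the tools reviewed above, and not the post's own code), here is the core of what such a scanner does: regular expressions for card numbers, SSNs and the `password:` string that Identity Finder looks for, with a Luhn checksum and the SSA issuance rules applied to cut down the false positives the post mentions. The sample text is constructed; the card number is the classic 4111... test value and the SSNs are widely published sample numbers.

```python
import re

# Constructed sample of the kind of text these scanners sift through. The card
# number is the well-known 4111... test value and the SSNs are published sample
# numbers; nothing here belongs to a real person.
SAMPLE_TEXT = """\
Order confirmation: card 4111 1111 1111 1111 charged, thank you.
Invoice ref 4111-1111-1111-1112 (mistyped number, should fail the Luhn check)
Student roster CC'd from Student Services: 219-09-9999, 123-45-6789
Rejected by the SSA rules: 000-12-3456, 666-00-1234, 987-65-4320
vpn login -> password: Winter2010!
Phone 555-0100 and order number 2010-1234-5678 must not match.
"""

# 13 to 19 digits, optionally separated by single spaces or hyphens.
CARD_RE = re.compile(r"\b(?:\d[ -]?){12,18}\d\b")
# SSA issuance rules: area not 000/666/9xx, group not 00, serial not 0000.
SSN_RE = re.compile(r"\b(?!000|666|9\d\d)\d{3}-(?!00)\d{2}-(?!0000)\d{4}\b")
# The "password:" string the post mentions, together with the value after it.
PASSWORD_RE = re.compile(r"password\s*[:=]\s*(\S+)", re.IGNORECASE)


def luhn_valid(digits: str) -> bool:
    """Luhn checksum; weeds out most random digit runs that happen to match CARD_RE."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:              # double every second digit from the right
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


def find_card_numbers(text: str) -> list:
    """Normalized card numbers that pass Luhn; raw regex hits alone are false-positive heavy."""
    found = []
    for m in CARD_RE.finditer(text):
        digits = re.sub(r"[ -]", "", m.group(0))
        if 13 <= len(digits) <= 19 and luhn_valid(digits):
            found.append(digits)
    return found


def find_ssns(text: str) -> list:
    return SSN_RE.findall(text)


def find_passwords(text: str) -> list:
    return PASSWORD_RE.findall(text)


def mask(value: str) -> str:
    """Never copy full secrets into a report; keep only the last four characters."""
    return "*" * (len(value) - 4) + value[-4:]


def scan(text: str) -> dict:
    return {
        "cards": find_card_numbers(text),
        "ssns": find_ssns(text),
        "passwords": find_passwords(text),
    }


def report(text: str) -> list:
    """Masked one-line findings, the way a scanner should present results to a user."""
    return [f"{kind}: {mask(v)}" for kind, values in scan(text).items() for v in values]


if __name__ == "__main__":
    for line in report(SAMPLE_TEXT):
        print(line)
```

Even with these checks a scanner only finds patterns; a person still has to decide what is really sensitive, which is why the post rates every tool as producing false positives.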


5 Famous Hacker Profiles: White and Black Hats

Hackers, like the cowboy heroes in classic Westerns, come with either a white or a black hat. Some wear both, but most can be distinctly classified according to the way they use their abilities: for good or for evil. Black hats tend to wreak hacker havoc for personal gain or just to have fun with the general population by testing their skills and exploiting computer systems.

White hats, on the other hand, use their abilities to help create hacker-proof systems or occasionally bend laws to create innovative and exciting technology.
The following list of famous hackers includes both white and black hats, since the bad guys should never get all the attention.


Stephen Wozniak
“Woz” is a white hat who is well-known for being the cofounder of Apple. His first hacking endeavor was to make free long-distance calls by creating “blue boxes” to bypass phone-switching mechanisms, and some of his college friends claimed that he had called the Pope, pretending to be Henry Kissinger.
Even during his college career, Woz worked with Steve Jobs (Apple’s CEO) to market his blue boxes to classmates. The hacker then dropped out and began working on a mainframe computer, which Jobs helped bring to the public. After a long and successful career, Woz has left Apple and now focuses on philanthropy, providing new technology and computer equipment to the Los Gatos School District in CA.


Kevin Mitnick

You’ll probably recognize this name as a definitive black hat hacker, but he later donned the white hat as a security consultant. Mitnick started his hacking career by manipulating the LA bus punch card system to get free rides, then (like Woz) became interested in blue boxes, finding a way around long-distance phone call payments.
His hacking behaviors escalated and he was eventually convicted for hacking into multiple systems of the Digital Equipment Corporation (DEC) to view Virtual Memory System (VMS) code, costing DEC an alleged $160,000. Mitnick also admitted to stealing software from Motorola, Novell, Fujitsu, Sun Microsystems, and other companies in addition to altering the computer systems of the University of Southern California.
After serving his sentence of five years, this hacker started Mitnick Security Consulting, LLC and is now turning a profit as a white hat.


Jonathan James

This black hat became famous for being the first juvenile hacker to be sentenced to prison, caught at age 15 and prosecuted at 16.
James hacked the Defense Threat Reduction Agency (DTRA) of the Department of Defense, NASA, BellSouth, and the Miami-Dade school system, stealing confidential information and software valued at nearly two million dollars.
The young hacker insisted that the NASA code he stole was intended to supplement his studies of C programming, but that it was “crappy” and not worth the $1.7 million price tag claimed by NASA. His actions cost the space program $41,000 in damages to its computer systems.


Adrian Lamo

Lamo is a “gray” hat-turned-white hat and currently specializes in threat analysis, journalism, and public speaking. He’s been using his hacking skills to help identify security flaws in the networks of Fortune 500 companies and isolate leak sources that threaten homeland security.
However, prior to this white hat streak, Lamo hacked into Microsoft, The New York Times, and Yahoo! News using Internet connections in public places such as coffee shops and libraries. He consistently found ways to penetrate systems, then informed companies of their vulnerability; however, because he was not hired to do this, it was seen as a threat.
His nearly-black hat career escalated when he began viewing Social Security numbers and giving himself clearance within company systems to access other confidential information. Lamo was ordered to pay $65,000 in restitution to The New York Times and underwent home confinement and probation before donning his white hat.


Kevin Poulsen

Black hat Poulsen’s hacking tended to involve telephone lines, and he used his unusual skills to manipulate radio shows and contests. By taking over all phone lines used by KIIS-FM radio in LA, he took the liberty of “winning” a new Porsche and other prizes. Following this performance, Poulsen hacked into a federal investigation database and viewed wiretap information on “secure” computers.
Other hacking offenses include reactivating old numbers from the Yellow Pages and crashing the phone lines meant to receive information about his whereabouts during an Unsolved Mysteries special. After being ordered to pay $56,000 in restitution and serve over four years in prison, Poulsen decided that a white hat might look good on him and used MySpace profiles to identify 774 sex offenders. He’s also worked hard to become senior editor of Wired News.


This is a guest post by Alexis Bonari. She is a freelance writer and blog junkie. She is a passionate blogger on the topic of education and free college scholarships. In her spare time, she enjoys square-foot gardening, swimming, and avoiding her laptop.


GFI WebMonitor - A good step ahead

Web Content Filtering and Security products are already a maturing market. The need for monitoring and controlling user access to the Web is identified as critical for today's businesses.

GFI Software is entering this market arena with a solution named GFI WebMonitor. This product is available either as a standalone proxy version that works in most network environments or as a dedicated plug-in for organizations that have deployed Microsoft ISA Server.

Installation
The installation is very easy, and the only really critical step is the admin's decision on which mode the software will run in. GFI WebMonitor can run in the following modes:

  1. Simple Proxy mode - In this mode, GFI WebMonitor operates on a server with a single NIC and functions as a proxy. In order to use it, block direct access to the Internet from the clients and set their browsers to use the GFI WebMonitor system as a proxy.
  2. Traffic forwarding mode - In this mode, GFI WebMonitor works 'inline', and acts as a router/proxy. To operate in this mode, you need to install GFI WebMonitor on a server with two NICs and routing ability (like Windows RRAS).
We will observe the operation of GFI WebMonitor in Simple Proxy mode - a mode that is easier to set up and which will be the default choice of most companies. According to the documentation, GFI WebMonitor is designed for corporate use. In order to understand how GFI WebMonitor matches corporate expectations, let's define a corporate environment scenario in which GFI WebMonitor will have to perform:

Corporate Scenario


Internet users
A typical corporate organization will have the following Internet users:
  1. Standard Internet Users - The generic corporate grunts, people who are not expected to use the Internet during most of their work day. Their Internet access is limited to the most basic Internet access, and download of PDF, Word and PPT files of maximum 2 MB size.
  2. Power Internet users - Power Internet users, requiring access to a lot of Internet locations, and who regularly download documentation (PDF, Office) and media (audio, video, flash) from the Internet. These files can be of a larger size, up to 50 MB.
  3. Management - The top brass who, although they would use the Internet very rarely, should not feel too limited
  4. Exceptions - For research or testing purposes, exceptions to all rules must exist
Corporate policy
The typical corporate organization has an Internet access corporate policy. Here is a sample one:
  • Rules for all users
  1. No access to gaming sites, porn sites, narcotics or alcohol abuse sites, gambling sites, spamming and hate mail, racism and hate sites, job search sites, social media and instant messaging sites, web based e-mail services, virus and malware sites, hacking or exploitation sites, personal financial gain sites.
  2. No workaround bypass of this policy is permitted
  • Rules for Standard Internet Users
  1. No access to news sites, media sites, file sharing sites
  2. Download limit set to 5 MB per file
  3. Permitted files - HTML, Images, XML, PDF, PPT, DOC(X), XLS(X)
  4. No malware should be downloaded
  5. Limit bandwidth to a maximum of 10kbps per user
  • Rules for Advanced Internet users
  1. No access to file sharing sites
  2. Download limit set to 50 MB per file
  3. Permitted files - HTML, Images, XML, PDF, PPT, DOC(X), XLS(X), AVI, MP3, MP4, FLV, VSD, Archives containing these types of files
  4. No malware should be downloaded
  5. Limit bandwidth to a maximum of 150kbps per user
  • Rules for Managers
  1. Download limit to 500 MB per file
  2. Permitted files - PDF, PPT, DOC(X), XLS(X), AVI, MP3, MP4, FLV, VSD, Archives containing these types of files
  3. No malware should be downloaded
  4. Limit bandwidth to a maximum of 250kbps per user
Internet usage reports must be submitted to the Information Security Officer on request and in a monthly automatic report.

GFI WebMonitor Performance against scenario

We have used all functions of WebMonitor to simulate the corporate scenario as closely as possible. We have set up groups for web filtering and download access, and tested for normal functionality.

GFI WebMonitor has a simple but useful tactical dashboard for overview



Web Filtering Control

The good
  • All restricted areas can be set up in the web filtering control, and were properly blocked with a restriction message. If default policies are not sufficient, you can include or exclude sites manually, or you can also suggest categorizing a site in GFI's database, so it gets into the policy automatically.

The issues
  • The minor administration issue that we found is that the categories are not explained, and it took us some time to discover that Instant Messaging is defined as Internet Communications. A dynamic description should appear as a category is selected - this would make the admin's life much easier.
  • The functional issue that we found is that there is no bandwidth control for anyone. GFI might argue that this is not a function of a content filter, but there are products which provide these functions.

Download Control
The good
  • The download controls can define the file types that can be downloaded
  • The integrated proxy can save the already downloaded files, thus reducing internet link load


The issues
  • There is no file size limit to apply to groups. So corporations cannot limit users to downloading only files of a certain size and thus prevent hogging of the Internet link.
  • Download restrictions can be bypassed by hiding files within other files (a zipped executable, or a file embedded as an object within a Word file).
  • Selection of items in download control is a bit difficult, since you need to open each item specifically. This is mostly a cosmetic issue, but it can nag the administrator.
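As an added example of the check a download control needs in order to close the "zipped executable" gap noted above (this is illustrative code, not GFI's implementation), the Python below identifies files by their magic bytes rather than by extension and recurses into ZIP archives, so a renamed executable or a nested archive is caught. The sample archive is constructed in memory; the allowlist is an assumption of the example.

```python
import io
import zipfile

# Magic bytes for the file types in the sample policy. The signatures are the
# well-known ones; the allowlist is this example's assumption, not GFI's.
SIGNATURES = [
    (b"%PDF", "pdf"),
    (b"PK\x03\x04", "zip"),            # also the DOCX/XLSX/PPTX container
    (b"\xd0\xcf\x11\xe0", "ole"),      # legacy DOC/XLS/PPT compound file
    (b"\x89PNG\r\n\x1a\n", "png"),
    (b"\xff\xd8\xff", "jpeg"),
    (b"MZ", "exe"),                    # Windows PE executable
]
ALLOWED = {"pdf", "zip", "ole", "png", "jpeg"}
MAX_DEPTH = 3                   # stop recursing into nested archives past this
MAX_MEMBER = 50 * 1024 * 1024   # refuse to expand members larger than 50 MB


def sniff_type(data: bytes) -> str:
    """Identify content by its leading bytes, ignoring the file name entirely."""
    for magic, kind in SIGNATURES:
        if data.startswith(magic):
            return kind
    return "unknown"


def inspect(data: bytes, name: str, depth: int = 0, findings=None) -> list:
    """Record (path, detected type, verdict) for data and, recursively, for archive members."""
    if findings is None:
        findings = []
    kind = sniff_type(data)
    findings.append((name, kind, "allow" if kind in ALLOWED else "block"))
    if kind == "zip":
        if depth >= MAX_DEPTH:
            findings.append((name, "too-deep", "block"))   # cannot verify what is inside
            return findings
        try:
            with zipfile.ZipFile(io.BytesIO(data)) as zf:
                for info in zf.infolist():
                    if info.is_dir():
                        continue
                    member = f"{name}/{info.filename}"
                    if info.file_size > MAX_MEMBER:       # guards against zip bombs
                        findings.append((member, "oversize", "block"))
                        continue
                    inspect(zf.read(info), member, depth + 1, findings)
        except zipfile.BadZipFile:
            findings.append((name, "corrupt-zip", "block"))
    return findings


def verdict_for(data: bytes, name: str) -> str:
    """Block the whole download if any member, at any depth, is not allowed."""
    return "block" if any(v == "block" for _, _, v in inspect(data, name)) else "allow"


def build_sample_zip() -> bytes:
    """Constructed sample: a 'report.pdf' that is really a PE stub, plus a nested archive."""
    inner = io.BytesIO()
    with zipfile.ZipFile(inner, "w") as zf:
        zf.writestr("notes.pdf", b"%PDF-1.4\n% constructed placeholder body")
        zf.writestr("tool.exe", b"MZ\x90\x00 constructed placeholder, not a real binary")
    outer = io.BytesIO()
    with zipfile.ZipFile(outer, "w") as zf:
        zf.writestr("report.pdf", b"MZ\x90\x00 renamed executable, not a PDF")
        zf.writestr("logo.png", b"\x89PNG\r\n\x1a\n constructed placeholder")
        zf.writestr("archive.zip", inner.getvalue())
    return outer.getvalue()


if __name__ == "__main__":
    sample = build_sample_zip()
    for path, kind, verdict in inspect(sample, "download.zip"):
        print(f"{verdict:5} {kind:12} {path}")
    print("overall:", verdict_for(sample, "download.zip"))
```

The other bypass the post mentions, an object embedded inside a Word file, needs an OLE/OOXML parser applied to the "ole" and "zip" containers in the same way; that part is not shown here.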

Spyware and virus protection

The good

The antivirus protection worked as expected, and it identified the test EICAR virus simulation file.


The issues
  • The antivirus protection worked only on the second attempt. The first time, EICAR was downloaded and wasn't detected as a virus. We checked the antivirus engines and found that they had remained in "Downloading and updating" status for the entire 5 days of testing. After we forced the update to finish (this required a reboot of the GFI WebMonitor computer and about 1 hour of patience), the EICAR file was detected as a virus threat. We can't identify the reason for this behavior.

Phishing protection

The good
  • The phishing control is very effective. We tested against a fresh phishing site (at the time of the test only live for 5 hours). It was properly blocked both by GFI WebMonitor and by Firefox phishing protection. The test site was selected from PhishTrack.


Instant Messaging Control

The good
  • We tested with Windows Live Messenger, and notifications are properly delivered to the administrator.

The issues

  • This function looks more like a nice idea than real functionality. It only works for Microsoft IM protocols, and is not useful for Skype, XMPP (Jabber), YMSG (Yahoo) or Gadu-Gadu. These protocols will either pass undetected or will not work at all.

Reporting

The good
  • GFI WebMonitor has a brief set of reports integrated within its engine, and it has a free ReportPack add-on especially for reporting.



Conclusion

GFI WebMonitor is a nice step in the right direction. The product is very easy to install, and a company that starts using it can see its benefits by the end of the first day of use.
It matched all the basic requirements of our sample scenario, and only failed at the most advanced expectations. We have some reservations about the antivirus, but this is probably due to an error in our installation or a bug that will be fixed.

In order to evaluate whether GFI WebMonitor meets your requirements, simply note down your corporate scenario and install the evaluation version. You'll be able to evaluate the match to your requirements very quickly.

