
What is a Dedicated Server, and Why Would I Need One?

A server is essentially a computer that does not do anything else but supply and store information for other computers. You could be using one of your computers as a server in your office, for example.

This computer would then be called a server and supplies information (even software applications) and data to other computers, which basically become user terminals. If you have an e-commerce site, or you have a lot of important information that you want to keep safe and secure, you should be looking at the best dedicated servers provider in your country or region.


Normally, when you register for a website, your website would be hosted on what is called a shared server. This means your website and information are stored on a computer that is used by many other customers of that provider.
In the case of a dedicated server, you have your own whole computer and network connection.

Here is a comparison of normal shared servers and dedicated servers to illuminate the issue.

  • Traffic Issues. If someone else’s website gets a lot of traffic, and your website and database are on the same server, your website will start to slow down. You cannot have this happening if your website and database are crucial to your business operations. With a dedicated server, you have the one whole computer to yourself, and there will be no influence on your traffic from outside sources.
  • Size. What happens when your website grows? With a shared server, you will have to keep buying extra space. With a dedicated server, you have the whole computer, and this means it is just about impossible to run out of space.
  • Security. Information on shared servers is never as secure as dedicated servers. There are multiple accounts and multiple users. Do you really want your important company information on a computer that is also being used by other people?
  • Service. Dedicated servers normally come with a range of services, such as back-up, security and support. If your information is on a computer provided by a normal shared server supplier, you cannot expect the same service. Do not expect the computer support with shared servers to match the response times of that provided by your dedicated server company. Dedicated also means the company should be dedicated to you, and not just the fact you have your own server.
  • Location. Just like any other server, your dedicated server will be stored in a very secure location. This is much better than having a server in your own office, for example. It would be possible to run your own e-commerce site from your own office, but you would need the technical know-how and computer support to manage your own server. Normally, that will require outsourcing IT services or employing your own team.
  • Cost. Dedicated servers will obviously cost a considerable amount more than a standard server. If your e-commerce site is growing, for example, having a smooth, fast and reliable website will mean more money. Investment in a dedicated server is an investment into your revenue stream.

In essence, dedicated servers are necessary for anyone who is making revenue from their site with a lot of traffic. You need to be sure that your business is managed, monitored, protected and stands alone from anyone else’s business on the internet. You can always switch your website to a managed server as it grows, although for those who are serious about e-commerce, setting it up so it is stand-alone from the beginning, is still the best option.

This is a guest post by Tom Mallet, an Australian freelance writer and journalist. He writes extensively in Australia, Canada, Europe, and the US. He has published more than 500 articles about various topics, including dedicated servers and computer support.


Talkback and comments are most welcome


Hacking Virtual Machines Part 1 - Sniffing

Virtualization is considered to be the new renaissance in computing. Suddenly, all those oversized servers are put to great use by running multiple guest OSes on them. But running IT services in a virtualized environment brings a whole host of new opportunities for hackers.

We will discuss these opportunities in this series of articles, under the uncreative title "Hacking Virtual Machines".

Sniffing attack
By definition, a virtualization host will have several guest OS systems running. Possibly, these systems will have different purposes, and different levels of patching and functional configuration. The guest OS systems should be perfectly isolated from each other and never access the same resource at the same time.

But most virtualization implementations break this rule at the network level. It is quite common that all guest OS systems access the LAN via one network adapter, and not many virtual server implementations have virtual VLANs configured.


All this means that if one virtual machine starts a sniffer - putting the adapter in a promiscuous mode - it is quite possible to sniff traffic from the other virtual machines, and collect all sorts of interesting information.

The sniffing attack is a second phase attack, after the first virtual machine has been compromised.

The following video shows an actual compromised VMware guest being used to sniff the LAN and capture the data of a second VMware guest on the same host.

The sniffing target is a web server running the Hacmebank web application. The sniffing easily captures the authentication process, as well as money transfer transactions.




Compiling the latest Skipfish for Windows

Seeing that skipfish releases are changing twice a day, Shortinfosec is starting a persistent post to publish the latest versions of skipfish compiled for Windows.

Here you'll find the latest compiled versions, as well as a historical trail of the previous versions.

In order to run it, just unzip the archive - it contains the cygwin run-time libraries needed for running skipfish. The compiled code is tested on Windows 7 and Windows XP Pro.



Download the latest version of skipfish for windows - skipfish 1.29b

Previous versions

Download skipfish 1.26b for windows
Download skipfish 1.25b for windows
Download skipfish 1.22b for windows
Download skipfish 1.18b for windows
Download skipfish 1.13b for windows
Download skipfish 1.11b for windows



How To - Malicious Web Site Analysis Environment

There are numerous sites and server-side scripts which attack their visitors or simply cause them unpleasant problems.

The latest one to gain prominence, although it does not really cause much harm, is "Want 2 C Something Hot?". It is an elegant CSRF (cross-site request forgery) which simply shares itself on the Facebook profile of the visitor.


The careful visitor will simply steer away from such links. The careful but curious visitor would want to see what such code does, but in a safe environment. So, here is a sample environment for a safe preliminary analysis of a malicious web site:

  1. The analysis computer - a cleanly installed VMware Windows XP SP3 guest OS. The guest OS should be configured with bridged networking. Configure your host OS firewall to block all communication from the guest OS IP address to the host OS IP address.
  2. The protective shielding - the guest OS should have the latest updated antivirus software. We recommend AVIRA, with active heuristic scanning. Also include anti-malware software, like Spybot - Search and Destroy.
  3. The analysis tools - now is the time to fire up your arsenal:
    • Wireshark/Ethereal - all traffic should be captured with a network sniffer, so if the application-level tools miss something, you can always go back to the packet capture. Set the sniffer to save the packet capture to disk automatically, and start the sniffer before you start surfing!
    • Latest Firefox with the Firebug add-on - all request/reply communication will be tracked through Firebug. This is the application-level tool that will help you start dissecting the communication to and from the browser, and what is actually received.
The results of the "Want 2 C something hot?" page as seen through Firebug are shown on the next image. From there you can start dissecting each request and reply to fully understand the sequence of events.



Please note that the results are not magical, and that by only using this toolset you won't become an instant security analyst or a hacker. This is just a safe environment for analysis of web sites.



Tutorial - Secure Web Based Job Application

In the effort to minimize costs, a lot of companies create web based forms for job application. But web hosting is mostly outsourced to hosting providers, which host hundreds of sites on the same server, thus potentially exposing the personal data of applicants to hacker attack.

Here is a blueprint design for making a web based employment application with minimal risk of unnecessary exposure of the personal data of the applicants.

The process
The corporate concept of the web based job application uses the following process:

  • The applicant fills in a web form, and the information is stored in a database.
  • The corporate HR operator accesses the database and applies appropriate filters to the applicants to generate an automatic shortlist from competency and education filters.
  • Applicant data within the database can have automatic retention setting to delete old records.

Summary Risk Analysis
The risk analysis of the design has the following assumptions:
  1. Web hosting is outsourced
  2. There is no direct link from the hosted web site to the corporate network
  3. The site is hosted on shared hosting, with generic security provisions provided by the hosting provider for all hosted sites
  4. HTTPS is available for any web page on the outsourced hosting
With these assumptions in place, the main risk to the applicant data is from an attacker who compromises any of the hosted sites and gains access to the applicant database - should it be kept on the hosted servers.

Solution design
To mitigate the identified risk, the design separates the location of application form from the actual database of personal information. The entire design is presented on the diagram below, with each numbered step described in detail:


  1. The applicant web form is hosted on the web hosting server. The web form is accessed via HTTPS. The applicant fills in the web form
  2. The web form packages the information into an XML file which is sent as an attachment of a signed and encrypted e-mail message to the corporate e-mail server
  3. The signed and encrypted e-mail message is read via an automated process; the signature is verified and the message is decrypted
  4. The XML file is extracted and parsed by a process on the internal application server
  5. The parsed information of the job applicant is sent to the HR database, located within the security zones of the corporate network - no access from the outside
  6. The HR operator uses a web interface to access the stored information via the internal application server
  7. The internal application server accesses the applicant data stored in the HR database
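The corporate side of steps 2 to 7, as an added Python example that is not part of the original post: an HMAC tag over the XML (a constructed shared secret, standing in for the signed and encrypted mail of steps 2 and 3 that a real deployment would do with S/MIME or PGP) is verified before the attachment is parsed against an allow-list of fields, the record lands in the HR table with its retention date already set, and a forged submission that reuses a genuine tag is rejected. The addresses, applicant data and field list are assumptions.

```python
import hashlib, hmac, sqlite3
import xml.etree.ElementTree as ET
from datetime import datetime, timedelta
from email import message_from_bytes, policy
from email.message import EmailMessage

SIGNING_KEY = b"hypothetical-shared-secret"   # constructed; stands in for the signing key of steps 2/3
RETENTION_DAYS = 180                          # the automatic retention setting from "The process"
FIELDS = ("name", "email", "education", "competencies")

def build_application_mail(applicant: dict) -> bytes:
    """Step 2, hosted side: form fields to XML, attached to a mail with an HMAC tag over the XML."""
    root = ET.Element("application")
    for field in FIELDS:
        ET.SubElement(root, field).text = str(applicant[field])
    xml_bytes = ET.tostring(root, encoding="utf-8", xml_declaration=True)
    msg = EmailMessage()
    msg["From"], msg["To"] = "jobs-form@hosting.example", "hr-intake@corp.example"  # constructed
    msg["Subject"] = "Job application"
    msg["X-Signature"] = hmac.new(SIGNING_KEY, xml_bytes, hashlib.sha256).hexdigest()
    msg.set_content("Automated submission from the job application form.")
    msg.add_attachment(xml_bytes, maintype="application", subtype="xml", filename="application.xml")
    return msg.as_bytes()

def extract_verified_xml(raw_mail: bytes) -> bytes:
    """Step 3, corporate side: take the attachment out and verify the tag before parsing anything."""
    msg = message_from_bytes(raw_mail, policy=policy.default)
    tag = msg.get("X-Signature")
    xml_bytes = next((p.get_content() for p in msg.iter_attachments()
                      if p.get_filename() == "application.xml"), None)
    if tag is None or xml_bytes is None:
        raise ValueError("missing signature header or XML attachment")
    expected = hmac.new(SIGNING_KEY, xml_bytes, hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, str(tag)):
        raise ValueError("signature check failed; submission discarded")
    return xml_bytes

def parse_application(xml_bytes: bytes) -> dict:
    """Step 4: parse against an allow-list of elements; a DOCTYPE (entity tricks) is refused."""
    if b"<!DOCTYPE" in xml_bytes:
        raise ValueError("DOCTYPE declarations are not accepted")
    root = ET.fromstring(xml_bytes)
    if root.tag != "application":
        raise ValueError("unexpected root element")
    record = {c.tag: (c.text or "").strip() for c in root if c.tag in FIELDS}
    if any(not record.get(f) for f in FIELDS):
        raise ValueError("incomplete application")
    return record

def open_hr_db() -> sqlite3.Connection:
    """Step 5: the HR database (in memory here; inside the corporate zone in the design)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE applicants (id INTEGER PRIMARY KEY, name TEXT, email TEXT, "
                 "education TEXT, competencies TEXT, received TEXT, delete_after TEXT)")
    return conn

def store_application(conn: sqlite3.Connection, record: dict, now: datetime) -> int:
    """Insert one applicant with its deletion date already set; returns the row id."""
    cur = conn.execute(
        "INSERT INTO applicants (name, email, education, competencies, received, delete_after) "
        "VALUES (?, ?, ?, ?, ?, ?)",
        (record["name"], record["email"], record["education"], record["competencies"],
         now.isoformat(), (now + timedelta(days=RETENTION_DAYS)).isoformat()))
    conn.commit()
    return cur.lastrowid

def shortlist(conn: sqlite3.Connection, education: str, competency: str) -> list:
    """Steps 6 and 7: the HR operator's filter, as a parameterised query."""
    rows = conn.execute("SELECT name FROM applicants WHERE education = ? AND competencies LIKE ?",
                        (education, f"%{competency}%")).fetchall()
    return [r[0] for r in rows]

def purge_expired(conn: sqlite3.Connection, now: datetime) -> int:
    """Retention: remove records whose deletion date has passed; returns the number removed."""
    cur = conn.execute("DELETE FROM applicants WHERE delete_after <= ?", (now.isoformat(),))
    conn.commit()
    return cur.rowcount

def run_demo() -> dict:
    """End to end: a constructed applicant, a forged copy with a reused tag, and the purge."""
    now = datetime(2009, 6, 1, 9, 0, 0)
    applicant = {"name": "Jane Example", "email": "jane@example.test",
                 "education": "MSc", "competencies": "python, networking"}
    raw = build_application_mail(applicant)
    conn = open_hr_db()
    row_id = store_application(conn, parse_application(extract_verified_xml(raw)), now)
    # Forgery attempt: different XML content carrying the tag copied from the genuine submission.
    forged = message_from_bytes(build_application_mail({**applicant, "education": "PhD"}), policy=policy.default)
    forged.replace_header("X-Signature", str(message_from_bytes(raw, policy=policy.default)["X-Signature"]))
    try:
        store_application(conn, parse_application(extract_verified_xml(forged.as_bytes())), now)
        forgery_rejected = False
    except ValueError:
        forgery_rejected = True
    return {"row_id": row_id, "forgery_rejected": forgery_rejected,
            "shortlist": shortlist(conn, "MSc", "networking"),
            "purged_early": purge_expired(conn, now + timedelta(days=RETENTION_DAYS - 1)),
            "purged_late": purge_expired(conn, now + timedelta(days=RETENTION_DAYS + 1))}
```

The purge is run twice in the demo, once a day before the retention date (nothing removed) and once a day after it (the record goes).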

Conclusion
The proposed design can be used as a prototype for a job application portal which minimizes the risk of data theft. There can be several modifications or variants of the design to target specific requirements and expectations.

Of course, this design will be disputed by most ISPs, since they claim that their sites are safe.

But in a corporate environment, the corporation is responsible for protecting the personal information of the registered persons. And should a security breach occur, no amount of penalties to the ISP will reduce the responsibility of the corporation.


Scalpel - File Carving from Partially Wiped Evidence Disk

In the previous article on proper information disposal, a visitor suggested that Darik's Boot and Nuke (DBAN) can be used for emergency evidence destruction. While that is quite correct, DBAN takes time to finish. So, what evidence can be recovered from a disk on which someone interrupted the DBAN process?

Example Scenario
We created a simulation of an interrupted information destruction. Here is the scenario:
An employee has been collecting illegal material on his corporate computer.

  • The employee is accidentally tipped off that internal audit investigators will review his computer in several minutes
  • The employee boots Darik's Boot and Nuke to destroy the disk contents
  • The investigators intercept him and disconnect the power to the computer before DBAN finishes

Analysis
Since DBAN will overwrite information, it can be assumed that the File Allocation Tables are destroyed, as well as some of the data.
  1. The investigator creates a DD image of the disk drive, as presented in the Tutorial - Computer Forensics Evidence Collection
  2. The DD image is loaded into the Helix investigator computer
  3. All strings are extracted from the image using the 'strings' command - this activity creates a huge file that needs to be analyzed manually
  4. All possible files are extracted using the 'scalpel' file carving tool - this is an automated tool which can search for a lot of known file types and tries to extract them by matching the beginning and end of the file
  5. The carved files and strings are analyzed one by one. Most of the carved files are useless: every drive has some fragmentation, so parts of files are lost or the carving tool cannot match the other parts of the file.
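What step 4 does, as an added Python example (not scalpel's code and not part of the original post): a minimal header/footer carver run over a constructed stand-in for the dd image. The image holds a JPEG whose footer the interrupted wipe has already overwritten, so the carver also shows the incomplete-file case from step 5.

```python
# Signatures used by the carver: (header, footer, maximum size to search before giving up).
SIGNATURES = {
    "jpg": (b"\xff\xd8\xff", b"\xff\xd9", 4096),
    "png": (b"\x89PNG\r\n\x1a\n", b"IEND\xaeB`\x82", 4096),
}

def carve(image: bytes, signatures: dict = SIGNATURES) -> list:
    """Header/footer carving as in step 4: for each known header found in the image,
    look for the matching footer within the size limit. A hit with no footer (tail
    overwritten or fragmented, the step 5 case) is kept but marked incomplete."""
    found = []
    for ftype, (header, footer, max_size) in signatures.items():
        pos = image.find(header)
        while pos != -1:
            limit = min(pos + max_size, len(image))
            end = image.find(footer, pos + len(header), limit)
            if end == -1:
                found.append({"type": ftype, "offset": pos, "complete": False,
                              "data": image[pos:limit]})
            else:
                found.append({"type": ftype, "offset": pos, "complete": True,
                              "data": image[pos:end + len(footer)]})
            pos = image.find(header, pos + len(header))
    found.sort(key=lambda r: r["offset"])
    return found

def carved_filename(record: dict) -> str:
    """Carved files have no name left on the disk; name them by image offset, as scalpel does."""
    return f"{record['offset']:08d}.{record['type']}"

def build_sample_image() -> bytes:
    """Constructed stand-in for a dd image of a partially wiped drive (not a real disk):
    a complete JPEG, a complete PNG, then a JPEG whose tail, footer included, was
    overwritten with zeros when the wipe was interrupted."""
    slack = b"\x5a" * 64                                   # unallocated filler between files
    jpeg_ok = b"\xff\xd8\xff\xe0" + b"A" * 500 + b"\xff\xd9"
    png_ok = b"\x89PNG\r\n\x1a\n" + b"B" * 300 + b"IEND\xaeB`\x82"
    jpeg_cut = b"\xff\xd8\xff\xe1" + b"C" * 200             # header survives, footer does not
    wiped = b"\x00" * 1024                                  # where the wipe pass had reached
    return slack + jpeg_ok + slack + png_ok + slack + jpeg_cut + wiped

def summarize(image: bytes) -> list:
    """(filename, size, complete) per carved object: the list the analyst reviews one by one."""
    return [(carved_filename(r), len(r["data"]), r["complete"]) for r in carve(image)]
```

The incomplete JPEG comes back as everything from its header to the size limit (or end of image), which is why carved output needs manual review rather than being trusted as files.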




Conclusions
  • While evidence recovery from a partially wiped drive is possible, it is both difficult and time consuming to achieve. At any rate, no investigator can guarantee successful results.
  • Also, it must be noted that after the first pass of the DBAN write, a very large percentage of information is already destroyed, so one has to be very lucky to walk in on the person while he/she is wiping the hard drive and interrupt the process on time.


WMI Scanning - Excellent Security Tool

When doing a security assessment for a large organization, you need to collect a multitude of information for a proper assessment.
One of the essential elements in a network assessment is the systems inventory. While most security personnel would use a port scanner to scan the full IP range of the organization, when analyzing a Windows environment there is another tool that should be used in coordination with a port scanner.

The tool
When scanning a Windows environment, a WMI (Windows Management Instrumentation) scanner is a valuable assistant. The tool I am using is WMI Asset Logger, delivered by John J Thomas as freeware.

The process
WMI Asset Logger requires only a domain admin username and password; it will then query the domain for registered computers, or ask for a target computer. It then queries each computer to give you a nice overview of the current status of the computers on the network.

The results are presented in the GUI, an example presented below.



The benefits
Of course, one can always ask: what are the benefits of using a WMI scanner?

  • Verify the inventory delivered by the IT personnel - with WMI Asset Logger you can create a rapid report against which you can compare the report delivered by IT and verify their formal statement.
  • Make a rapid check of installed OS versions and service packs - quite often, your first priority is verification of installed OS consistency. With WMI you get a bird's-eye view of the installed OS on all Windows machines.
  • Create a relevant inventory for comparison on subsequent controls - the report is easily exportable into XLS or a tab-delimited file, so it's easy to load the results into a database for comparison of subsequent scans (monthly or quarterly).
  • Find primary targets for deep inspection - based on simple rules and pairing with the results of a port scanner, you can find interesting targets for deeper analysis.


Strategic Choice - Proper Selection of Web Hosting

The time of expensive hosting and limited functionality on web servers is long gone. Today, everyone and their mother is doing web hosting, with huge hosting disk capacity at very acceptable prices. But even though most hosting providers differ only in price on paper, things are much different in the real world.

You can get stuck with a poor hosting, a lot of non-functional elements of the site and even huge downtime on your site.
Here is a practical approach to selecting a good but Affordable Web Hosting provider. In order to properly evaluate them, you'll need to engage both your technical and business teams.

Make a table like the one on the following slide and start grading according to the following bullets


  1. Business Support Quality - Through this category, you will evaluate how prepared the hosting provider is to meet your business expectations of hosting. When evaluating business support quality, you need to answer the following questions. Add two points for each Yes answer to your business support category grade:
    • Does the hosting providers' sales rep answer to calls and e-mails in a timely manner?
    • Does the hosting providers' sales rep try to understand what you are trying to achieve?
    • Is the sales rep discussing meeting your requirements?
    • Does the sales rep provide direct contact with a dedicated technical person for clarifications?
  2. Technical Support Quality - Through this category, you will evaluate how prepared the hosting provider is to meet your technical requirements for hosting. When evaluating technical support quality, you need to answer the following questions. Add two points for each Yes answer to your technical support category grade:
    • Does the hosting providers' technical support person answer to calls and e-mails in a timely manner?
    • Does the hosting provider actually support the technical requirements of your site?
    • Does the hosting providers' technical support person answer your team's technical questions in a clear manner?
    • Does the hosting providers' technical support person ask for clarification on your requirements?
    • Does the hosting providers' technical support person warn you of any specific policies and limitations in their hosting solution that might hamper you?
    • Does the hosting provider offer remote tools for technical management of the web site (service stop/start, add-ons and libraries management, etc.)?
  3. Hosting Solution Breadth - Through this category, you will evaluate what other services you might be able to utilize in the near future combined with web hosting. When evaluating hosting solution breadth, you need to answer the following questions. Add one point for each Yes answer to your solution breadth category grade:
    • Is the hosting provider prepared to take over DNS hosting?
    • Is DNS records management available to your technical staff via remote interface?
    • Is there an e-mail service available?
    • Can the e-mail service capture all e-mails for you if necessity arises?
    • Are they offering any other services as bundle or with additional payment?
  4. Hosting Contention Ratio - Through this category, you will evaluate how many other sites you'll have to compete with for server resources, and how many different sites can impact your own in terms of security since they are on the same server. When evaluating contention ratio, you need to answer the following questions. Add one point for each Yes answer to your contention ratio category grade.
    • Is your site on a dedicated server?
    • Is your site on a server with no more than 50 large customer sites?
    • Is your site on a server with dedicated and isolated resources from other sites (virtual machine or chroot type of isolation)?
  5. Error Recovery - Through this category, you will evaluate how the hosting provider will react to recover your web site should an error occur. When evaluating error recovery, you need to answer the following questions. Add one point for each Yes answer to your error recovery category grade:
    • Is backup of the site performed daily?
    • Is backup of the site performed together with backup of the site's backend database?
    • Is hacker attack detection/prevention present?
    • Will you get alerting/notice from the provider if suspect hacker activity is detected?
    • If site defacement occurs, can the hosting provider recover to a working site within 15 minutes of detection or notice by you?
    • If site defacement occurs, is proper forensic investigation performed with results submitted to you?

After you've finished answering your questions, you'll have a table like the one below


Select the top 20% providers from the Total grades and add the pricing of their solution. The cheapest one will be your Affordable Web Hosting provider. You can afford to pay him, but you don't need to accept low quality.

Controlling Firefox Through Active Directory

Firefox is a great browser. But it is being widely avoided by corporations, since it is difficult to manage Firefox through a corporate-wide security policy, like IE through Active Directory.

FrontMotion has published FrontMotion Firefox Community Edition - a Firefox with the ability to lockdown settings through Active Directory using Administrative Templates. The concept is interesting, but how well does it work?

Here is a review of the FrontMotion solution for Firefox and Active Directory integration.

The Test
FrontMotion has prepared an MSI package of Firefox, with several modifications to enable group policy integration, as well as the administrative templates for Firefox.
Download the administrative templates (firefox.adm and mozilla.adm) and add them to your Group Policy Editor.


The administrative templates add a Firefox section to Group Policy - Administrative Templates, under both User Configuration and Computer Configuration, with the following configurable elements:

  • General Settings - centrally configure and enforce the Home Page setting for the Firefox users/computers
  • Enable Automatic Image Resizing - self-explanatory
  • Disable Firefox Default Browser Check - self-explanatory
  • Cache - setting cache size and path
  • Set Default Download Location - downloads path setting
  • Proxy Settings - centrally configure and enforce proxy setting for the Firefox users/computers
  • Disable XPI Installs - block installing of Mozilla extensions
A configured policy is presented on the following image.


Upon testing, we installed the Firefox Community Edition and applied the configured policy.


When we ran Firefox and tried to change the proxy, we were unable to, as can be seen on the image below.


It can be confirmed that the overall Active Directory Group Policy functions well. However, the number of configurable parameters for Firefox is very small, especially compared to the flexibility provided by Microsoft for Internet Explorer.

Conclusion
Integrating Firefox into Active Directory is great progress. But the current level of the solution makes it more of a curiosity, since its functionality will change with every new build from FrontMotion. If Active Directory integration is merged into the main Firefox development track and properly developed, for instance for Firefox 3.2, it will be a great step for Mozilla against Microsoft.
Once corporations are confident that Active Directory support is properly adopted into the generic Firefox and is there to stay, I know a lot of administrators that will happily phase out Internet Explorer for Firefox.


Obtaining a valid MAC address to bypass WiFi MAC Restriction

A reader in the comments on our post Example - Bypassing WiFi MAC Address Restriction made the following comment

"# Obtain a valid MAC address that is allowed on the network - And that right there is the hard bit. Perhaps an article on that before declaring how easy it is."
First, I would like to clarify several things
  • Every hacker attack requires some amount of specific knowledge, time, effort and resources. If this wasn't the case, they wouldn't have been called hackers, they would be called - everyone!
  • It is not the goal of this site to provide step-by-step tutorials on actual hacker attack methods.
  • Bypassing the presented MAC address restriction protection is very easy, and it requires the least amount of knowledge, time and resources compared to bypassing other protection methods and attack types
Now, here is an explanation on obtaining the difficult element - a valid MAC address
  • If the WiFi network allows for unlisted MAC addresses to associate and then uses some sort of egress filtering, on the router or service selection gateway, just associate to the network and run wireshark for 5 minutes to collect other MAC addresses on the network. Results in 5 minutes
  • If the WiFi network does not allow for unlisted MAC addresses to associate, then you can
    • Download Backtrack and burn it to a LiveCD. Backtrack supports most of modern WiFi laptop cards.
    • Boot your laptop from the Backtrack LiveCD. Run Kismet, which will put your wireless adapter into monitor mode. Use airodump to collect packets for analysis and find valid MAC address - Results in around 3 hours
  • Create a small Perl program to generate a cycle of possibly valid MAC addresses and cycle them on your WiFi card using macshift. This yields best results paired with a bit of social engineering - to discover the models of laptops connecting to the network, thus reducing the address space to search - depending on skills and preparation, Results in 4 - 24 hours

Example - Bypassing WiFi MAC Address Restriction

Among security professionals, it is a well known fact that using only MAC address restriction is useless as a protection mechanism for WiFi. But for the general public, this is still a popular method. This post aims to show how easy it is to actually hijack someone's MAC address and bypass this restriction.

Here is the process, as used on a Windows laptop

  1. Obtain a valid MAC address that is allowed on the network
  2. Download macshift, created by one of Internet's renaissance men - Nate True
  3. Copy macshift.exe to c:\Windows\System32\
  4. Find the windows name of your wireless connection, from the Network Connections, for example "Wireless Network Connection"
  5. Open a Command Prompt(start->run->cmd.exe)
  6. Obtain your adapter's MAC address, by typing ipconfig /all on the command prompt. The result will include the MAC address of all interfaces.
  7. Type macshift VALID_MAC_ADDRESS -i "Wireless Network Connection". Here is an example screenshot.
  8. Happy surfing
NOTE: Don't forget to change your MAC back to its original value when you are done!

The process without step 1 takes a total of 5 minutes. Now, it can be argued that it is not easy to obtain a valid MAC address, here are two scenarios:
  • If the WiFi network does not allow for unlisted MAC addresses to associate, then you can:
    • Put your WiFi card in monitor mode and capture some traffic - from there it is easy to find the MAC addresses
    • Write a brute force program that will cycle the MAC address of your adapter and try to associate with the LAN. You can optimize the brute force by finding a laptop that can connect to the network and record the actual model. Then you can just cycle through half of the MAC address bytes
  • If the WiFi network allows for unlisted MAC addresses to associate and then uses some sort of egress filtering, on the router or service selection gateway, things are much easier - just run a sniffer for 5 minutes and collect all other MAC addresses on the network. Filter out the gateway MAC, and at a later time (usually in the dead of night) try them one by one.
This example is presented just as an eye-opener to the readers with less security experience. MAC Address filtering may be used as a deterrent, but only with WPA2 encryption and minimal possible range of the WiFi access point signal.


Tutorial - Mail Header Analysis for Spoof Protection

In an age where a huge percentage of all attacks are done through e-mail, very few of us know how to analyze where an e-mail was sent from. This analysis must go beyond the sender address displayed in your e-mail client (which is easily spoofed). Here is a simple tutorial on analyzing Internet headers.

I. Where to find the e-mail headers?
A very frequent question. Let's review the common e-mail reading interfaces and where you can see the e-mail headers in them:

  • MS Outlook (all versions) - Point to a suspect email in your inbox and right-click. On the context menu, select Options. A new window will appear. In that window, the e-mail headers are displayed at the bottom, in the box titled Internet headers.
  • Outlook express (all versions) - Point to a suspect email in your inbox and right-click. On the context menu, select Properties. A new window will appear. In that window, click on the details tab. The e-mail headers are displayed in the box titled Internet headers for this message.
  • Gmail - When you open an e-mail message, at the top there is a link titled "Show original". Click on it and a new browser window will appear, with the e-mail header at the top.
  • Yahoo Mail - When you open an e-mail message, at the bottom there is a link titled "Full Headers". Click on it and the windows will re-render showing a very nice presentation of the e-mail header at the top.

II. How do e-mail headers work?

First, let's review how SMTP (Simple Mail Transfer Protocol) works to transfer your e-mails. Let's assume that you are sending an e-mail message to webmaster@shortinfosec.net.

  • When you click send, your local mail server will receive the e-mail message for further delivery.
  • The mail server will then break the recipient address into user (webmaster) and domain (shortinfosec.net)
  • The mail server needs to know which mail server knows how to deliver an e-mail to webmaster@shortinfosec.net. For this, it will query the DNS server asking for a Mail eXchanger (MX) record for the domain shortinfosec.net.
  • The MX record is actually the DNS name of another mail server which is registered as authoritative for a specific domain - i.e. it knows what to do with e-mails for that domain.
  • The mail server contacts the MX server for the shortinfosec.net domain and delivers the e-mail message. Then the MX server will follow internal rules on how to deliver the message to webmaster@shortinfosec.net.
  • There are specific mail servers on the Internet called relay servers, which don't actually hold real mailboxes. They are usually hosted by ISPs and provide availability to receive e-mails for many domains, which are then internally delivered to the real mail servers residing on slow links or hidden behind corporate firewalls.
  • An e-mail message may traverse multiple hops on the Internet before being delivered to the recipient.
  • Each mail server that processes an e-mail message during its transit will add a line to the header of the e-mail message. A legitimate mail server will NEVER rewrite or alter an e-mail header. This was originally designed for troubleshooting, but is very useful in spotting scams and fake e-mails.

III. How do I analyze the e-mail headers?

Let's review a real-life example. The following e-mail headers are from an e-mail that supposedly arrived from Chase Bank, and it is a clear example of a phishing attack.

NOTE: The real recipient, domain and its servers are anonymized.

ANALYSIS:

  • The message claims that it was sent from smrfs@chaseonline.chase.com. This information can be very easily forged, so NEVER trust that information.
  • The useful information is in the "Received:" lines. Each of these lines represents a hop between two mail servers on the path from the sender to the recipient. These can also be forged, but there is a catch: A malicious mail server can forge the current headers, and at the end will have to send the mail to legitimate mail servers. The legitimate mail servers WILL RECORD the IP address of the sending e-mail server, and this information will ALWAYS BE TRUE.
  • So, the malicious sender has no control over the Received lines of the header.
  • The "Received:" lines are stacked on top of each other, so the first hop will be the lowest, and the last hop will be the first in the header. Therefore, to properly follow the path, read the lines bottom up.
  • So, reading our e-mail header, this e-mail was sent from an ADSL IP address registered to an ISP in Warszawa - Poland, and then had 2 more hops in the protection systems of the delivery ISP. Visually, this was the path of the mail:

IMPORTANT - You can easily check the registered owner of any address using SamSpade.org

  • Suddenly, it's obvious that this message has a slim-to-none chance of having been sent by Chase Bank. There is absolutely no reason for them to send it via an ADSL address in Poland when they have huge corporate servers.
  • There are two more elements that can be useful for analysis, although they can be forged:
    • X-USER_IP - the apparent IP address of the sending client computer
    • User-Agent - the apparent mail client program used to send the e-mail
  • In our example, the X-USER_IP points to 12.177.160.117 - an AT&T WorldNet Services address - and the User-Agent claims to be a Tumbleweed Mail Gate server, both of which are highly suspicious, so we discard them.
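To put sections II and III into practice, here is an added example (written for this page, not code from the original post) that reads the Received: lines bottom-up with Python's standard email module, pulls out the IP each legitimate server recorded, and flags the same signs discussed above. The sample message, its host names and the 198.51.100.x / 203.0.113.x addresses are constructed; only the From address, X-USER_IP and User-Agent values are taken from the example above.

```python
import email
import re
from email import policy

# Constructed sample message for the demonstration (not the message shown in
# the post). The Received chain, host names and the 198.51.100.x /
# 203.0.113.x addresses are invented; the From, X-USER_IP and User-Agent
# values mirror the ones the post discusses.
SAMPLE_MESSAGE = """\
Received: from mx2.example-isp.test (mx2.example-isp.test [198.51.100.20])
\tby mail.example-corp.test with ESMTP id ABC123
\tfor <victim@example-corp.test>; Tue, 03 Jun 2008 10:15:02 +0200
Received: from mx1.example-isp.test (mx1.example-isp.test [198.51.100.10])
\tby mx2.example-isp.test with ESMTP id DEF456;
\tTue, 03 Jun 2008 10:15:01 +0200
Received: from chaseonline.chase.com (unknown [203.0.113.45])
\tby mx1.example-isp.test with SMTP id GHI789;
\tTue, 03 Jun 2008 10:14:59 +0200
From: "Chase Online" <smrfs@chaseonline.chase.com>
To: victim@example-corp.test
Subject: Account verification required
X-USER_IP: 12.177.160.117
User-Agent: Tumbleweed Mail Gate

Please verify your account.
"""

IP_RE = re.compile(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]")


def _parse(raw_message):
    return email.message_from_string(raw_message, policy=policy.default)


def received_hops(raw_message):
    """Return the Received: hops in delivery order (bottom of the header first).

    Each hop records what the sending side claimed (the HELO name), what the
    receiving server observed (reverse DNS and connecting IP) and which server
    wrote the line. Only the observed fields are trustworthy.
    """
    hops = []
    for value in reversed(_parse(raw_message).get_all("Received") or []):
        text = re.sub(r"\s+", " ", str(value)).strip()   # unfold continuation lines
        helo = re.match(r"from (\S+)", text)
        rdns = re.search(r"\(([^\s()\[\]]+) \[", text)
        ip = IP_RE.search(text)
        by = re.search(r" by (\S+)", text)
        hops.append({
            "claimed_from": helo.group(1) if helo else None,
            "rdns": rdns.group(1) if rdns else None,
            "from_ip": ip.group(1) if ip else None,
            "by": by.group(1) if by else None,
        })
    return hops


def claimed_sender(raw_message):
    """The From: address, which the post warns is trivially forged."""
    return _parse(raw_message)["From"].addresses[0].addr_spec


def origin_ip(raw_message):
    """IP recorded by the first legitimate server that accepted the mail.

    This is the one value the sender cannot control; the HELO name on the
    same hop is still attacker-chosen.
    """
    hops = received_hops(raw_message)
    return hops[0]["from_ip"] if hops else None


def suspicious_signals(raw_message):
    """Cheap checks mirroring the post's manual analysis (hints, not a verdict)."""
    msg = _parse(raw_message)
    hops = received_hops(raw_message)
    if not hops:
        return ["no Received: lines at all"]
    first, signals = hops[0], []
    sender_domain = claimed_sender(raw_message).rsplit("@", 1)[1].lower()
    if first["rdns"] in (None, "unknown"):
        signals.append("origin IP %s has no reverse DNS" % first["from_ip"])
    if (first["claimed_from"] or "").lower().endswith(sender_domain) and \
            not (first["rdns"] or "").lower().endswith(sender_domain):
        signals.append("HELO name claims %s but reverse DNS does not match" % sender_domain)
    user_ip = msg["X-USER_IP"]
    if user_ip and user_ip.strip() != first["from_ip"]:
        signals.append("X-USER_IP %s differs from origin IP %s" % (user_ip.strip(), first["from_ip"]))
    return signals


if __name__ == "__main__":
    print("From:", claimed_sender(SAMPLE_MESSAGE))
    for hop in received_hops(SAMPLE_MESSAGE):   # printed bottom-up, i.e. in delivery order
        print("  %(claimed_from)s [%(from_ip)s] -> %(by)s" % hop)
    print("Origin IP:", origin_ip(SAMPLE_MESSAGE))
    for s in suspicious_signals(SAMPLE_MESSAGE):
        print(" !", s)
```

Run it directly to print the path and the warnings. The claimed_from (HELO) name on the first hop is chosen by the sender, so the only value to act on is from_ip, which is what you would look up at SamSpade.org.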

Conclusions

When in doubt about the authenticity of an e-mail message, DON'T follow the instructions within it and DON'T click on the attachments inside it. Instead:

  1. Open the e-mail headers and read where it came from. Usually, it's very easy to identify a fake message just from the path it took on the Internet.
  2. If you can't identify the problem, just extract the headers and send them to your IT and Security Officer for analysis.

Related posts

Tutorial - Measures for minimizing Spear Phishing Attacks

Example - SMTP message spoofing


Talkback and comments are most welcome

Tutorial - Computer Forensics Evidence Collection

Following up on the Tutorial - Computer Forensics Process for Beginners, here is a step-by-step tutorial on how to process a suspect computer to obtain dumps of RAM and the disk drive using the Helix Forensic CD.

Our suspect computer is a Windows XP virtual machine.
Our Example Forensic Toolkit
  • Helix forensic CD - your basic tool for the investigation
  • Evidence USB drive - 16 GB capacity - for removing smaller evidence files from the evidence computer
  • Analysis computer - a Windows laptop with the VDK driver installed (if using Windows); this driver will enable you to mount a DD image created during the evidence collection
  • Sophos Antivirus and A-Squared Free antispyware detector software for the analysis computer
I. Running state evidence collection
  1. Insert the Helix CD in the suspect computer's CD/DVD drive. Helix has an autorun, so it should start immediately, but be careful: if you are logged on as anything other than an administrator, you won't be able to make a dump of the full physical memory. So close the autorun, choose the Run as option to start the Helix software, and provide the Administrator credentials.
  2. WARNING - DO NOT log off the session in order to log on as an Administrator! Ending a session will inevitably change and contaminate the content of RAM, since a lot of processes are closed upon logoff.
  3. When Helix starts, there will be a warning screen stating that Helix won't be able to protect the suspect OS environment from changing, since it's running within the suspect OS environment. But since there is no other way to take a snapshot of RAM, just choose Accept.
  4. You will see the startup screen of the Helix tool. The first icon is just a preview of system info, so it's not too useful. Go ahead to the second option - Acquisition. It will prompt you for the source and the output location; direct the output to the evidence USB drive.
  5. Acquisition will prompt you for the source to be dumped - choose Physical Memory. It will ask for a second confirmation and will start the dump.



  6. After the memory dump is finished, choose Incident Response (3rd icon on the left menu) and click on the small arrow to go to the second screen. Run WinAudit.
  7. Click on the only link and let it perform an inventory of the system. Save the result as a PDF on your evidence USB drive.

After WinAudit finishes, close it, and close the Helix main window. It will ask whether you would like to record all activities in a PDF file. Confirm that you do and save the PDF on your evidence USB drive.
The above process also creates a file containing the MD5 hash of the memory dump on the evidence USB drive. Open this file and take note of the MD5 hash.

II. Disk drive evidence collection
  1. Turn off the computer ungracefully - pull the plug. This prevents any possible shutdown scripts from running and possibly erasing data on the computer.
  2. Boot it up again, and from the BIOS select to boot from CD-ROM. In a real corporate investigation, you may need the assistance of IT to provide passwords, since most corporate PCs are set up with a BIOS password and booting from CD disabled, to prevent possible information theft.
  3. Boot the Helix Linux OS.
  4. When booted, select Adepto from the Forensics menu.
  5. As with the memory dump above, select the drive you wish to dump, and select your evidence USB drive as the destination. For the hash, you can choose from several algorithms; the example uses SHA1. After the dump is finished, choose the last tab (Report) and save the dump report as a PDF to the evidence USB drive.
  6. Copy all files to your analysis computer, and verify the hashes of the memory and disk dumps again using md5sum or sha1sum, whichever you used initially.
  7. Using VDK, mount a copy of the disk image for investigation. The mount command is: vdk open path_to_dump_file\dump_filename.dd /L:free_drive_letter
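Step 6 above is the point where the chain of custody is proven. Here is an added example (not part of the Helix tutorial or its tools) that records MD5 and SHA-1 sums in the same "hash  filename" format md5sum and sha1sum produce, then re-verifies the copies on the analysis computer; the evidence directory and file names are constructed placeholders.

```python
import hashlib
import os
import tempfile

# Added example (not part of the original tutorial): record the MD5 and SHA-1
# sums of the acquired images in coreutils format, then re-verify the copies
# on the analysis computer. File names below are constructed placeholders.
CHUNK = 1024 * 1024            # hash one MiB at a time; real images are many GB
ALGORITHMS = ("md5", "sha1")   # the two sums the tutorial records


def file_digest(path, algorithm):
    """Stream a file through the hash so huge images never sit in memory."""
    h = hashlib.new(algorithm)
    with open(path, "rb") as fh:
        for block in iter(lambda: fh.read(CHUNK), b""):
            h.update(block)
    return h.hexdigest()


def record_sums(evidence_dir, algorithms=ALGORITHMS):
    """Write MD5SUMS / SHA1SUMS (md5sum -c compatible) beside the evidence files."""
    names = sorted(n for n in os.listdir(evidence_dir)
                   if os.path.isfile(os.path.join(evidence_dir, n))
                   and not n.endswith("SUMS"))
    written = {}
    for alg in algorithms:
        sums_path = os.path.join(evidence_dir, alg.upper() + "SUMS")
        with open(sums_path, "w") as fh:
            for n in names:   # "<hex>  <name>": two spaces, exactly as md5sum prints it
                fh.write("%s  %s\n" % (file_digest(os.path.join(evidence_dir, n), alg), n))
        written[alg] = sums_path
    return written


def verify_sums(evidence_dir, algorithms=ALGORITHMS):
    """Recompute every recorded hash; return {algorithm: [names that changed]}.

    A file that is missing on disk counts as changed. Empty lists everywhere
    mean the copies are still byte-for-byte what was acquired.
    """
    problems = {}
    for alg in algorithms:
        bad = []
        with open(os.path.join(evidence_dir, alg.upper() + "SUMS")) as fh:
            for line in fh:
                expected, _, name = line.rstrip("\n").partition("  ")
                path = os.path.join(evidence_dir, name)
                if not os.path.isfile(path) or file_digest(path, alg) != expected:
                    bad.append(name)
        problems[alg] = bad
    return problems


def evidence_intact(evidence_dir):
    return not any(verify_sums(evidence_dir).values())


def demo():
    """Build a throwaway evidence directory, record sums, tamper, re-verify."""
    d = tempfile.mkdtemp(prefix="evidence_")
    with open(os.path.join(d, "memory.dump"), "wb") as fh:
        fh.write(b"constructed RAM image")
    with open(os.path.join(d, "disk.dd"), "wb") as fh:
        fh.write(b"constructed disk image")
    record_sums(d)
    before = evidence_intact(d)
    with open(os.path.join(d, "disk.dd"), "ab") as fh:   # simulate a modified copy
        fh.write(b"\x00")
    after = verify_sums(d)
    return before, after


if __name__ == "__main__":
    print(demo())
```

Because the sums files use the coreutils layout, the same files can be checked on the Helix Linux side with sha1sum -c SHA1SUMS, so the record made at acquisition and the check made at analysis do not depend on the same tool being available.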

You can download and review the forensic log documents created in this tutorial here (5.19 MB ZIP file):

Helix_Evidence_Collection_Sample_Logs.zip
Verification sums:

  • SHA1SUM c7d189a78a715fd96127677d39d5ace1d5854ea5
  • MD5SUM 9b61fad0cf4418175cb7e387c6962c49

This concludes the easy part of computer forensics - evidence collection. Shortinfosec will follow up with exercises on the analysis part.

Related posts

Tutorial - Computer Forensics Process for Beginners


Tutorial - Using Ratproxy for Web Site Vulnerability Analysis

After Shortinfosec compiled the Ratproxy tool for Windows, we got e-mails complaining that it is still unclear how to use this tool. Therefore, Shortinfosec is following up with a tutorial on using Ratproxy.
NOTE: Shortinfosec will present a demo analysis and report, but will not delve into actual exploitation of the reported vulnerabilities.

A hacker that attacks a web site will analyze the entire structure of the site, and use his experience and external tools to identify the points where he will be able to compromise the site. Ratproxy emulates this operation by functioning as a web proxy for the user's browsing. This way, ratproxy is able to intercept and analyze the entire communication and content of the analyzed site.

The difference between a hacker and ratproxy is that ratproxy will identify potential vulnerabilities but will not exploit them, just report them.

Ratproxy can be run with or without potentially disruptive tests. The difference is in the X (disruptive) or x (non-disruptive) switch. Here is a command activating ratproxy with disruptive functionality:
ratproxy -v ratproxy -w report.log -d domain.com -leXtifscg


After that, the folder from which ratproxy is run will contain a file called report.log. To make it human-readable, you should run it through a parser, downloadable from
http://code.google.com/p/ratproxy/source/browse/trunk/ratproxy-report.sh?r=9

You should run it from a Cygwin shell. Make sure that it is a UNIX-formatted file (LF line endings, not CR/LF), otherwise the shell will report errors.

The parser should be run with the following command:
$ ~/ratproxy-report.sh report.log > report.html

When the report.log file is parsed, it will create an HTML file. Below is a screenshot of the report.


The report organizes the reported findings by type of possible issue encountered and then by the criticality of each specific issue identified.
Shortinfosec has created a sample report from scanning a localhost Apache 2.0 server with a CMS Made Simple site. You can download the sample report here.

Obviously, there are other products which perform the same function, like WebScarab, Paros, Burp, and ProxMon, so what is the benefit of ratproxy?
According to the ratproxy documentation,

it is designed specifically to deliver concise reports that focus on prioritized issues and to do this in a hands-off, repeatable manner. It features a sophisticated content-sniffing functionality capable of distinguishing between stylesheets and Javascript code snippets, supports SSL man-in-the-middle, on-the-fly Flash ActionScript decompilation, and even offers an option to confirm high-likelihood flaw candidates with a very lightweight, built-in active testing module.
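To make the passive analysis concrete, here is an added example (written for this post, not ratproxy's own code) of the kind of content-sniffing check ratproxy applies to proxied responses: it compares the declared Content-Type of each captured response with what the body actually looks like, and ranks the findings by criticality the way the report does. The URLs, headers and bodies are constructed for the demonstration.

```python
import json
import re

# Added example (not ratproxy's own code): a small passive content-type check
# of the kind ratproxy performs on proxied traffic, run over constructed HTTP
# responses. URLs, headers and bodies below are invented for the demonstration.

HTML_START = re.compile(rb"^\s*<(?:!doctype|html|head|body|script|div|p)\b", re.I)
JS_START = re.compile(rb"^\s*(?:var|let|const|function|return|if|window\.|document\.|\(function)\b")
CSS_RULE = re.compile(rb"^\s*(?:@\w+\b|[.#]?[\w-]+(?:\s*[>,]\s*[.#]?[\w-]+)*\s*\{)")

# What a browser should treat the body as, given the declared Content-Type.
DECLARED = {
    "text/html": "html",
    "text/plain": "text",
    "application/json": "json",
    "text/javascript": "javascript",
    "application/javascript": "javascript",
    "application/x-javascript": "javascript",
    "text/css": "css",
}
SEVERITY_ORDER = {"high": 0, "medium": 1, "low": 2}


def sniff_body(body):
    """Classify a response body from its content alone (what a sniffing browser sees)."""
    head = body[:512]
    if HTML_START.match(head):
        return "html"
    try:
        json.loads(body.decode("utf-8"))
        return "json"
    except (ValueError, UnicodeDecodeError):
        pass
    if JS_START.match(head):
        return "javascript"
    if CSS_RULE.match(head):
        return "css"
    return "unknown"


def check_response(url, headers, body):
    """Findings for one captured response as (severity, description) pairs."""
    findings = []
    ctype = headers.get("Content-Type", "").split(";")[0].strip().lower()
    declared = DECLARED.get(ctype)
    actual = sniff_body(body)
    if declared is None:
        findings.append(("medium", "%s: missing or unrecognized Content-Type %r" % (url, ctype)))
    elif actual not in ("unknown", declared):
        # HTML delivered under a non-HTML type may still be rendered by a
        # sniffing browser, so markup from untrusted input becomes script.
        severity = "high" if actual == "html" else "medium"
        findings.append((severity, "%s: declared %s but body looks like %s"
                         % (url, declared, actual)))
    return findings


# Constructed captures: (URL, response headers, response body).
SAMPLE_RESPONSES = [
    ("http://localhost/index.php", {"Content-Type": "text/html; charset=utf-8"},
     b"<!DOCTYPE html><html><body>Welcome</body></html>"),
    ("http://localhost/api/users", {"Content-Type": "text/html"},
     b'{"users": ["alice", "bob"]}'),
    ("http://localhost/app.js", {"Content-Type": "text/plain"},
     b"var app = {};"),
    ("http://localhost/theme.css", {"Content-Type": "text/css"},
     b"body { color: #333; }"),
    ("http://localhost/uploads/1", {"Content-Type": "text/plain"},
     b"<html><body>user supplied file</body></html>"),
]


def scan(responses=SAMPLE_RESPONSES):
    """Run every response through the check and order findings by criticality."""
    findings = []
    for url, headers, body in responses:
        findings.extend(check_response(url, headers, body))
    findings.sort(key=lambda f: SEVERITY_ORDER[f[0]])
    return findings


if __name__ == "__main__":
    for severity, text in scan():
        print("[%s] %s" % (severity.upper(), text))
```

The three findings it produces on the sample (an uploaded file served as text/plain but containing HTML, a JSON API answering as text/html, and a script served as text/plain) are the same class of issue the ratproxy report groups under content and MIME type problems; a real proxy would feed every captured response through check_response instead of the constructed list.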

Related posts
Ratproxy - Google Web Security Assessment Tool
Google's Ratproxy Web Security Tool for Windows


Google's Ratproxy Web Security Tool for Windows

In our previous post, we announced the new security tool - Google's ratproxy. It functions as a proxy, much like Paros.
Shortinfosec has compiled ratproxy v1.51 on Windows.

You can download compiled ratproxy-1.51.exe for Windows here

Verification sums:
ratproxy-1.51.exe SHA1SUM 42dbe6ffa00a3987f32b19a7c6e9ca84240db157
ratproxy-1.51.exe MD5SUM c41acfd5ab7874dfef3970ac52eb2a9b

In order to run it, you need to download and install the Cygwin runtime, since ratproxy is dependent on several Cygwin libraries. Do not forget to update your PATH variable to include c:\cygwin\bin.

Quickstart
To run it, use the following steps:

  1. Create a report directory (report_outdir).
  2. Type ratproxy -v report_outdir -w report_filename -lfscm
  3. Reconfigure your browser to use the proxy at localhost:8080.
  4. Start browsing; ratproxy will create the reports.
Report parsing
Copy the report generator from the location below, and create a file from the text. It is a bash script, so you should run it from a Cygwin shell. Make sure that it is a UNIX-formatted file (LF line endings, not CR/LF), otherwise the shell will report errors.
http://code.google.com/p/ratproxy/source/browse/trunk/ratproxy-report.sh?r=9

It creates an HTML report from the raw report generated by ratproxy.

Related posts
Ratproxy - Google Web Security Assessment Tool


Rules for good Corporate Web Presence

In the era of the Internet and communications, there are still a lot of organizations which have a poor or misconfigured web presence. This leads to unavailability, loss of contact with potential customers, and even reduced reputation due to a bad or missing web presence.
This trend is especially true for public services and organizations where management is centralized and has poor Internet awareness.
Here are a few examples of common mistakes:

  • Hosting a web site on a non-default port - very common when you hire very cheap webmasters or use an improperly trained administrator to set up the web server. Several web servers install themselves on TCP port 90 or 8080, for security reasons, until the service is ready for commercial rollout. If the web server remains on a port different from the default 80, some visitors may not be able to access it. This is especially true for visitors from large corporate networks, where proxy and security systems are often configured not to allow access to sites on non-standard ports.
  • Hosting a web site on an IP address, without a domain name - a very old mistake, and one that was supposed to have vanished by now. It is difficult to communicate an IP address, difficult to remember it, and difficult to change and re-communicate it. It should NEVER be done.
  • Using IT for content management - Even if IT created the engine, prepared the server and started it, they should not be tasked with content management. Because of its primary function, IT will always put a higher priority on maintenance of the infrastructure than on content management. This will lead to incomplete or outdated content.
  • Allowing the domain name to be stolen - Bear in mind that your corporate domain name is yours only until the lease expires. It costs around 10 USD/year to renew the lease, but if you forget to renew before the lease expires, it's first come, first served. There are persons and even companies known as domain trolls, which target large organizations and good domain names, and wait for a mistake. If you forget to renew your lease, they can take it from you, and then they will blackmail you into buying it for a lot more than 10 USD. In the meantime, your corporate web presence is unavailable, or even replaced with content which may harm your corporate reputation.
Here are several rules for setting up a good corporate web presence:
  1. Outsource the hosting of the web site to a commercial hosting company - avoid using internal resources for web site and server management. Unless you have a very large and experienced team, your people will need to learn web hosting and maintenance on the job, and this can lead to poor quality, failures, even security holes.
  2. Confirm that your site adheres to de-facto standards - insist on standard TCP ports and registered domain names, and avoid any reference to an IP address.
  3. Maintain your site and domain availability - lease the domain name for several years in advance, and task one person with personal responsibility to renew the lease on time.
  4. Delegate content management to the business - whatever is on the site is business oriented and should be maintained by the business. Each business unit should have a content manager, who should use a simple web-based editor interface to manage content.
Related posts
Creating Your Own Web Server
Tutorial: Making a Web Server
Web Site that is not that easy to hack - Part 1 HOWTO
Web Site that is not Easy to hack - Part 2 HOWTO - the web site attacks


Example - SMTP message spoofing

I got reactions from readers regarding my Spear Phishing post that creating a perfect spoofed e-mail representing the manager is impossible. Although I agree with this opinion, I must stress that the attacker can create a near-perfect spoofed message.

Here is how:
All he needs is an open relay mail server - a mail server that will accept and relay e-mail messages regardless of sender and recipient parameters.
Then, he needs to telnet to port 25 of this server (the SMTP port) and send the following set of commands:
helo server
mail from: sender@frauddomain.com

rcpt to: recipient@targetdomain.com

data
This is a customised fraud message


Regards

Fraudster

.


After each command, the server will reply with the appropriate acceptance code. The . on the last row is not an error; it is the message end delimiter.

Using this method, the only thing the attacker will not be able to spoof is the IP address of the SMTP server that relayed the message. Although this information is contained in the message header, very few people are trained to read it, and it is quite difficult to train non-technical personnel to read the header.
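Here is an added example (not from the original post) that plays the server side of the dialogue above in Python, so the difference between an open relay and a correctly restricted one can be seen reply by reply, together with the Received: line that records the connecting address. The server name, domains and the 203.0.113.7 client address are constructed.

```python
import re
from datetime import datetime, timezone

# Added example (not from the original post): a simulated SMTP server side
# for the dialogue shown above, to contrast an open relay with a properly
# restricted one. Server name, domains and addresses are constructed.
SERVER_NAME = "mx.targetdomain.com"
LOCAL_DOMAINS = {"targetdomain.com"}   # domains this server holds mailboxes for

ADDR_RE = re.compile(r"<?([^\s<>]+@([^\s<>]+))>?\s*$")


def _address(arg):
    """Pull 'user@domain' and 'domain' out of 'FROM: <x@y>' or 'TO: x@y'."""
    _, _, rest = arg.partition(":")
    m = ADDR_RE.search(rest.strip())
    return (m.group(1), m.group(2).lower()) if m else (None, None)


def smtp_session(commands, client_ip, open_relay=False, local_domains=LOCAL_DOMAINS):
    """Replay client commands against a minimal server; return (replies, queued).

    replies is a list of (command, server reply). queued is the accepted
    message text with the Received: line the server stamps on it, or None.
    With open_relay=False, RCPT TO for a foreign domain is refused, which is
    the configuration that denies the attacker his relay.
    """
    replies, rcpts, body = [], [], []
    helo, in_data, queued = "unknown", False, None
    for line in commands:
        if in_data:
            if line == ".":                     # end-of-message delimiter
                in_data, queued = False, "\n".join(body)
                replies.append((line, "250 OK: queued"))
            else:
                body.append(line)
            continue
        verb, _, arg = line.partition(" ")
        verb = verb.upper()
        if verb in ("HELO", "EHLO"):
            helo = arg.strip() or "unknown"    # attacker-chosen, never trusted
            replies.append((line, "250 %s Hello %s [%s]" % (SERVER_NAME, helo, client_ip)))
        elif verb == "MAIL":
            sender, _ = _address(arg)          # freely forgeable, as the post says
            replies.append((line, "250 OK" if sender else "501 Syntax error"))
        elif verb == "RCPT":
            rcpt, domain = _address(arg)
            if rcpt is None:
                replies.append((line, "501 Syntax error"))
            elif open_relay or domain in local_domains:
                rcpts.append(rcpt)
                replies.append((line, "250 OK"))
            else:
                replies.append((line, "554 5.7.1 Relay access denied"))
        elif verb == "DATA":
            if rcpts:
                in_data = True
                replies.append((line, "354 End data with <CR><LF>.<CR><LF>"))
            else:
                replies.append((line, "503 5.5.1 No valid recipients"))
        else:
            replies.append((line, "500 Command not recognized"))
    if queued is not None:
        # The receiving server writes the peer's real IP into the header. The
        # client cannot change this line, which is why the post calls it the
        # one thing that cannot be spoofed.
        stamp = datetime.now(timezone.utc).strftime("%a, %d %b %Y %H:%M:%S +0000")
        queued = "Received: from %s ([%s]) by %s with SMTP; %s\n%s" % (
            helo, client_ip, SERVER_NAME, stamp, queued)
    return replies, queued


# The command sequence from the post, as a client would type it.
SPOOF_ATTEMPT = [
    "helo server",
    "mail from: sender@frauddomain.com",
    "rcpt to: recipient@targetdomain.com",
    "data",
    "This is a customised fraud message",
    "Regards",
    "Fraudster",
    ".",
]


def demo():
    """Same commands against the target's own server, a closed relay and an open relay."""
    foreign = [c.replace("targetdomain.com", "otherdomain.example") for c in SPOOF_ATTEMPT]
    return {
        "local_rcpt": smtp_session(SPOOF_ATTEMPT, "203.0.113.7"),
        "closed_relay": smtp_session(foreign, "203.0.113.7"),
        "open_relay": smtp_session(foreign, "203.0.113.7", open_relay=True),
    }


if __name__ == "__main__":
    for name, (replies, queued) in demo().items():
        print("==", name)
        for cmd, reply in replies:
            print("C: %s\nS: %s" % (cmd, reply))
        print(queued or "(nothing queued)")
```

The restricted server still accepts a forged sender for its own users (that is ordinary inbound mail), but it refuses to relay to other domains, and in every case it stamps the connecting IP into the Received: line, which is the header field the post points to.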

Here is a video clip demonstrating the spoofing process


Related posts
Tutorial - Measures for minimizing Spear Phishing Attacks


Tutorial - Measures for minimizing Spear Phishing Attacks

A spear phishing attack is a form of phishing aimed at targets with high authority and the persons around them. By the nature of their work, security procedures are disregarded or at least less respected in such circles, which can lead to significant security risks. Here is a quite realistic scenario for this attack.

The ShortInfosec Democorp CEO is away on business for the week. He has authorized his assistant to check his mail and handle responses as appropriate.
The ShortInfosec Personal Assistant reads an email from the chairman of the Democorp board to the CEO. The mail content is as follows:


The Personal Assistant sees that the mail is sent from the corporate e-mail address of Harry J and is formatted according to the corporate standard. She knows that her boss will not read the e-mail for another 3 days.
So, she forwards the mail to marketing and sales, with the following text added:




Analysis

Within 15 minutes of receiving the original message, the directors of sales and marketing would have delegated the task to their subordinates and would have sent their documents to a Gmail address to which an unknown person has access.
Here is what really happened:

  1. The mail was originally fabricated by the attacker and sent from an open-relay SMTP server, impersonating the President of the board.
  2. The names and official contact information of all relevant persons are available from the annual reports of Shortinfosec Democorp. If not, the corporate e-mail format is standard and can be extrapolated by posing as a customer and exchanging several e-mails with other persons within Shortinfosec Democorp.
  3. The same method can be used to extrapolate the formatted signature at the end of the e-mail, as well as disclaimers or other standard corporate info contained in all e-mails.
  4. An official conference agenda listed the Shortinfosec Democorp CEO as one of the speakers, so the attacker knows when he will be unavailable.
  5. The WCI can be any relevant investment group, a name which can be identified from news clippings, or even invented - secretaries are not that much in the loop on large business decisions.

What should have happened

  • The request to send confidential documents to a public e-mail address should have raised red flags.
  • The Personal Assistant should have called the President of the board to confirm the authenticity of the message.
  • Also, she should have reported the mail as a possible breach of procedures to the Information Security Officer and requested further instructions.
  • Even if she disregarded all the peculiarities of this e-mail, the directors of sales and marketing and their subordinates should have reacted with a phone call or alerted the Information Security Officer.

In the real world, at the end of the day business comes first. So the same material would have gone to the Gmail account, but only after confirming that the president of the board had requested it, and with maximum precautions.

Result

An unknown person now has highly confidential corporate documents in his hands, which he can sell to the competition, publish, or extract information from them which will assist him to further his attacks.

Here are the controls that should be implemented to minimize the risks of spear phishing:

  1. Implement e-mail digital signatures for all top management and key personnel, and set up their laptops and PCs to automatically sign each sent message. Implement procedures requiring that all unsigned messages received from these sources be verified for authenticity.
  2. Perform regular training of all assistants and advisers to top management on phishing and social engineering.
  3. Perform regular but unannounced social engineering penetration testing on all assistants and advisers to top management, as well as all personnel handling highly confidential data.
  4. Educate top management by presenting the results of penetration attacks to them, to help them understand that breaching instituted procedures can lead to severe security breaches - make this an exercise, not a PowerPoint presentation.
  5. Advise all top management to accept and encourage the "when in doubt about the credibility of a request, make a call" policy for their immediate subordinates, assistants and peers. A 1-minute phone call is much less fuss than a 100-page top secret report being leaked.
  6. In case of a real necessity to send such documents to a public e-mail address, provide fallback security procedures, for example: send the data as a password-protected PDF with a random password, wrapped in a RAR file protected with a different password, with both passwords communicated via another channel - SMS or a phone call directly to the president of the board.

Related posts

Understanding Penetration Testing Methodology

TrueCrypt Full Disk Encryption Review

Hardware Security Module for Dummies

Personal Data Protection - Anonymizing John Doe
