I want to create a new presentation called Security for Soccer Moms. I was talking to someone at work who went to a PTA event and there was a “CISSP” there who knew a lot about security and children (uhh…) So I wanted to jot this idea down, so someone can steal it or I can just have some free hits for keywords of people looking for porn.

There are a LOT of resources on this topic and I will choose to look at the free ones. Sure there are the net-nanny products that stop you from looking at porn on the internet but they are all easy to stop when your kid gets smart, and lets face it who likes to pay for something that takes up memory on likely your home vista computer to make it run even worse.

So I present My list, I will add to it over time. I make this list in dedication to all the crazy people who have kids from high school allready… yikes.

The # 1 rule I have, untill you trust your kid -never allow a computer in a private area. (that has internet) I wouldnt reccomend it anyway keep your kids in view untill they are old and you trust them. or kick them out.

• PREVENT SOCIAL ENGINERING
• This is the most effective tool to keep your children safe from scarry assholes
• Talk to your children about NOT using real facts of life, avoid putting what your dad really works for,
• dont take a picture of your house address or link to it on google maps.
• Dont publish your birth year, use a fake year.
• Dont publish your own work history or keep it vague or mess up addresses for locations (I work at boeing in spokane)
• Dont publish your last name, or put a inital only (harder to stop kids dooin this)
• If you have rules about phones, publish only cell numbers that cant be traced by normals and watch your kids bills for strange 212 numbers.
• Dont publish details on your school where possible
• set up a email for your kids to use “on social networks” only (and monitor it)
• Dont give dates when you will leave for vacation talk about it when you get home! (or I will just come steal your crap)
• I think you get the idea – just mess things up a little change on your end causes a bad guy to keep moving to someone easy. In the end it all comes down to your parent skills, a parent that says “I dont want to look at my kids site to see what they are up to” haha then why are you reading this?? There is no privacy of a 7 year old on the internet, I dont care about your hippy views. Talk to your children why you monitor the activity and when they get older put a level of trust in them and dont monitor. If they screw up then kick some ass.
• Want to scare yourself? Google your Children’s Names see what data is out there on your home, family, child…
• Also remember LOOK at your kids social pages look at history etc to see if they use myspace etc (this also applies to you and linkedin)
• Prevent MalWare
• This is just a crappy fact of life now, its very hard to stop this with out tehncical controls.
• Use a “safe browser” in a virtual machine, it works great and there are pleanty of bootable browsers (just download ubuntu) and have the kid boot up ubuntu live and use the internet. then whatever they mess up you just reboot to fix. But they still can use flash etc etc etc.
• Use a host file redirector, most kids wouldnt figure this out untill they get real smart and if they are that smart they are beyond you trying to control them with just software. Blocks Ads-Mal-X or Porn
• Use free services like openDNs which are a bit more easy to deploy
• set your firewall to use that DNS then dont allow 53 out of your network (53=DNS) and then people CANT use internet with out some more serious hacking.
• most all opesource firewalls include some ability to do the same things for blocking sites, some will even replicate what netgear etc will do and put a “block list” of words into your layer7 traffic. So if you go to a site that contains the word “boobs” it will disallow the request. (see your hardware for how to do that, as this is about free things) Just learn to leverage what you likely allready have
• these methods can all be used to block social network sites if wanted
• Tip: remember to remove the hosts file from the recent open files list, and use notepad to edit it so that you dont leave tracks of what you did.
• Time restrictions of internet use
• Kids hate homework they like myspace
• Most all opensource firewall will allow a time browsing option, the pfsence firewall will allow you to require a login like at starbucks and only allow you for a ammount of time in a time block. or you could charge your kids
• a lot of consumer routers (things you buy at bestbuy) also have this feature use what you got!

So Remember– The security of your children is also your security. The tips here are also tips for you. The more you talk about it and let them use the tools and sites they want the less they will fight you and hide things. A opensource relationship is one where everyone learns.

And no I have no children, this is all assumptions.

This document is a work in progress right now, give feedback if you think of other major issues that you have with kids or know of with kids using the internet. I will make a new section and blather on about it.

So every internet user in the world knows about google, hell I couldn't do my job without google and even go as far as to put a line item on my resume saying “proficient with google search to accomplish tasks”. Its the best home page as its simple, (unless your dave who uses yahoo). Its white like macintosh hardware so people think its cool. They have sharable calendars, documents, pictures, You Tube, etc etc etc etc etc.

But is google really all that the ibook users crack it up to be? I don't think so, I have long been afraid of google and the masses that flock to it like crows to a bigmac in the street.

lets start off with The Good, google is an amazing search engine, its clean and they have the best user interface of any search bar none. (considering the top 4 not the little fish rip off’s of google UI) google has a search bar that is handy and youtube is social marketing for the future. see any fanboy for further good, as this post isn't really about the good.

RSS reader, this is one of the tools that I think google has that is actually very handy, as my RSS isn't private information and I dont care what marketing information can be gathered from it its the best reader I have used, and its free! a cool trick I just found was to look at your stats, see here is the day of week I read blogs as well as the number of subscribers to feeds in google. Notice that Katie has 5 readers in google… cool.

The Bad gmail, seriously. why do people think its the wave of the future, I think because one reason, it was invite only at the start. exclusive club email only, awesome way to make people want it. but in the end, you have all your email up on a search engine. in subject view only. what if you want to sort or folder your email, oh you cant, you can search or tag. but the idea of the subject view has been around since outlook 97.

The ability to share information, we all know of google hacking, put this into your search… filetype:txt "enable password" but the information isnt stopping at what you have on your webserver any more, your employees synch your office applications with google to make the iPhone blah blah, and release your corporate information.

need I say More? (i just found this while looking for fun info)

I was looking at google documents, it appears that there is no easy way to search however I will research more and post up, however this is not cool. yes store your personal info on google, sounds like a great idea.

The Ugly google is comming out with new applications every day to take personal information from users, I wont even get started on the google browser, or cell phone. I will focus more on some fun things that caused me to write this blog post. might be FUD but all the same it has merit.

I dont know if you have seen googles new enhancements to picasa, just like myspace etc you can now tag people in pictures just to help out the search engines find you by text, but google didn't stop there. You can put the tag to the award winning google earth to locate where they are at. Nice. (more on that award winning app later) we also know from prior that you can search for only faces in image search by adding the &imgtyp=face to your URL

Sure thats a nice example but really, how good is it… here is a nice video on how you can play with it and whats so scarry about all this? well if you dont care to mess around with the account to test the facial software, check out the new line of Sony Cameras with “smile shutter” Im not sure if sony released v2 of this, a lot of reviews online are bad, however I just got back from best buy, where I played with a camera for about 30 min in the store it works perfect. I was scared that its so good in consumer 170$ camera.

So whats to worry? well lets just consider this math equation.

  +  = the largest database of oh shit.

and one last ugly I will leave on, if you didn't think I had a point with the rest…

thats great google, keep a large database with info that I would like to have in a search engine company.

here is a fun hack for website robot.txt files.

site:google.com "robots.txt" "disallow" filetype:txt

run that in a search string and you will get back the disallow strings for forced browsing, you can drop the site: modifier to get more data or change it to your target site.

Here is a cool tool (OWASP WegGoat) that will test you on your hacker skills, from 31337 to nub3 you can see where you rank, I got to the last 4 modules and I didn’t have the skillz to continue (mostly the time to keep going)

I strongly recommend that if your interested in security / web security that you check out this project and run around the site to get learned. BTW a lot of my browser plug-ins will help you pass the quizzes.

Other things to hack, wargames, de-ice distro

I wanted to make a list of browser plug-ins that I use and find quite important to security and daily ops work.

First, for IE (I accidently upgraded to 7.0 and didn't feel like un-installing the behemoth)

• Bayden Systems' TamperIE offers HTTPS form-tampering
• sort of a mac-daddy tamper application to change your post data on the fly, must have.
• Microsoft's IE Developer Toolbar
• Change values on the fly also get header info and more right away
• Microsoft's IE Powertoys for WebDevs
• was cool but appears the highlight and show source dont work with IE7, however still works for DOM data so I keep it.

Now the giant list for FireFox (where all the 31337 users are)

• AdBlockPlus
• This is like going from dial up to DSL, the internet all the sudden becomes “sweet”
• BlogJet
• This is also in my IE, its my blogger application
• DOM Inspector
• handy for webdev and de-construction
• DownloadThemAll
• I dont like to click and this is a price-less tool for saving clicks.
• GoogleBrowserSynch
• I dont like how big google is and I dont like the idea of google watching what I browse, this was just an interesting tool since I am on lots of computers, I just dont have the guts to sign-in yet.
• GoogleToolBar
• this is a must, duh.
• HttpHeaders
• handy for webdev and de-construction
• ModifyHeaders
• handy for webdev and de-construction, and user-agent mods
• NoScript
• The only “security” leo laporte knows with out steve giving him a script. Handy for hacking things.
• RefControl
• spoof the referrer to the server.
• PDF Download
• sometime I like to download pdf’s sometimes I like to view them live, this lets me choose.
• Tamper Data
• same as TemperIE but for zilla
• ULRParms
• Different type of TamperData type plugin
• User Agent Switcher
• mac-daddy agent switcher, here is my browser list in XML for import
• File Attachment: useragentswitcher.xml (9 KB)
• WebDev
• This tools is mostly a must for anyone, you can quickly shut on and off and mod parts of sites.

A “new” security threat that I thought was rather interesting. using cross site forgery, the idea is that if you have two browsers open, one is your bank the other is a hack-site. The hack site can use this idea to piggy back on your cookie and session to do things with your bank with out you knowing, How? well it would just send http post data (or get) in the back end of the browser. So whats this mean why do you care? If this takes off its nasty till’ people fix the sites you use. To not fall victim to this just dent flip browsers while your browsing, if you are on a site that you feel needs to be secure close out myspace.

Also the tool that I use for google hacking pay-sites, is the mozilla RefControl, which is the underlying idea with this hack

Today its time I pay tribute to what i wrote off as crap pop culture.

iPhone – aside from I think its a waste of a phone, the user input (the touch thing) is amazing. good job apple

YouTube – the ability for people to express art in video with fast delivery system and the ability for people to take others work and make it new.

HarryPotter7 – the ending was very well done, wonder if I should pay for a copy.

So some people started to really bust loose with the out of the box thinking on this one. You know how you will hit some networks where you can only get DNS? like wifi spots? Guest networks NAC subnets? Here is a little trick to get access to resources by using UDP53 add that to your pentest. The first link has source step by step hosting service and video on how to work it, the other two are just followup info.

skript kiddy help for DNS tunnel

description with code sample for the dns tunnel

full how to dns tunnel

The following trick will allow you to view some BBS services with out having to register, or some technical sites that require a log-in you might be able to access the data so you dont need to have accounts all over the intertubes. When this gets banned out just change to any other bots see the last bit of the post for all bot info I took from the dasblog source code.

alter your settings to the following:

User Agent: Googlebot/2.1
Compatible: http://www.googlebot.com/bot.html

You can do so in Opera with ease. Firefox offers an extension which is downloadable from the official website.

to set up the plugin, click on add, the name your 'agent" something like: google

in the description text box. For the "User Agent" field, put this: Googlebot/2.1 (http://www.googlebot.com/bot.html)

save it, then to acces the plugin, go to tools (next to help on the menu bar in firefox) mouse over Agent Switcher, and select google, surf away. A word of warning, some sites will ban you if they do an IP range check, or a reverse DNS check and your IP doesnt match that of their stored googlebot IP addy or DNS

For Internet Explorer you need to change registry entries.

Windows Registry Editor Version 5.00 [HKEY_LOCAL_MACHINESOFTWAREMicrosoftWindowsCurrentVersionInternet Settings5.0User Agent] @="Googlebot/2.1" "Compatible"="+http://www.googlebot.com/bot.html"

Save this as bot.reg and execute.

To revert the changes back, you need the following:

Windows Registry Editor Version 5.00 [HKEY_LOCAL_MACHINESOFTWAREMicrosoftWindowsCurrentVersionInternet Settings5.0User Agent] @="Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)"

Save as nobot.reg and execute.

<UserAgents>
  <string>msnbot-Products/1.0 (+http://search.msn.com/msnbot.htm)</string>
  <string>MJ12bot/v1.0.8 (http://majestic12.co.uk/bot.php?+)>
  <string>ISC Systems iRc Search 2.1</string>
  <string>ichiro/2.0 (http://help.goo.ne.jp/door/crawler.html)>
  <string>Mozilla/4.5 (compatible; HTTrack 3.0x; Windows 98)</string>
  <string>asterias/2.0</string>
  <string>www.adressendeutschland.de</string>
  <string>NutchCVS/0.7.1 (Nutch; http://lucene.apache.org/nutch/bot.html; raphael@unterreuth.de)>
  <string>Snapbot/1.0</string>
  <string>msnbot/1.0 (+http://search.msn.com/msnbot.htm)</string>
  <string>Mozilla/5.0 (compatible; Googlebot/2.1; +http://www.google.com/bot.html)</string>
  <string>Mozilla/5.0 (compatible; BecomeBot/2.3; MSIE 6.0 compatible; +http://www.become.com/site_owners.html)</string>
  <string>RufusBot (Rufus Web Miner; http://64.124.122.252/feedback.html)>
  <string>Mozilla/5.0 (compatible; Yahoo! Slurp; http://help.yahoo.com/help/us/ysearch/slurp)>
  <string>Gigabot/2.0/gigablast.com/spider.html</string>
  <string>TurnitinBot/2.0 http://www.turnitin.com/robot/crawlerinfo.html>
  <string>Mozilla/5.0 (compatible; BecomeBot/3.0; MSIE 6.0 compatible; +http://www.become.com/site_owners.html)</string>
  <string>Sphere Scout&amp;v4.0 (beta) - scout at sphere dot com</string>
  <string>Gigabot/2.0; http://www.gigablast.com/spider.html>
  <string>msnbot/0.9 (+http://search.msn.com/msnbot.htm)</string>
 </UserAgents>

 So, how do you beat all 5 major types of cloaking?

1. Beat IP Delivery: Use Google Translate as a Proxy, translating from spanish->english even though the site is already in English.
2. Beat User-Agent Cloaking: Use the FirefoxUser-Agent Switcher to spoof as GoogleBot
3. Beat Javascript Detection: Use the Firefox Web Developer Toolbar to turn off javascript.
4. Beat Cookie Detection: Use the Firefox Web Developer Toolbar to turn off cookies.
5. Beat Referer Detection: Use the Firefox RefControl Extension to prevent referer from being sent.

Using these in conjunction can be extremely effective, even at pay-for-information sites.
Doing this may be against the terms of service of the site you are visiting. There are plenty of popular sites out their that cloak content which is normally only available to paying members. While these techniques work on those sites too, be careful.

Good browsing!

is hackable - thats funny. if this gets fixed basically your able to just enter a alert message into the url and have it pop up at the site. Only a laugh because the page is how to prevent this crap.

link (now dead)

Im sure RoadRunner DSL isnt the only ISP that will do this, however I stumbled across them as being particularly dumb. They list all the users on a home page and let you browse the personal sites, as well as gather assumed login names etc. simply google “@ .rr.com” to get regional areas such as HVC for Hudson Valley. then attach some data to the site and you get every home page there, that includes pages where people upload files, but think no one can see them but they nicely let you index browse. HTML 1.0 where they password stuff but you have no time out and retry is not delay. more importantly the google site:xxx.com trick where you can just search everyone for juicy data. here is some info to get you kicked off for about 1 hour of surfing fun. its like having a back door into angel fire site, all that blinking text fun.

http://home.nycap.rr.com/

http://home.hvc.rr.com/

http://home.cfl.rr.com/

 needless to say browse with firefox, who knows whats out there.

I love google stories if you search a word on http://images.google.com lets say like “kelly keeton” you will get some pictures of my blog. now in the URL bar at the top of the browser append the following… “&imgtype=face” with out quotes you will only get results with a human face. type=news will also return some unknown news value. That spat google had with the feds a while back was ironed out as long as they perfected the facial matching for myspace.com  (you can use this with any other google hacks like site: url: blah blah)

others are workign on the hacking for this, but this is a awesome use for social engineering to act like you know what a clients site looks like. Google Maps now has street view for various cities.

butt crack

this is all over the web but its sort of fun. google the following types of topics: specifically use google-suggest http://www.google.com/webhp?complete=1&hl=en and put in URLS you know of (example take a appliance you have and put in the /admin/blah.html and see if google will suggest it up.)

I stole the following list from another blog. But it will give you the idea of how suggest can be used to find things that people might have put online by accident.

• Axis Webcams: inurl:/view.shtml or inurl:view/index.shtml
• Cannon Webcams: sample/LvAppl/
• MOBOTIX Webcams: control/userimage.html
• FlexWatch Webcams: /app/idxas.html
• JVC Webcams: intitle: intitle:”V.Networks [Motion Picture(Java)]”

inurl:/view.shtml
intitle:”Live View / - AXIS” | inurl:view/view.shtml^
inurl:ViewerFrame?Mode=
inurl:ViewerFrame?Mode=Refresh
inurl:axis-cgi/jpg
inurl:axis-cgi/mjpg (motion-JPEG)
inurl:view/indexFrame.shtml
inurl:view/index.shtml
inurl:view/view.shtml
liveapplet
intitle:”live view” intitle:axis
intitle:liveapplet
allintitle:”Network Camera NetworkCamera”
intitle:axis intitle:”video server”
intitle:liveapplet inurl:LvAppl
intitle:”EvoCam” inurl:”webcam.html”
intitle:”Live NetSnap Cam-Server feed”
intitle:”Live View / - AXIS”
intitle:”Live View / - AXIS 206M”
intitle:”Live View / - AXIS 206W”
intitle:”Live View / - AXIS 210&Prime
inurl:indexFrame.shtml Axis
inurl:”MultiCameraFrame?Mode=Motion”
intitle:start inurl:cgistart
intitle:”WJ-NT104 Main Page”
intext:”MOBOTIX M1&Prime intext:”Open Menu”
intext:”MOBOTIX M10&Prime intext:”Open Menu”
intext:”MOBOTIX D10&Prime intext:”Open Menu”
intitle:snc-z20 inurl:home/
intitle:snc-cs3 inurl:home/
intitle:snc-rz30 inurl:home/
intitle:”sony network camera snc-p1&Prime
intitle:”sony network camera snc-m1&Prime
site:.viewnetcam.com -www.viewnetcam.com
intitle:”Toshiba Network Camera” user login
intitle:”netcam live image”
intitle:”i-Catcher Console - Web Monitor”

If your smart like me you realize what this image shows. If you log into google calendar you will have this new search feature, you will also notice what I searched for, you can be creative with the terms you use (I used passcode like conference call passcode) you now have a hacking trick or simply a great prank phone call method. – Idea spawn pauldotcom security podcast.

Social engineering at the best, also prevent this by NOT MARKING PUBLIC CALANDAR or just dont put secure information in google.

the internet speed test stite really got a overhaul. Its amazing

http://www.speedtest.net

I have about 30 Pod-Cast streams and I listen to about 2–4 a day regularly, I have evaluated a TON of them and my requirements are simple. They cant be dumb, Aim not a huge fan of TechTV because they tell you stupid things that i don't care about. So i try to not have casts that are like that. The other requirement is they are not slow. I don't want to hear a professor. Last i want updates in 3+ a month. Why? because security isn't a 1 month update. So here kicks off my list of security related Pod-Casts. the items in bold i feel are “essential” to your collection if your security minded. All of the podcasts can be found via Itunes search.

Blue Box VoIP – ok security related to Voip more focused on vonage and consumer then enterprise.

CNN video Daily – security includes the news so good to get a light dusting.

Crave Video – an OK review of hardware (non security)

Hack A Day – i jsut respect this site (non security)

InDigital – great video podcast about hardware (non security)

InfoWorld – good enterprise news source

MakeVideo – (non security) MakeBlog

Pauldotcom Security Weekly – great new age security cast

Security Now! – ok news for security the one host is lame.

Security Wire Weekly – good weekly news

This Week in Tech – mostly the people i dont like from other podcasts

Windows Weekly – ok news for windows.

new twist on the old amihotornot its version 2.0 and cooler.

http://www.wholikesu.net

This is a new internet browser, its VERY small VERY fast and has no ability to save settings, cookies, or cache. Way cool.

One problem they default all search to “browzar” search if your dev team searches blogs – add the ability to google please.

Edit:

I pulled the link because tere is too much proof that the browzar is in fact not that cool

this is a cool site, who knows if its free for good but the idea and streaming music is rad

music genome project

this is cool

http://dev.allredtech.com/fakename/

this web junk is worth blogging

http://www.zippyvideos.com/1178455231788206/rat

google is working on new search math to get rid of some of the cheats people use to up rankings. The cool thing is that you can test the new engine. cooler is my site is still at the top for the keywords i want people to find me with!

News

IP for testing

pair of IP addresses (66.249.93.104 and 64.233.179.104, for those who want a look)

Go seahawks

Do you Run Zone Alarm 6.0? add this to your hosts file ‘127.0.0.1 zonelabs.com’

cool google video

where are you?

mythtv .19 out soon!!

802.11n 600mb wi-Fi

bullshit that is the DOJ suing google they can suck it. people will always be sick and suing google because they wont play nice what a crock

my usual i hate the RIAA post

in the recent blog world at work it has become a trick to have the site ranking on google. what with Jon’s recent posting on ballcocks making him get hits for such a topic on google. You can always cheat and link up to larger blogs with a trackback to a site like zach braffs blog where you can go check out the new $imdb(chicken little) trailer, or hear him chat about some new movie he is working on.  its not listed in the google how to. but in my log’s appears to make a huge difference to site hits.

The google patent on how they site rank was posted and a clif notes of the article is posted here basically from corbis to st.ankybeer.com you should read this site if your a web admin.

so after my last post i wanted to read the Snicket books. went snooping around and found no downloadable copy. rats. but i found a cool page called Audible its basically a online audio bookstore, i chose to actually buy this because they offer a 14.99 a month subscription that comes with a mp3 player now i didnt need the mp3 player but oh well. however it was 12$ for shipping so that in hindsight would have been better spent elsewhere. you get one book and some daily news and magazines and such with that subscription. they have a nice looking selection and the new harrypotter book due out soon just as easy to get it for 14bucks as steal it. so…

now for the bad. if i didnt want to actually listen to this book i would unsuscribe right now and can this dumb web site. let me see what do i hate about them. is it the proprietary DRM software that not only takes up 100%