blog. KellyKeeton.com

Security for Soccer Moms

Kelly Keeton — Wed, 19 Nov 2008 22:59:59 GMT

I want to create a new presentation called Security for Soccer Moms. I was talking to someone at work who went to a PTA event and there was a “CISSP” there who knew a lot about security and children (uhh…) So I wanted to jot this idea down, so someone can steal it or I can just have some free hits for keywords of people looking for porn.

There are a LOT of resources on this topic and I will choose to look at the free ones. Sure there are the net-nanny products that stop you from looking at porn on the internet but they are all easy to stop when your kid gets smart, and lets face it who likes to pay for something that takes up memory on likely your home vista computer to make it run even worse.

So I present My list, I will add to it over time. I make this list in dedication to all the crazy people who have kids from high school allready… yikes.

The # 1 rule I have, untill you trust your kid -never allow a computer in a private area. (that has internet) I wouldnt reccomend it anyway keep your kids in view untill they are old and you trust them. or kick them out.

PREVENT SOCIAL ENGINERING

This is the most effective tool to keep your children safe from scarry assholes

Talk to your children about NOT using real facts of life, avoid putting what your dad really works for,

dont take a picture of your house address or link to it on google maps.
Dont publish your birth year, use a fake year.
Dont publish your own work history or keep it vague or mess up addresses for locations (I work at boeing in spokane)
Dont publish your last name, or put a inital only (harder to stop kids dooin this)
If you have rules about phones, publish only cell numbers that cant be traced by normals and watch your kids bills for strange 212 numbers.
Dont publish details on your school where possible
set up a email for your kids to use “on social networks” only (and monitor it)
Dont give dates when you will leave for vacation talk about it when you get home! (or I will just come steal your crap)

I think you get the idea – just mess things up a little change on your end causes a bad guy to keep moving to someone easy. In the end it all comes down to your parent skills, a parent that says “I dont want to look at my kids site to see what they are up to” haha then why are you reading this?? There is no privacy of a 7 year old on the internet, I dont care about your hippy views. Talk to your children why you monitor the activity and when they get older put a level of trust in them and dont monitor. If they screw up then kick some ass.
Want to scare yourself? Google your Children’s Names see what data is out there on your home, family, child…
Also remember LOOK at your kids social pages look at history etc to see if they use myspace etc (this also applies to you and linkedin)

Prevent MalWare

This is just a crappy fact of life now, its very hard to stop this with out tehncical controls.

Use a “safe browser” in a virtual machine, it works great and there are pleanty of bootable browsers (just download ubuntu) and have the kid boot up ubuntu live and use the internet. then whatever they mess up you just reboot to fix. But they still can use flash etc etc etc.
Use a host file redirector, most kids wouldnt figure this out untill they get real smart and if they are that smart they are beyond you trying to control them with just software. Blocks Ads-Mal-X or Porn
Use free services like openDNs which are a bit more easy to deploy

set your firewall to use that DNS then dont allow 53 out of your network (53=DNS) and then people CANT use internet with out some more serious hacking.

most all opesource firewalls include some ability to do the same things for blocking sites, some will even replicate what netgear etc will do and put a “block list” of words into your layer7 traffic. So if you go to a site that contains the word “boobs” it will disallow the request. (see your hardware for how to do that, as this is about free things) Just learn to leverage what you likely allready have
these methods can all be used to block social network sites if wanted

Tip: remember to remove the hosts file from the recent open files list, and use notepad to edit it so that you dont leave tracks of what you did.

Time restrictions of internet use

Kids hate homework they like myspace

Most all opensource firewall will allow a time browsing option, the pfsence firewall will allow you to require a login like at starbucks and only allow you for a ammount of time in a time block. or you could charge your kids
a lot of consumer routers (things you buy at bestbuy) also have this feature use what you got!

So Remember– The security of your children is also your security. The tips here are also tips for you. The more you talk about it and let them use the tools and sites they want the less they will fight you and hide things. A opensource relationship is one where everyone learns.

And no I have no children, this is all assumptions.

This document is a work in progress right now, give feedback if you think of other major issues that you have with kids or know of with kids using the internet. I will make a new section and blather on about it.

webslayer omg bbq

Kelly Keeton — Thu, 13 Nov 2008 18:00:17 GMT

I just found a new tool on OWASP site webslayer, this tool is only w32 right now, which bites but the tool is AWESOME!

the payload generator is awesome, as well as the complex rules you can quickly define to test a site. 31337

i did something im ashamed of

Kelly Keeton — Thu, 13 Nov 2008 07:50:10 GMT

I just make a facebook account. sigh… I jsut taught a class about how bad facebook is. However to teach the class better I had to know how bad it was, not just use my “big ego” and assume.

yes its bad.

The More you Know... Antivirus infecting Memory from network Share

Kelly Keeton — Mon, 10 Nov 2008 22:37:28 GMT

By default most major antivirus manufacture (I tested with symantec) will only scan viruses when they read or write to disk.

Meaning that they will not read viruses in memory by default with real time scan.

So, if you load up a binary with a virus on a UNC or map drive in your environment that you will then be able to load code into memory and AV cant see. (because you didn't read from your disk)

Apply the idea to this, take a virus that can stop AV (sality.ae) and run it via windows UNC on a system with default install. BAM infected, and you have AV installed with new def’s.

To prevent this you need to scan network drives for viruses, obviously this causes issues with network performance. However could save you until you get rid of a parasite/trojan virus in your network (or worse) most major vendors have a check-box for this.

Get Latitude Longitude From Google Maps

Kelly Keeton — Mon, 10 Nov 2008 22:28:21 GMT

ever have the problem where you have a location on google maps but you need the lat long?

simply click on the url (typically maps.google.com in your address bar)

replace with the following to get the lat long in a popup

javascript:alert(window.gApplication.getMap().getCenter());

Election 2008

Kelly Keeton — Thu, 30 Oct 2008 03:17:19 GMT

I opened up my netflix flyer today and in the part with advertisement had a ad for CNN. The Ad read “Watch History Unfold” sheesh, those jackals will enterprise on anything. I wonder how much Ad space will cost for election day coverage, in 4 years will we have remembered the commercials of Nov4 past?

I will tell you my prediction for watch history unfolding…

My prediction, for election 2008 is that something “crazy” will happen.

Voter data scandal, the data for voters will be tampered with, stolen, lost etc etc etc
Voting means nothing, america will vote for B.O. but J.M. will become the president because of electoral vote process.
We see attacks on people voting

glass half full, but hey, prove me wrong america. I would be happy with that.

vote for me as a write in, I will make recess longer and pop cheaper

Google, The Good, The Bad, The Ugly.

Kelly Keeton — Tue, 28 Oct 2008 18:14:54 GMT

So every internet user in the world knows about google, hell I couldn't do my job without google and even go as far as to put a line item on my resume saying “proficient with google search to accomplish tasks”. Its the best home page as its simple, (unless your dave who uses yahoo). Its white like macintosh hardware so people think its cool. They have sharable calendars, documents, pictures, You Tube, etc etc etc etc etc.

But is google really all that the ibook users crack it up to be? I don't think so, I have long been afraid of google and the masses that flock to it like crows to a bigmac in the street.

lets start off with The Good, google is an amazing search engine, its clean and they have the best user interface of any search bar none. (considering the top 4 not the little fish rip off’s of google UI) google has a search bar that is handy and youtube is social marketing for the future. see any fanboy for further good, as this post isn't really about the good.

RSS reader, this is one of the tools that I think google has that is actually very handy, as my RSS isn't private information and I dont care what marketing information can be gathered from it its the best reader I have used, and its free! a cool trick I just found was to look at your stats, see here is the day of week I read blogs as well as the number of subscribers to feeds in google. Notice that Katie has 5 readers in google… cool.

The Bad gmail, seriously. why do people think its the wave of the future, I think because one reason, it was invite only at the start. exclusive club email only, awesome way to make people want it. but in the end, you have all your email up on a search engine. in subject view only. what if you want to sort or folder your email, oh you cant, you can search or tag. but the idea of the subject view has been around since outlook 97.

The ability to share information, we all know of google hacking, put this into your search… filetype:txt "enable password" but the information isnt stopping at what you have on your webserver any more, your employees synch your office applications with google to make the iPhone blah blah, and release your corporate information.

need I say More? (i just found this while looking for fun info)

I was looking at google documents, it appears that there is no easy way to search however I will research more and post up, however this is not cool. yes store your personal info on google, sounds like a great idea.

The Ugly google is comming out with new applications every day to take personal information from users, I wont even get started on the google browser, or cell phone. I will focus more on some fun things that caused me to write this blog post. might be FUD but all the same it has merit.

I dont know if you have seen googles new enhancements to picasa, just like myspace etc you can now tag people in pictures just to help out the search engines find you by text, but google didn't stop there. You can put the tag to the award winning google earth to locate where they are at. Nice. (more on that award winning app later) we also know from prior that you can search for only faces in image search by adding the &imgtyp=face to your URL

Sure thats a nice example but really, how good is it… here is a nice video on how you can play with it and whats so scarry about all this? well if you dont care to mess around with the account to test the facial software, check out the new line of Sony Cameras with “smile shutter” Im not sure if sony released v2 of this, a lot of reviews online are bad, however I just got back from best buy, where I played with a camera for about 30 min in the store it works perfect. I was scared that its so good in consumer 170$ camera.

So whats to worry? well lets just consider this math equation.

+ = the largest database of oh shit.

and one last ugly I will leave on, if you didn't think I had a point with the rest…

thats great google, keep a large database with info that I would like to have in a search engine company.

Slurp Slurp USB to gather good data

Kelly Keeton — Tue, 28 Oct 2008 17:51:11 GMT

Im sure we all know of slurping by now but I just came across this site for windows command ninja skills. with that I took the time to update my slurp tool with some hacks I just didnt think about using. As well as some uses for NET that I didnt know about.

I have attached a copy of one of the slurp scripts I run, your milage will vary but you should get a lots of Ideas from it if you know whats going down. (I also just fixed that my server wasnt serving up batch files)

File Attachment: slurp.bat (14 KB)

load dos zip game into dosbox

Kelly Keeton — Sat, 18 Oct 2008 02:46:55 GMT

So I am working on a project that required me to get creative, I have about 10gb of DOS Games but they are in ZIP format, nice for storage but not easy to deal with on a emulator front end, who wants to unzip a thousand files. So I set to work to make this script that will run a zip file game for dosbox. I read somewhere that dosbox will mount a zip file but seems like it wont work in the sdl build I have for linux, so I built this...

File Attachment: ldDOSzip.sh (2 KB)

File Attachment: ldDOSzip.bat (2 KB)

I put up a DOS batch file, its a very basic convert from the shell, most parts work I think. I didnt actually test it. You will also need to download a unzip tool for the command line this is also expected to be ran in XP or greater as I dont know how far back some of the file and path variables go in msft land. comment back if you find any issue with the dosbox batch file for windows. I will fix it up.

I did fix up the fact that by default IIS wont server up a batch file.

clickjack wtf bbq

Kelly Keeton — Sun, 12 Oct 2008 01:20:31 GMT

sigh… is this the new bump key? I havent seen a hack get run into the ground by the media since the bumpkey… seriously are we just bored in the security news world?