Tuesday, September 30, 2008

National Cyber Security Awareness Month - Top Ten Ways to Stay Safe Online

The Internet is supposed to make our lives better, and for most of us, that's exactly what it does. But the Internet has a dark side, and unless we take the proper precautions, this wonderful tool can end up causing us more harm than good.

October is National Cyber Security Awareness Month, and it's a good time to take a hard look at how our online behaviors may be putting us in harm's way.
You don't have to be a computer genius to protect yourself online and you don't have to spend a lot of money. By following a few common sense tips, you can make the most out of your Internet experience, while protecting you and your family from online threats.

1) Protect your computer: The best thing you can do to keep the bad guys out of your computer is to use three inexpensive technologies: anti-virus software, anti-spyware software and a firewall. Some security companies provide all three in one easy-to-use package.

2) Protect your identity: On the Internet, your personal data (social security number, birth date, etc.) is extremely valuable and can be used against you. Keep it protected.

3) Protect your children: Children face unique risks on the Internet, and require unique rules and safeguards. Monitor your kids' online activities closely. There are many tools available to help you protect them from online threats.

4) Stay up to date: Those security tools won't do any good unless you keep them up-to-date. You should be able to set them to update automatically. The same goes for your computer itself. It should be set to automatically install security updates.

5) Email safely: Email is a favorite tool of online crooks. Even legitimate-looking messages can be scams. Learn how to filter for "spam" and spot the signs of scam emails.

Sunday, September 28, 2008

Book Review: Build Your Own Security Lab

The Good

I have had this book on my bookshelf for a few months and recently, due to some textbook changes in my Windows Security class, I decided to read it. The book covers the usual ground you would expect: network hardware, virtual machines, and various OS and network software.

The first chapter talks about buying used Cisco gear to get IOS experience. Some information is given about VMware, for installing operating systems to use and for virtual networking.

After the first two chapters the author jumps into the various activities you can perform in the security lab. Each chapter includes notes with a little additional information about the topics it discusses. At the end of each chapter is a list of "Exercises."

The Bad

I could tell in the first chapter that this book has been sitting on the shelf of the publisher for a while. I could also tell that the author had a hard time filling the 400+ pages in the book. When I got to chapter 2 "Building a Software Test Platform" and it mentioned ReactOS, Knoppix-STD, and Virtual PC, I knew things were going to get bad. The author goes into detail about installing and running ReactOS.

Security News Links

Thursday, September 25, 2008

HowTo: Hack your DBT-120 to run in RAW mode.

Dre from TS/SCI Security wrote a post yesterday "Fun with WiFu and Bluesniffing." In his post he mentioned the lack of clarity on "how to" hack USB Bluetooth dongles due to the number of posts about problems. I posted in the comments that I have a D-Link DBT-120 Wireless Bluetooth 2.0 USB Adapter and hacked it to work in RAW mode. He asked if I could share how I did the hack on my Bluetooth dongle and provide the details. Here are the steps that I used to get my DBT-120 to run in RAW mode using the directions provided by Dr. Gr33n.

DISCLAIMER:
This post is provided for educational and testing purposes only. I am not responsible for any damaged BT adapters. I had issues trying to do this in BackTrack 3 VMware, so I used the USB version for this How-To.

REQUIREMENTS:
bt3final_usb.iso SHA1: 3aceedea0e8e70fff2e7f7a7f3039704014e980f
D-Link DBT-120 Wireless Bluetooth 2.0 USB Adapter (I have a DBT-120 Rev. C1)

UPDATES: I have been told that this procedure, using the 5x version of the software, bricks the dongle. Tom Bicer found a dongle recovery procedure on the Evil Genius blog. I have read that using the 5x software is a known problem, so only follow this procedure if you have the 4x firmware.

DIRECTIONS:
Boot your BackTrack 3 environment and, after it's up and running, connect your DBT-120. Follow the steps shown below.

CONSOLE:
bt ~ # hciconfig hci0 up
bt ~ # hciconfig hci0
hci0: Type: USB
BD Address: 00:17:9A:2B:45:2C ACL MTU: 0:0 SCO MTU: 0:0
UP RUNNING
RX bytes:217 acl:0 sco:0 events:0 errors:0
TX bytes:169 acl:0 sco:0 commands:12 errors:0

bt ~ # hciconfig hci0 down
bt ~ # dfutool -d hci0 archive dbt-120_backup.dfu
bt ~ # dir
Desktop/ airsnifferdev46bc4.dfu
dbt-120_backup.dfu

bt ~ # hciconfig hci0 up
bt ~ # bccmd psget -s 0x0000 0x02be
USB vendor identifier: 0x0a12 (2578)
bt ~ # bccmd psset -s 0x0000 0x02be 0x0a12
bt ~ # bccmd psget -s 0x0000 0x02be
USB vendor identifier: 0x0a12 (2578)
bt ~ # bccmd psget -s 0x0000 0x02bf
USB product identifier: 0x0001 (1)
bt ~ # bccmd psset -s 0x0000 0x02bf 0x0002
bt ~ # bccmd psget -s 0x0000 0x02bf
USB product identifier: 0x0002 (2)
bt ~ # hciconfig hci0 down
bt ~ # dfutool upgrade airsnifferdev46bc4.dfu
bt ~ # hciconfig hci0 up
bt ~ # hciconfig hci0
hci0: Type: USB
BD Address: 00:17:9A:2B:45:2C ACL MTU: 0:0 SCO MTU: 0:0
UP RUNNING RAW
RX bytes:217 acl:0 sco:0 events:0 errors:0
TX bytes:169 acl:0 sco:0 commands:12 errors:0

bt ~ #


CREDITS:

  • Andre Gironda (Dre) from TS/SCI Security. I would never have posted this if he hadn't asked for clarification and proof that it was possible.

  • Dr Gr33ns from Drgr33ns Blogs, Tutorials and Info. He posted directions and a video showing how to do this. I copied 99.999% of his work. I did this to show proof that his directions do work in my situation using my DBT-120.

  • I would also like to thank all the bluetooth hackers that make this possible.

Wednesday, September 24, 2008

Bluetooth Headset Vulnerabilities Reminder...

As I find another one of my hands-free bluetooth headsets in the washing machine again (yes, again, I think this is #11 or #12), I wanted to remind everyone about the risks associated with using bluetooth devices.

With the new laws here in California that require drivers to use hands-free devices while driving, I'm starting to see more and more people using bluetooth. I see them on the road, in restaurants, at work (sometimes connected to work phones) and I wonder if the "wireless" freedom is worth the risk that comes with bluetooth.

Most of you know that bluetooth hacking isn't anything new. We all remember reading about celebrities' cell phones getting hacked and having all the contacts and SMS messages stolen. What I don't think we all remember is that we are all at risk too. With smartphones and PDAs becoming cheaper, everyone is getting one. I see everyone from teenagers to soccer moms with BlackBerrys. I see students and business professionals with iPhones. Now you don't need a smartphone to have all your contacts and SMS data stolen. Any cell phone with bluetooth enabled is open to attack. What a smartphone adds is access to more sensitive and private data. All that useful information you keep on your smartphone or PDA? Well, if you have bluetooth enabled it might be open to attack.

So as I sit here wondering if I am going to go and get another bluetooth headset, I'm thinking about what I use it for and what the pros and cons will be if I switch to a wired headset. Oh, and if you think that the only risk is someone stealing SMS messages from your spouse or your mom's phone number, watch this clip. That cool bluetooth headset is also a bug that can broadcast everything you say and hear, even when you're not on a call. All I have to say is forget Big Brother; worry about that innocent-looking guy with the backpack and PDA.

http://www.youtube.com/watch?v=1c-jzYAH2gw

I would like to know how many of you enable bluetooth and whether you're worried about privacy or data theft. Please post your thoughts and ideas in the comments.

Saturday, September 20, 2008

Security News Links for 9/14

Thursday, September 18, 2008

10 things Gov. Sarah Palin has taught us about E-mail?


  • When creating a free email account it's OK to lie. Never give your real information to anyone asking for it online unless it's required.

  • Use a strong password. Find out how long you can make your password, what characters are valid, and use something like KeePass Password Safe to manage your passwords.

  • After you create the email account and create a strong password, save the false information you entered in your password manager. That way if you change your password, but don't save it in your safe, you have the false information you need to reset the password.

  • Never use your email account for anything other than public communication. Don't forget that once you hit send, you have no control over what others do with your email.

  • Never leave email on the server. Either download it to a computer or delete it. Why would an attacker go after your computer when they can attack your email? Ever do a search in your mailbox for keywords like "password", "login", or other sensitive information? You will be shocked at what you might find.

Saturday, September 13, 2008

Security News Links for 9/7

Here are this week's Security News Links for the week of 9/7.

A lot of good information was released this week. Since the point of my Security News Links is to be brief I left a lot out. I would like to know what you think about my Security News Links series and if you have any feedback on any of the news links posted.

What security programs would be on your dream Live-CD?

I was going to write a post about Samurai Web Testing Framework but someone already beat me to it. It's a good post so I wanted to pass along the link. I really hate seeing the same topic covered the same way over and over again.

Instead I am going to talk a little about the idea of making your own Security Live-CD. Samurai WTF was the first Live-CD I have used that was built on Ubuntu. I have been using Ubuntu since 5.04 and was really happy to see a familiar GUI. I noticed that all Samurai WTF essentially is, is Ubuntu with a bunch of cool web pen-testing programs preloaded, Firefox preloaded with some cool web pen-testing add-ons, and the best themed Live-CD bar none.

This got me thinking about an article I read earlier this week at Linux.com about a program called Ubuntu Customization Kit (UCK). With UCK you can take an existing install of Ubuntu, Kubuntu, Edubuntu or Xubuntu and create your own pre-configured Ubuntu Live-CD. Just like Samurai WTF and even BackTrack (except BT uses Slax).

Saturday, September 6, 2008

New Addition: Security News Links for the week of 8/31

I read a lot of security news feeds during the week. So I thought it would be a nice addition to post a link list of the posts I found interesting from the previous week. My goal will be to collect a brief list of links and have them posted every Sunday morning. I want it to be something you can read through quickly while having your morning coffee. Please post a comment and let me know what you think about this new addition and the links posted.

Book Review: Secure Your Network for Free (Syngress)

Last week I was visiting the local library with my family and decided to check out the computer books section. I wasn't surprised when I only found about 30 books, most of which were out of date. I would like to pretend all the good recent books were out on loan, but I wasn't sure. I was able to find a book that piqued my interest.

The book is Secure Your Network for Free by Eric Seagren. As you can probably tell from the title, the book discusses network security using free, and in most cases open source, programs. The cover grabs your attention by listing Nmap, Wireshark, Snort, Nessus, and MRTG.


Thursday, September 4, 2008

Wipe and destroy your old storage...

Earlier this week I read a story on a hard drive bought on eBay for $65 that contained bank account information. I know this is a security topic that has been run into the ground about as much as the importance of strong passwords. But it seems some people and IT professionals don't get the hint. I have seen stories like this since early 2000, people buying old hard drives, for the sole purpose of recovering sensitive and private information.

If you have anything that can be used for storage you need to wipe it clean and then DESTROY IT! The last thing you want to do with any storage device is to try and sell it or give it away. I know some businesses lease equipment, so you can't destroy it, but you had better wipe it and then wipe it again before sending it back.

This counts for iPods, digital camera flash cards, MP3 players, hard drives, thumb drives, whatever else you might use for storage. The reason I say wipe it all is because people seem to have a hard time remembering whether or not they did or didn't have sensitive or private information stored on various devices.

My personal practice is to treat everything as if it has Top Secret information on it. I wipe whatever the media is a few times, usually to DoD or NSA standards, then go to my garage to play with some hammers and power tools.

If you don't know what you have stored on that old hard drive or thumb drive over the years, do yourself a favor and wipe it then destroy it. Same for CD-R and DVD-R media which in my case gets shredded.

I would like to know what your process is for discarding old storage media. Please post your experience and tips in the comments.

reDuh - TCP Redirection over HTTP

Have you ever wondered why free web hosts don't give you ASP/JSP/PHP access? Here is one really good reason. SensePost's reDuh is a dynamic web page that, once uploaded to a web server, can be used to bypass a firewall: you connect to the web page, and it builds a TCP circuit to reach the nodes inside the network.

Think web site defacements are bad for your company's image? Imagine someone using something like this to get full access into your company's network. I'm going to test this when I have the time, but I thought that if some of you hadn't read about this presentation at BlackHat I would share it with you.

Make sure your web servers are hardened and that your firewall is properly patched and configured to monitor both ingress and egress between the world, your web server, and your company intranet. Remember defense-in-depth is a process not a bullet proof plan. Also make sure your other intranet systems are patched and monitored.
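Since the advice is to monitor what passes between the world, the web server and the intranet, here is an added example (my code for this post, not SensePost's and not reDuh itself) of one heuristic a defender can run over a web server access log: flag a single client that sends a burst of requests to one dynamic page, which is how a TCP-over-HTTP tunnel looks from the server side but not how a browser uses a page. The log lines, the client addresses, the path /uploads/tunnel.jsp and the thresholds are all constructed for the example; the burst pattern is an assumption about tunnel traffic, not a signature taken from the tool.

```python
# Heuristic for spotting reDuh-style TCP-over-HTTP tunnels in web server access logs.
# Added example, not SensePost's code. Assumption: a tunnel shows up as one client
# hammering a single dynamic page (.jsp/.php/.asp) with many requests in a short window.
import re
from collections import defaultdict
from datetime import datetime

# Apache/nginx "combined"-style line: ip ident user [ts] "METHOD path proto" status size
LOG_RE = re.compile(
    r'(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) (?P<size>\d+|-)'
)
DYNAMIC_EXT = (".jsp", ".php", ".asp", ".aspx")


def parse_line(line):
    """Return (ip, timestamp, method, path-without-query) or None for unparseable lines."""
    m = LOG_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S %z")
    return m["ip"], ts, m["method"], m["path"].split("?", 1)[0]


def find_tunnel_candidates(lines, min_requests=20, max_window_s=60):
    """Map (ip, path) -> total hits for every client/page pair that sent at least
    min_requests requests to one dynamic page within max_window_s seconds."""
    hits = defaultdict(list)
    for line in lines:
        rec = parse_line(line)
        if rec and rec[3].lower().endswith(DYNAMIC_EXT):
            hits[(rec[0], rec[3])].append(rec[1])
    flagged = {}
    for key, stamps in hits.items():
        stamps.sort()
        # sliding window over sorted timestamps: any burst of min_requests requests
        for i in range(len(stamps) - min_requests + 1):
            if (stamps[i + min_requests - 1] - stamps[i]).total_seconds() <= max_window_s:
                flagged[key] = len(stamps)
                break
    return flagged


def constructed_log():
    """Constructed sample: 30 POSTs to one JSP in 10 s from one client (3 per second),
    plus ordinary one-request-a-minute browsing of index.php from another client."""
    lines = [f'203.0.113.5 - - [04/Sep/2008:14:03:{i // 3:02d} -0700] '
             f'"POST /uploads/tunnel.jsp HTTP/1.1" 200 {40 + i}' for i in range(30)]
    lines += [f'198.51.100.7 - - [04/Sep/2008:14:{m:02d}:11 -0700] '
              f'"GET /index.php?page={m} HTTP/1.1" 200 5120' for m in range(5)]
    lines.append('198.51.100.7 - - [04/Sep/2008:14:05:12 -0700] "GET /logo.png HTTP/1.1" 200 900')
    return lines
```

Run `find_tunnel_candidates(constructed_log())` and only the 203.0.113.5 burst against /uploads/tunnel.jsp comes back; tune min_requests and max_window_s to your own site's normal request rate before trusting it on real logs.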

I'll post more when I have more time with reDuh. If you have already tested this tool I would like to know what you think in the comments.

Wednesday, September 3, 2008

OpenVAS (Open Source Vulnerability Scanner)

This mod I'm teaching the last class, a capstone if you will, in the Network Security series. We had a discussion a few weeks earlier about vulnerability scanners, and Nessus was one of my examples. I had a few students and faculty inquire about whether Nessus would be a worthwhile purchase. I said that it depends on a lot of factors and I wouldn't be able to make that decision for them. But if they wanted to try a Nessus-like program for free, they should check out OpenVAS.

I had only learned about OpenVAS a few weeks ago when I was doing research on current trends for my lecture. From the About page it's a fork of Nessus before it went closed-source. I imagine it's like Nessus in the way CentOS is to RedHat.

It's on my long list of programs to try, but I would suggest anyone with a lab setup give it a shot. I don't know the quality of the program, but I know from experience that sometimes open-source forks can be as good as or better than the original product.

If you are using OpenVAS or have tried it, I would really like to get your feedback on it. It seems fairly new, so I wasn't able to find much about it. Please post in the comments if you know Nessus and OpenVAS well enough to give a comparison.

Tuesday, September 2, 2008

Can you say knee jerk reaction?

I know since the DNS vulnerability that was announced a while back a lot of people have been making plans to move to DNSSEC. Well now the government has set a mandate to move all the .GOV domains to DNSSEC.

I am all for DNSSEC because at this time it is the best working model to reduce the risks that threaten traditional DNS. My concern is how this "mandate" is going to be implemented. DNSSEC is not a simple task to deploy. I can't imagine that anyone is claiming this won't be a major undertaking. You have the RRSIG, DNSKEY, DS, and NSEC records, which are all new records that need to be created and validated, in addition to controlling the private key used for signing.

InfoSecEvents has more about the top level .GOV domains moving to DNSSEC here. I would like to know if your company is considering going to DNSSEC so please post in the comments your views.

I really think DNSSEC is a good logical next step, but I worry about this being more of a "knee jerk reaction" rather than a well laid plan. I would like to know what your thoughts are on DNSSEC. Please post in the comments.

Google Chrome

I downloaded Google Chrome earlier today and so far I really like it. The only real use for it I would have at this time would be as a wrapper for my Google services like Gmail and Analytics. For those that want to know about the security side, check out this post from RioSec on "Google Chrome Security First Look." It's too early to say, but I think based on first impressions Chrome looks like a step in the right direction for security. This is Google's first BETA release, so I would still consider it ALPHA until a few updates are released. I guess it's nice they planned ahead for that. It seems every time you launch Chrome it checks for updates. We will also need to wait and see how third-party plugins are added in the future. This will also have a significant impact on the security of the Chrome browser. I posted yesterday about the threat of third-party plugins after the IBM ISS X-Force mid-year report, which you can read about here.

If you're one of the brave few who also jumps in early, let me know about your experience with Google Chrome in the comments.