September 19, 2007
Data Leak! What Not to Do!
The other day I performed an external penetration test and obtained access using a default password (which is common) that was not changed. Afterwards I began looking up statistics on passwords and here is one of the links that was listed on a regular Google search.
http://staff.washington.edu/krl/stats/pwc/
Amazing that someone would to this day post such information out on a public website. Nice to know if this was my next external penetration target. Wait, it gets better! Looking at the URL, it was obvious there had to be more, so instead of going to the /pwc directory I modified the URL to go back one, which led me to these:
http://staff.washington.edu/krl/stats/
http://depts.washington.edu/ast/projects.old/
http://depts.washington.edu/ast/projects.old/pwedit.html
Thanks Ken for showing us all a perfect example of “What NOT to Do”! I especially enjoy the mention of the following:
- Home directories /rc, /cg, /mailer
- The mail server statistics that show me what appear to be system names and the number of entries in the etc/passwd file.
- The large directory listing with a plethora of information
- The nice picture of your license
- A password hash U:4001 A:2B314469 N:noyd P:MWlJQdaJvoxaE G:15 C:6
Ken
So why did I post this?
Two reasons. One, I have a blog. Two, because sometimes the best lesson you can learn is by seeing the mistakes of others. Of course I plan to send an email to Ken and show him this blog entry. If there is any follow-up to the story I will post another message.
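As an added example (not part of the original post), here is a pre-publication check that walks a web document root and flags files containing passwd-style lines or a `P:` field holding a 13-character string in the traditional crypt(3) alphabet, the kind of record quoted in the list above. The patterns, function names and sample files are assumptions constructed for illustration.

```python
import os
import re
import tempfile

# Assumption: traditional crypt(3) DES hashes are 13 chars from this alphabet.
CRYPT_DES = r"[./0-9A-Za-z]{13}"
PATTERNS = {
    # name:hash:uid:gid:... as in a pre-shadow passwd file (DES or $id$ style hash)
    "passwd-line": re.compile(rf"^[a-z_][\w.-]*:(?:{CRYPT_DES}|\$\w+\$[^:]+):\d+:\d+:"),
    # "P:<hash>" field, modelled on the record layout quoted in the post
    "P-field-hash": re.compile(rf"(?:^|\s)P:{CRYPT_DES}(?:\s|$)"),
}

def scan_web_root(root):
    """Return sorted (relative_path, line_no, pattern_name) findings under root."""
    findings = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            rel = os.path.relpath(path, root).replace(os.sep, "/")
            try:
                with open(path, "r", errors="replace") as fh:
                    for no, line in enumerate(fh, 1):
                        for label, rx in PATTERNS.items():
                            if rx.search(line):
                                findings.append((rel, no, label))
            except OSError:
                continue  # unreadable file: skip it, keep scanning the rest
    return sorted(findings)

def demo():
    """Build a constructed web root (all values are made up) and scan it."""
    files = {
        "index.html": "<h1>Department stats</h1>\n",
        "stats/pwc/report.txt": "hosts: 12\nU:1000 A:0 N:demo P:abcdefghijk./ G:10 C:1\n",
        "stats/passwd.bak": "demo:abcdefghijk./:1000:10:Demo User:/home/demo:/bin/sh\n",
    }
    with tempfile.TemporaryDirectory() as root:
        os.makedirs(os.path.join(root, "stats", "pwc"))
        for rel, body in files.items():
            with open(os.path.join(root, rel), "w") as fh:
                fh.write(body)
        return scan_web_root(root)

if __name__ == "__main__":
    for rel, no, label in demo():
        print(f"{rel}:{no}: {label}")
```

Run `scan_web_root()` against the directory your web server actually serves before content goes live; any finding is a file that should not be reachable from the internet.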
March 6, 2007
Enemy 1 & 2: Passwords and Patches
I could not help reading the Security 2.0 posts by Mark Curphey and I especially liked the Business Activity Monitoring discussion. However, I see 2 major enemies that cause us pain every day and put organizations at great risk. In my mind neither of these has been addressed properly.
Enemy #1: Many internal penetration tests obtain the admin or root access by guessing passwords.
Enemy #2: What do I say? Unpatched systems are an initial point of entry for many attacks both internally and externally. Tools like Metasploit make it even easier.
Of course I’m not throwing out statistics, but I see firsthand the results weekly. One can only hope that the Security 2.0 solution addresses the problems with passwords and patches.