PHIN 2.0 Requirements


There are updated guides for anyone who does security compliance assessments or works with the Public Health Information Network (PHIN). These were updated in June 2007. There are many changes from the previous 1.0 version of the guides. For the new requirements guide, see below.

PHIN Requirements 2.0

Extreme Social Engineering Paper


The PhishMe blog post on building employee awareness of social engineering tactics was inspiring, so I finally decided to put up a paper on this site on similar subject matter.

Extreme Social Engineering

Combating the Insider Security Threat – A Security Awareness Exercise

This paper has been developed to address the human factor of security and the apparent weaknesses within organizations due to employees’ lack of security awareness. The purpose is to provide organizations with a simple solution for increasing security awareness and combating other malicious insider security threats through a series of social engineering exercises. The document is available by clicking the name above or by accessing the “Papers” section of the site.

PhishMe Blog Entry:

http://blog.phishme.com/2007/09/time-to-phish-your-customers/

Data Leak! What Not to Do!


The other day I performed an external penetration test and obtained access using a default password (which is common) that had not been changed. Afterwards I began looking up statistics on passwords, and here is one of the links that was listed in a regular Google search.

http://staff.washington.edu/krl/stats/pwc/

Amazing that someone would, to this day, post such information on a public website. Nice to know if this were my next external penetration target. Wait, it gets better! Looking at the URL, it was obvious there had to be more, so instead of going to the /pwc directory I modified the URL to go back one level, which led me to these:

http://staff.washington.edu/krl/stats/

http://depts.washington.edu/ast/projects.old/

http://depts.washington.edu/ast/projects.old/pwedit.html

Thanks Ken for showing us all a perfect example of “What NOT to Do”! I especially enjoy the mention of the following:

  • Home directories /rc, /cg, /mailer

  • The mail server statistics that show me what appear to be system names and the number of entries in the /etc/passwd file.

  • The large directory listing with a plethora of information

  • The nice picture of your license

  • A password hash U:4001     A:2B314469   N:noyd       P:MWlJQdaJvoxaE    G:15       C:6

Ken

So why did I post this?

Two reasons. One, I have a blog. Two, because sometimes the best lesson you can learn is by seeing the mistakes of others. Of course I plan to send an email to Ken and show him this blog entry. If there is any follow-up to the story I will post another message.
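One defender-side takeaway from the list above is that the leak lived in the files themselves, not only in the directory listing that made them easy to find. As an added example (not from the original post and not code from the site in question), here is a small Python pre-publication scanner that walks a directory tree bound for a public web root and flags records carrying password hashes: a "P:<hash>" field of the kind quoted in the bullet above, a classic passwd-style line with the hash in the second field, and modular-crypt strings ($1$, $5$, $6$, $2a$ and friends). The 13-character format is assumed to be a traditional crypt(3) hash; the sample tree, file names and hash values are constructed for the example.

```python
"""Pre-publication scan of files bound for a public web root, flagging
records that carry password hashes. Added example; the file tree, names and
hash values below are constructed, not taken from any real site."""
import re
import tempfile
from pathlib import Path

# Assumption: a 13-character string over the alphabet ./0-9A-Za-z is a
# traditional crypt(3) DES hash, the format of the "P:" field quoted in the post.
CRYPT13 = r"[./0-9A-Za-z]{13}"
NOT_HASH_CHAR = r"(?![./0-9A-Za-z])"  # the hash must not be part of a longer token

PATTERNS = {
    # "P:<hash>" field inside a space-separated record (U:... N:... P:... G:...)
    "field_crypt_hash": re.compile(r"\bP:(" + CRYPT13 + r")" + NOT_HASH_CHAR),
    # classic passwd-style line with the hash in the second field: user:hash:uid:gid:...
    "passwd_line_hash": re.compile(
        r"^[A-Za-z_][A-Za-z0-9_-]*:(" + CRYPT13 + r"):\d+:\d+:", re.MULTILINE
    ),
    # modular crypt format ($1$ md5, $5$/$6$ sha, $2a$/$2b$/$2y$ bcrypt); never publishable either
    "modular_crypt_hash": re.compile(r"(\$(?:1|5|6|2[aby]?)\$[^\s:]{8,})"),
}


def scan_text(text):
    """Return a list of (pattern name, hash) for every hash-like record in text."""
    findings = []
    for name, rx in PATTERNS.items():
        for m in rx.finditer(text):
            findings.append((name, m.group(1)))
    return findings


def scan_tree(root):
    """Walk root and return {relative posix path: findings} for files that would leak hashes.
    Files are decoded with replacement characters, so binary content cannot raise."""
    root = Path(root)
    report = {}
    for path in sorted(root.rglob("*")):
        if not path.is_file():
            continue
        hits = scan_text(path.read_text(errors="replace"))
        if hits:
            report[path.relative_to(root).as_posix()] = hits
    return report


def build_sample_tree(root):
    """Create a constructed tree resembling a personal web directory; all values are made up."""
    root = Path(root)
    (root / "stats" / "pwc").mkdir(parents=True)
    (root / "projects.old").mkdir()
    # Harmless aggregate statistics: no hashes, must not be flagged.
    (root / "stats" / "pwc" / "index.html").write_text(
        "<h1>Password length stats</h1><p>mean length 7.4, 1234567890123 samples</p>\n"
    )
    # Per-user record with a P: hash field, the kind of thing that must never be published.
    (root / "projects.old" / "pwedit.html").write_text(
        "<pre>U:4001     A:00000000   N:user1      P:abCDefGHijKL1    G:15       C:6</pre>\n"
    )
    # A copied passwd file with a hash in the second field (constructed).
    (root / "stats" / "etc_passwd_copy.txt").write_text(
        "alice:xyAB12cdEF34g:1001:1001:Alice:/home/alice:/bin/sh\n"
        "daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin\n"
    )


def demo():
    """Build the constructed tree in a temp dir, scan it and return the report."""
    with tempfile.TemporaryDirectory() as tmp:
        build_sample_tree(tmp)
        return scan_tree(tmp)


if __name__ == "__main__":
    for rel_path, hits in demo().items():
        for name, digest in hits:
            print(f"{rel_path}: {name} -> {digest}")
```

Run it as a pre-commit or pre-publish step over the staging copy of a web root; anything it reports should be removed or redacted before the directory is exposed, because once a hash is served it can be fetched and attacked offline regardless of whether directory indexing is on.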