The WikiLeaks Security Issue – The Un-Political Side
In December 2006, WikiLeaks came online and has been publishing leaked documents on its site ever since. The most recent examples are the release of some 250,000 State Department diplomatic cables and the announced release of internal documents from a major U.S. bank, both of which are causing immense controversy in the political and information assurance communities.
The political aspect is obvious to many of us, but the information assurance side reveals a worrying situation: if the government, with all of its resources, has difficulty protecting sensitive documents, what chance do private companies have?
It is clear the government’s information security controls were not implemented well enough to prevent the access to, and bulk collection of, sensitive documents. It has been reported that Private Bradley Manning, currently in U.S. military custody for passing classified video to WikiLeaks earlier this year, had access to the SIPRNET for up to 14 hours a day. SIPRNET is a classified network used by the Department of Defense, the State Department and the Intelligence Community to handle information classified up to the SECRET level. In the clearance world, holding a Top Secret clearance does not make a person privy to all Top Secret content. The need-to-know principle states that you are given access only to the information required to do your task; access is granted per compartment or program, not per clearance level. That principle clearly was not enforced in the recent document leaks suffered by the U.S.
This brings another information assurance concern to the forefront: internal threats. It has often been stated that the greatest security threat to an organization is its own employees. Many organizations focus their resources on keeping out external attackers, while much of the information assurance industry agrees that internal security needs equal attention. Employees are already inside the system, are familiar with many of the controls, and often know how to circumvent them.
As a result of the recent leaks, the White House ordered agencies to restrict access to classified documents. Furthermore, players on both sides of the WikiLeaks dispute are now trading cyber-attacks: those opposed to WikiLeaks are conducting denial-of-service attacks against the site, and those who support it are attacking sites that have tried to hamper its operations.
The bottom line: implementing practical information security controls that do not impede business functions is a difficult task. A balance has to be struck, and the proper security controls put in place, to mitigate the risk.
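To make the need-to-know point concrete, here is an added example (not part of the original post) of a minimal mandatory access-control check: a subject may read a document only when both its clearance level dominates the document's classification and it holds every compartment marked on the document. The classification levels are real, but the compartment names, the analyst and the document catalog are all constructed for illustration.

```python
# Added example, not part of the original post: a minimal
# mandatory access-control check illustrating why a clearance level
# alone does not satisfy need-to-know. Compartment names, the analyst
# and the document catalog are constructed for illustration.
from dataclasses import dataclass, field
from typing import Dict, FrozenSet, List

# Classification levels, ordered lowest to highest.
LEVELS: Dict[str, int] = {
    "UNCLASSIFIED": 0,
    "CONFIDENTIAL": 1,
    "SECRET": 2,
    "TOP SECRET": 3,
}


@dataclass(frozen=True)
class Label:
    """A security label: a level plus the set of compartments
    (need-to-know markings) the subject holds or the object carries."""
    level: str
    compartments: FrozenSet[str] = field(default_factory=frozenset)


def dominates(subject: Label, obj: Label) -> bool:
    """Lattice 'dominates' relation: the subject's level must be at least
    the object's level AND the subject must hold every compartment on the
    object. Both conditions are required; a higher level never substitutes
    for a missing compartment."""
    return (LEVELS[subject.level] >= LEVELS[obj.level]
            and subject.compartments >= obj.compartments)


def deny_reason(subject: Label, obj: Label) -> str:
    """Return '' if the read is allowed, else a human-readable reason
    suitable for an audit log."""
    if LEVELS[subject.level] < LEVELS[obj.level]:
        return f"clearance {subject.level} below classification {obj.level}"
    missing = obj.compartments - subject.compartments
    if missing:
        return "no need-to-know for compartment(s): " + ", ".join(sorted(missing))
    return ""


def readable_documents(subject: Label, catalog: Dict[str, Label]) -> List[str]:
    """Filter a document catalog down to what the subject may read."""
    return sorted(doc for doc, label in catalog.items() if dominates(subject, label))


# Constructed catalog: document id -> label.
CATALOG: Dict[str, Label] = {
    "logistics-report": Label("SECRET", frozenset({"LOGISTICS"})),
    "diplomatic-cable": Label("SECRET", frozenset({"DIPLOMATIC"})),
    "ts-program-brief": Label("TOP SECRET", frozenset({"DIPLOMATIC", "PROGRAM-X"})),
    "unit-newsletter": Label("UNCLASSIFIED"),
}

# A Top Secret-cleared analyst (constructed) whose duties are only logistics.
ANALYST = Label("TOP SECRET", frozenset({"LOGISTICS"}))


if __name__ == "__main__":
    print("analyst may read:", readable_documents(ANALYST, CATALOG))
    print("cable denied because:", deny_reason(ANALYST, CATALOG["diplomatic-cable"]))
```

Run as-is, the Top Secret analyst is allowed the logistics report and the unclassified newsletter but is refused the Secret diplomatic cable, because the decision is made on compartments as well as level. A system that only compared clearance level against classification would have let the cable through, which is the gap the post describes.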
A Review of CEH Certified Ethical Hacker Study Guide by Kimberly Graves
The “Certified Ethical Hacker: Study Guide” by Kimberly Graves has gained considerable attention and popularity in recent years in response to the need for information security practitioners to increase their awareness of the techniques, tools and motives used by hackers. With that knowledge, the practitioner can better understand what is needed to protect corporate networks. The book has been used as more than a tool for obtaining the Certified Ethical Hacker (CEH) certification administered by EC-Council; it also serves as a knowledge source for networking concepts, computer operating systems, hacking tools and hacking concepts. Graves has aided the information security community by releasing “Certified Ethical Hacker: Study Guide.” The book is a key resource for protecting infrastructure, and according to the author, “By learning the same skills and employing the software tools used by hackers, you will be able to defend your computer networks and systems against malicious attacks.”
The table of contents lays out an orderly method for learning the subjects in the book. The book begins with introductory topics and builds to more advanced concepts and techniques in later chapters. I appreciated the detail provided in the table of contents and how it doubles as an outline for performing a penetration test; reviewing the list of topics per chapter gives a clear picture of the book’s structure and progression.
The body of the book consists of fifteen chapters, an appendix and a glossary. Each chapter ends with a chapter summary, exam essentials, review questions and the answers to the review questions. I found the review questions extremely useful for testing my knowledge of the key concepts in each chapter.
Chapters 1 through 3 offer a good introduction to the book as well as key issues and definitions used in later chapters: introduction to ethical hacking, ethics and legality (Chapter 1), gathering target information (Chapter 2) and gathering network and host information (Chapter 3). Although these chapters cover basic material, most readers, including advanced security professionals, should find them useful as a refresher. I found the figures, diagrams and screenshots in these chapters extremely effective.
Chapters 4 through 7 discuss the attacks hackers most typically perform: system hacking (Chapter 4); Trojans, backdoors, viruses and worms (Chapter 5); gathering data from networks (Chapter 6); and denial of service and session hijacking (Chapter 7). For each topic the author provides definitions, concepts, tools and techniques for using the various hacking tools, then details how to detect and protect against the attacks those same tools implement.
Chapters 8 through 11 discuss additional techniques that are less typical but still common among hackers: web hacking (Chapter 8), attacking applications (Chapter 9) and wireless network hacking (Chapter 10). The author also discusses non-technical attacks on physical site security (Chapter 11). These chapters are very detailed, and I found Chapter 11 on physical site security especially informative, given how little concern is often paid to the physical location where information security functions are performed.
The final four chapters cover advanced and evasive techniques: hacking Linux systems (Chapter 12), bypassing network security (Chapter 13), cryptography (Chapter 14) and finally performing a penetration test (Chapter 15). Many of the concepts from earlier chapters come together in Chapter 15, where Graves walks through the penetration testing steps: the pre-attack phase, the attack phase and the post-attack phase. The subjects discussed in earlier chapters set the stage for carrying out those steps successfully.
Graves’ coverage of the subjects in Certified Ethical Hacker: Study Guide goes far beyond a book to help a person obtain a certification. It is written in a manner suitable both for a novice interested in the information security field and for the seasoned practitioner looking for additional information to improve the protective and detective posture of the corporate network. This book is an important contribution to the information security community and will likely help produce knowledgeable information security practitioners in the future.
References
Graves, K. (2010). Certified Ethical Hacker: Study Guide. Indianapolis, IN: Wiley Publishing, Inc.
Microsoft Issues “Cyber Monday” Security Shopping Tips for Consumers
Monday, November 29 will be this year’s Cyber Monday, the Monday following the Friday after Thanksgiving Day, and the second busiest online shopping day of the year in the United States. Cyber Monday is also one of the busiest online shopping days in the United Kingdom, Germany, and France.
For the millions of shoppers worldwide expected to shop online this Cyber Monday, Microsoft today issued the following security tips to keep their transactions and information safe:
1. Defend your computer with updated firewall, antivirus, and antispyware software and password-protect your wireless connection at home.
2. Create strong passwords for all online accounts, particularly those used for banking or shopping. A strong password is at least eight characters long and includes letters, numbers and symbols.
3. Look for https (“s” stands for secure) in the Web address (URL) and a closed padlock beside it or in the lower right corner of your browser.
4. Never make online financial transactions on a public or shared computer.
5. Consider the reputation of the company or website from which you buy.
6. Be cautious about storing your password, address, and credit card data on websites.
7. Give only enough information to make the purchase – be wary if a merchant asks for additional information like bank account information, social security number, etc.
8. Choose a safe way to pay like a credit or charge card that offers cardholder protection, or a payment service like PayPal, which shields your credit card number from sellers.
9. Print or save a copy of your order, including the confirmation number or e-mail message, as your receipt.
Microsoft also offers a number of free brochures for consumers on safer Internet transactions:
- Six Basic Rules for Safer Internet Transactions
- Is the Online World More Dangerous Than the Real World?
- Online Shopping Safety Tips
- How To Avoid Online Donation Scams
Source: TechNet.com
Apache Tomcat HTTP Server Directory Traversal
Affected System(s)
Operating System:
AIX 5.x
Description:
A vulnerability in Apache Tomcat HTTP server may allow for directory traversal attacks.
Recommendation:
The vendor has made an update available for remediation here:
Observation:
Apache Tomcat is the servlet container for Java Servlet and JavaServer Pages (JSP) web applications.
A vulnerability in the Apache Tomcat HTTP server may allow directory traversal attacks. The vulnerability arises when Tomcat is fronted by Apache HTTP Server through proxy modules such as mod_proxy, mod_rewrite or mod_jk: Tomcat accepts the backslash (\) and its URL-encoded form (%5C) as path separators, while Apache does not, so a traversal sequence built from them passes Apache’s path checks and is then resolved by Tomcat. An attacker could craft a special URL to view directories and files on the HTTP server without authorization. Tomcat 5.5.22 and 6.0.10 reject backslash separators by default.
Common Vulnerabilities & Exposures (CVE) Link:
CVE-2007-0450
IAVA Reference Number
2008-B-0018, 2007-B-0021
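The root cause above is a canonicalization mismatch between two components, so the useful thing to see is what each side thinks the request path is. The following is an added example, not code from the advisory or from the Tomcat project: a naive front-end filter that only looks for forward-slash “../” in the raw path, beside a model of how a backend that accepts backslash separators resolves the same request, and a hardened check that canonicalizes first and refuses backslashes outright. The /myapp context path and the sample request URLs are constructed for illustration.

```python
# Added example, not from the advisory or the Tomcat project: a naive
# traversal filter that inspects the raw path the way a front-end proxy
# would, beside a hardened check that canonicalizes first and rejects
# backslash separators. The context path and sample URLs are constructed.
import posixpath
from urllib.parse import unquote


def naive_is_safe(raw_path: str) -> bool:
    """Front-end style check: rejects only forward-slash '../' sequences.
    A backslash-based sequence such as '..\\' or its encoded form '..%5C'
    is not recognised as a separator and passes."""
    return "../" not in unquote(raw_path)


def backend_resolves_to(raw_path: str) -> str:
    """How a backend that accepts '\\' and '%5C' as path separators would
    resolve the request: decode, unify separators, then collapse '..'."""
    decoded = unquote(raw_path)
    unified = decoded.replace("\\", "/")
    return posixpath.normpath("/" + unified.lstrip("/"))


def escapes_context(raw_path: str, context: str = "/myapp/") -> bool:
    """True when the backend's view of the path leaves the web application's
    context, which is exactly what the front-end filter failed to see."""
    return not backend_resolves_to(raw_path).startswith(context)


def hardened_is_safe(raw_path: str, context: str = "/myapp/") -> bool:
    """Decide on the canonical path, and refuse any backslash outright so the
    front-end and the backend cannot disagree about what was requested."""
    decoded = unquote(raw_path)
    if "\\" in decoded:
        return False
    canonical = posixpath.normpath("/" + decoded.lstrip("/"))
    return canonical.startswith(context)


# Constructed requests against a hypothetical /myapp context.
SAMPLE_REQUESTS = [
    "/myapp/images/logo.png",         # ordinary resource, both checks allow it
    "/myapp/a/../b.jsp",              # '..' that stays inside the context: naive rejects, hardened allows
    "/myapp/../../etc/passwd",        # classic traversal, both checks reject it
    "/myapp/..%5C..%5Cmanager/html",  # encoded backslashes, naive check misses it
    "/myapp/..\\WEB-INF/web.xml",     # literal backslash, naive check misses it
]


def compare(raw_path: str) -> dict:
    """Summarise what each check decides for one request."""
    return {
        "naive_safe": naive_is_safe(raw_path),
        "backend_path": backend_resolves_to(raw_path),
        "escapes": escapes_context(raw_path),
        "hardened_safe": hardened_is_safe(raw_path),
    }


if __name__ == "__main__":
    for req in SAMPLE_REQUESTS:
        print(req, compare(req))
```

The two backslash requests are the interesting rows: the naive filter reports them safe, yet the backend resolves them to /manager/html and /WEB-INF/web.xml, outside the context. The hardened check agrees with the backend because it decides on the canonical form and refuses the ambiguous separator, which is the same approach Tomcat’s fix took by rejecting backslashes unless explicitly re-enabled through its ALLOW_BACKSLASH system property. The general lesson is that every component in the request chain has to make its decision on the same canonical form the final resolver uses.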
DoD Cyber Crime Conference 2011
SANS is pleased to announce that we’ve partnered with the DoD Cyber Crime Conference 2011 to offer the SANS two-day Metasploit Kung Fu for Enterprise Pen Testing course as part of the pre-conference training, January 21 – 24, 2011, in Atlanta, GA.
Register for the pre-conference training and the DoD Cyber Crime Conference 2011 by December 31, 2010 for the deepest discounts available. Pre-conference training runs January 21 – 24 and the conference runs January 25 – 28.
The DoD Cyber Crime Conference focuses on all aspects of computer crime and incident response including intrusion investigations, cyber crime law, digital forensics, information assurance, as well as the research, development, testing, and evaluation of digital forensic tools.
The goal is to prepare attendees for the new crimes of today and the near future. Speakers will discuss new approaches and new perspectives with the current movers and shakers in cyber crime.
Metasploit Pro Webcast with HD Moore – Recording Now Available for On Demand Viewing
Recently, Metasploit founder and Rapid7 CSO, HD Moore, conducted a live walk through of Metasploit Pro, the new commercial penetration testing tool based on the open source Metasploit Framework.
Whether you attended that session and would like a repeat, or you weren’t able to attend and would love to catch a glimpse of what Metasploit Pro has to offer, a recording of that session is now available.
Metasploit Pro is designed for security professionals in enterprises, government agencies and consulting firms who need to make network security testing more efficient in order to reduce costs. Unlike alternative products, Metasploit Pro improves the efficiency of penetration testers by providing unrestricted remote network access, and by enabling teams to collaborate efficiently. Metasploit Pro exceeds the functionality of Metasploit Express™ with support for security testing of custom Web applications, managing client-side campaigns against end-users, and additional evasion features.
