<?xml version="1.0" encoding="UTF-8"?>
<?xml-stylesheet type="text/xsl" media="screen" href="/~d/styles/rss2full.xsl"?><?xml-stylesheet type="text/css" media="screen" href="http://feeds.feedburner.com/~d/styles/itemcontent.css"?><rss xmlns:atom="http://www.w3.org/2005/Atom" xmlns:openSearch="http://a9.com/-/spec/opensearch/1.1/" xmlns:georss="http://www.georss.org/georss" xmlns:gd="http://schemas.google.com/g/2005" xmlns:thr="http://purl.org/syndication/thread/1.0" version="2.0"><channel><atom:id>tag:blogger.com,1999:blog-1818998313374887080</atom:id><lastBuildDate>Fri, 17 Feb 2012 04:07:36 +0000</lastBuildDate><category>GLBA</category><category>Book Review</category><category>Twitter</category><category>Buzz Killer Google</category><category>Nessus</category><category>PCI/DSS</category><category>NoScript</category><category>ShadyURL URL Shortening Twitter</category><category>security</category><category>HowTo</category><category>Patch Tuesday</category><category>Windows Update</category><category>security mandates</category><category>Handbook</category><category>Tips</category><category>end-point</category><category>Home Feed</category><category>Clearance</category><category>Fun</category><category>AVG</category><category>Vulnerability Sharing</category><category>DoD</category><category>HIPAA</category><category>ISO 27001/27002</category><category>Hacked</category><category>ClearClick Warning</category><category>Wifi Hacking</category><category>Metasploit Lite</category><category>Mobile Phone</category><category>FISMA</category><category>Rant</category><category>Free</category><category>Clickjacking</category><category>security complaince</category><category>News</category><category>anti-virus</category><title>Nicholson Security</title><description>IT professional by day. InfoSec enthusiast by night. 
Family guy all the time.</description><link>http://www.nicholsonsecurity.com/</link><managingEditor>noreply@blogger.com (Thomas Nicholson)</managingEditor><generator>Blogger</generator><openSearch:totalResults>61</openSearch:totalResults><openSearch:startIndex>1</openSearch:startIndex><openSearch:itemsPerPage>25</openSearch:itemsPerPage><atom10:link xmlns:atom10="http://www.w3.org/2005/Atom" rel="self" type="application/rss+xml" href="http://feeds.feedburner.com/NicholsonSecurity" /><feedburner:info xmlns:feedburner="http://rssnamespace.org/feedburner/ext/1.0" uri="nicholsonsecurity" /><atom10:link xmlns:atom10="http://www.w3.org/2005/Atom" rel="hub" href="http://pubsubhubbub.appspot.com/" /><item><guid isPermaLink="false">tag:blogger.com,1999:blog-1818998313374887080.post-6652395407828130692</guid><pubDate>Tue, 19 Oct 2010 19:54:00 +0000</pubDate><atom:updated>2010-10-19T12:59:13.985-07:00</atom:updated><title>Legal: Privacy Lessons from the Twitter Breach</title><description>Earlier this year Twitter was hacked.  Below are three recommendations from the FTC that would apply to most businesses.&lt;br /&gt;&lt;br /&gt;&lt;blockquote&gt;Three Steps to Protect Your Business&lt;br /&gt;&lt;br /&gt;What can you do to protect yourself from the FTC and claims by your users?&lt;br /&gt;&lt;br /&gt;&lt;span style="font-weight:bold;"&gt;Read your privacy policy&lt;/span&gt;. Many website owners do not know what their privacy policy requires them to do. You must understand what your privacy policy says and what it is requiring you to do.&lt;br /&gt;&lt;br /&gt;&lt;span style="font-weight:bold;"&gt;Develop an internal policy.&lt;/span&gt; You should have an internal administrative policy that all employees should follow that address storage, use, types, and periodic changes of passwords. 
Also, it should address use and access of personal information collected from the users and where that information is stored.&lt;br /&gt;&lt;br /&gt;&lt;span style="font-weight:bold;"&gt;Disclose uses of data collected&lt;/span&gt;. Address in your privacy policy how you plan on using data collected, including the following points:&lt;br /&gt;&lt;br /&gt;Individuals should be clearly advised of the type of personal data being collected;&lt;br /&gt;The intended uses and users of personal data should be identified;&lt;br /&gt;Describe the security measures intended to protect the personal data from unauthorized access;&lt;br /&gt;Describe a means through which users can review their personal data and correct or contest it;&lt;br /&gt;Special measures need to be included for personal information of children if it is collected. Companies that collect data from or about children should provide a means through which parental authorization will be obtained.&lt;br /&gt;&lt;br /&gt;This is not an exhaustive list of items and you should review your privacy policy with “standard reasonable security practices” in mind. You should periodically review and audit your procedures to see what is working and what is not working. You should determine if you are continuing to consistently do what you said you would do in your privacy policy. 
Also, if you share any user information with other companies, you should have contracts with those companies requiring that user information be protected at a minimum under your privacy and security measures, and limit use of the information.&lt;/blockquote&gt;&lt;br /&gt;You can read the full article here at Practical eCommerce: &lt;a href="http://www.practicalecommerce.com/articles/2321-Legal-Privacy-Lessons-from-the-Twitter-Breach-"&gt;http://www.practicalecommerce.com/articles/2321-Legal-Privacy-Lessons-from-the-Twitter-Breach-&lt;/a&gt;&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/1818998313374887080-6652395407828130692?l=www.nicholsonsecurity.com' alt='' /&gt;&lt;/div&gt;</description><link>http://www.nicholsonsecurity.com/2010/10/legal-privacy-lessons-from-twitter.html</link><author>noreply@blogger.com (tnicholson)</author><thr:total>0</thr:total></item><item><guid isPermaLink="false">tag:blogger.com,1999:blog-1818998313374887080.post-2327231803608421239</guid><pubDate>Tue, 12 Oct 2010 18:11:00 +0000</pubDate><atom:updated>2010-10-12T11:14:13.095-07:00</atom:updated><title>SecurityTube.net - Metasploit Megaprimer- 300+ mins of video tutorials</title><description>Vivek has posted a megaprimer on Metasploit on his video blog SecurityTube.net.  The info below was taken from The Ethical Hacker Network forum found here: http://www.ethicalhacker.net/component/option,com_smf/Itemid,54/topic,6158.0/&lt;br /&gt;&lt;br /&gt;Note that this series is still in progress and you can keep checking for the latest videos on SecurityTube http://www.securitytube.net &lt;br /&gt;&lt;br /&gt;Below are the video links and a short description:&lt;br /&gt;&lt;br /&gt;1. Metasploit Megaprimer (Exploitation Basics and need for Metasploit) Part 1&lt;br /&gt;&lt;br /&gt;http://bit.ly/b2Y2pE&lt;br /&gt;&lt;br /&gt;2. 
Metasploit Megaprimer (Getting Started with Metasploit) Part 2&lt;br /&gt;&lt;br /&gt;http://bit.ly/bLgTOm&lt;br /&gt;&lt;br /&gt;3. Metasploit Megaprimer Part 3 (Meterpreter Basics and using Stdapi)&lt;br /&gt;&lt;br /&gt;http://bit.ly/9sjqqH&lt;br /&gt;&lt;br /&gt;4. Metasploit Megaprimer Part 4 (Meterpreter Extensions Stdapi and Priv)&lt;br /&gt;&lt;br /&gt;http://bit.ly/97f1U3&lt;br /&gt;&lt;br /&gt;5. Metasploit Megaprimer Part 5 (Understanding Windows Tokens and Meterpreter Incognito)&lt;br /&gt;&lt;br /&gt;http://bit.ly/anbODH&lt;br /&gt;&lt;br /&gt;6. Metasploit Megaprimer Part 6 (Espia and Sniffer Extensions with Meterpreter Scripts)&lt;br /&gt;&lt;br /&gt;http://bit.ly/c4A4Eg&lt;br /&gt;&lt;br /&gt;7. Metasploit Megaprimer Part 7 (Metasploit Database Integration and Automating Exploitation)&lt;br /&gt;&lt;br /&gt;http://bit.ly/bT1uD5&lt;br /&gt;&lt;br /&gt;8. Metasploit Megaprimer Part 8 (Post Exploitation Kung Fu)&lt;br /&gt;&lt;br /&gt;http://bit.ly/dicJzI&lt;br /&gt;&lt;br /&gt;9. Metasploit Megaprimer Part 9 (Post Exploitation Privilege Escalation)&lt;br /&gt;&lt;br /&gt;http://bit.ly/asr1ML&lt;br /&gt;&lt;br /&gt;10. Metasploit Megaprimer Part 10 (Post Exploitation Log Deletion and AV Killing)&lt;br /&gt;&lt;br /&gt;http://bit.ly/bvCudb&lt;br /&gt;&lt;br /&gt;11. Metasploit Megaprimer (Post Exploitation and Stealing Data) Part 11&lt;br /&gt;&lt;br /&gt;http://bit.ly/auwtBm&lt;br /&gt;&lt;br /&gt;12. Metasploit Megaprimer Part 12 (Post Exploitation Backdoors and Rootkits)&lt;br /&gt;&lt;br /&gt;http://bit.ly/a7n8nw&lt;br /&gt;&lt;br /&gt;13. Metasploit Megaprimer Part 13 (Post Exploitation Pivoting and Port Forwarding)&lt;br /&gt;&lt;br /&gt;http://bit.ly/9mOztm&lt;br /&gt;&lt;br /&gt;14. Metasploit Megaprimer Part 14 (Backdooring Executables)&lt;br /&gt;&lt;br /&gt;http://bit.ly/bZxwgK&lt;br /&gt;&lt;br /&gt;15. Metasploit Megaprimer Part 15 (Auxiliary Modules)&lt;br /&gt;&lt;br /&gt;http://bit.ly/du779R&lt;br /&gt;&lt;br /&gt;16. 
Metasploit Megaprimer Part 16 (Pass the Hash Attack)&lt;br /&gt;&lt;br /&gt;http://bit.ly/d7bdZi&lt;br /&gt;&lt;br /&gt;Please do let me know your feedback!&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/1818998313374887080-2327231803608421239?l=www.nicholsonsecurity.com' alt='' /&gt;&lt;/div&gt;</description><link>http://www.nicholsonsecurity.com/2010/10/securitytubenet-metasploit-megaprimer.html</link><author>noreply@blogger.com (tnicholson)</author><thr:total>0</thr:total></item><item><guid isPermaLink="false">tag:blogger.com,1999:blog-1818998313374887080.post-2338867767295748084</guid><pubDate>Fri, 30 Apr 2010 14:20:00 +0000</pubDate><atom:updated>2010-04-30T08:50:26.249-07:00</atom:updated><category domain="http://www.blogger.com/atom/ns#">DoD</category><category domain="http://www.blogger.com/atom/ns#">Clearance</category><category domain="http://www.blogger.com/atom/ns#">security</category><category domain="http://www.blogger.com/atom/ns#">Handbook</category><title>Everything you wanted to know about getting and keeping security clearance.</title><description>How many times have you found an actual security related job posted on the Internet only to read in the following requirements:&lt;div&gt;&lt;span class="Apple-style-span"   style="  color: rgb(102, 102, 102); line-height: 16px; font-family:Arial, Helvetica, Geneva, sans-serif;font-size:13px;"&gt;&lt;blockquote style="text-align: center;"&gt;"Currently hold a Secret Security Clearance or higher"&lt;/blockquote&gt;&lt;/span&gt;&lt;div style="text-align: center;"&gt;or&lt;/div&gt;&lt;div&gt;&lt;span class="Apple-style-span"   style="  color: rgb(102, 102, 102); line-height: 16px; font-family:Arial, Helvetica, Geneva, sans-serif;font-size:13px;"&gt;&lt;blockquote style="text-align: center;"&gt;"Candidate must be a U.S. Citizen and have the ability to obtain a Security Clearance if one is not currently held. 
Current TS/SCI Security Clearance is a plus."&lt;/blockquote&gt;&lt;/span&gt;&lt;div&gt;If you're ex-DoD, you might meet that requirement.  If you're an experienced security professional, you might have had a company pay for you to get security clearance along the way. But if you're a transplant or new grad you're stuck.&lt;/div&gt;&lt;div&gt;&lt;br /&gt;&lt;/div&gt;&lt;div&gt;This isn't just a requirement for DoD, which is one of the largest employers in my area, but also for private industry.  For example, we have a lot of Pharmaceuticals and High Tech companies that require security clearance as well.&lt;/div&gt;&lt;div&gt;&lt;br /&gt;&lt;/div&gt;&lt;div&gt;The question I get from frustrated friends and students is how do I get clearance?  My usual answer is find a company to sponsor you, as it isn't cheap.  But this morning I found a handbook that explains how to obtain, keep and re-activate (if you had it and let it lapse) security clearance.  You're still better off finding a company sponsor but this will give you an idea of the process.&lt;/div&gt;&lt;div&gt;&lt;br /&gt;&lt;/div&gt;&lt;div&gt;This &lt;a href="http://www.ufairfax.net/ufairfax/files/Security.Clearance.Handbook.2009.pdf"&gt;Security Clearance Handbook 2010&lt;/a&gt; (pdf) was assembled by the University of Fairfax.  I would go into more detail about the contents of the handbook, but then what would be the point of linking to it.  
This handbook should answer most of the questions you have about security clearance.&lt;/div&gt;&lt;div&gt;&lt;br /&gt;&lt;/div&gt;&lt;div&gt;If you have experience obtaining, maintaining, or re-activating your security clearance and you would like to share your experience, please post in the comments.&lt;/div&gt;&lt;/div&gt;&lt;/div&gt;&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/1818998313374887080-2338867767295748084?l=www.nicholsonsecurity.com' alt='' /&gt;&lt;/div&gt;</description><link>http://www.nicholsonsecurity.com/2010/04/how-many-times-have-you-found-actual.html</link><author>noreply@blogger.com (tnicholson)</author><thr:total>0</thr:total></item><item><guid isPermaLink="false">tag:blogger.com,1999:blog-1818998313374887080.post-676937586961764977</guid><pubDate>Mon, 12 Apr 2010 15:00:00 +0000</pubDate><atom:updated>2010-04-12T08:17:41.876-07:00</atom:updated><title>Programming Paradigms at Stanford</title><description>Ever wonder what happens when you assign a value to a variable?  No, I mean like where is it in memory.  What does the binary string look like?  What is the difference between an &lt;i&gt;int&lt;/i&gt; and a &lt;i&gt;short&lt;/i&gt; that are assigned the same value?  Well, I guess I'm the only one that does, but if you do too, check out the &lt;a href="http://see.stanford.edu/see/lecturelist.aspx?coll=2d712634-2bf1-4b55-9a3a-ca9d470755ee"&gt;Programming Paradigms&lt;/a&gt; class lecture videos from Stanford.  They're really good and cover all the details.  It's a little fast-paced for me so I usually play the videos over two or three times but they have lots of great information in them.  
They aren't language specific, but they cover stuff relevant to Assembly, C/C++, Python, etc.&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/1818998313374887080-676937586961764977?l=www.nicholsonsecurity.com' alt='' /&gt;&lt;/div&gt;</description><link>http://www.nicholsonsecurity.com/2010/04/programming-paradigms-at-stanford.html</link><author>noreply@blogger.com (tnicholson)</author><thr:total>0</thr:total></item><item><guid isPermaLink="false">tag:blogger.com,1999:blog-1818998313374887080.post-3225142998384053472</guid><pubDate>Fri, 19 Feb 2010 15:37:00 +0000</pubDate><atom:updated>2010-02-19T07:46:19.074-08:00</atom:updated><category domain="http://www.blogger.com/atom/ns#">ShadyURL URL Shortening Twitter</category><title>Yet another URL shortening services...</title><description>I've commented on other posts on this site about the security issues with URL shortening services. &amp;nbsp;My main issue is that you don't know what clicking that link could mean from a security standpoint. &amp;nbsp;With all the client-side attacks going on, clicking on anything should make you wary.&lt;br /&gt;
&lt;br /&gt;
&lt;div class="separator" style="clear: both; text-align: center;"&gt;&lt;a href="http://1.bp.blogspot.com/_aV25p1TFCwc/S36weRDDjmI/AAAAAAAAAas/HkJFOn_JdIk/s1600-h/Screen+shot+2010-02-19+at+7.26.27+AM.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"&gt;&lt;img border="0" src="http://1.bp.blogspot.com/_aV25p1TFCwc/S36weRDDjmI/AAAAAAAAAas/HkJFOn_JdIk/s320/Screen+shot+2010-02-19+at+7.26.27+AM.png" /&gt;&lt;/a&gt;&lt;/div&gt;&lt;br /&gt;
&lt;span class="Apple-style-span" style="font-family: inherit;"&gt;When I learned of ShardyURL.com on Twitter a few days ago I thought it was great. &amp;nbsp;ShadyURL is yet another URL shortening service but with a "suspicious and frightening" naming convention. &amp;nbsp;For example I created a link to this post and it came out as&amp;nbsp;&lt;/span&gt;&lt;span class="Apple-style-span" style="font-family: inherit;"&gt;&lt;span class="Apple-style-span" style="color: red;"&gt;&lt;a href="http://5z8.info/toosexyfortv.mov_x4a8y_stalin-will-rise-again" style="margin-bottom: 0px; margin-left: 0px; margin-right: 0px; margin-top: 0px; padding-bottom: 0px; padding-left: 0px; padding-right: 0px; padding-top: 0px; text-decoration: none;"&gt;http://5z8.info/toosexyfortv.mov_x4a8y_stalin-will-rise-again&lt;/a&gt;&lt;/span&gt;&lt;/span&gt;&lt;br /&gt;
&lt;span class="Apple-style-span" style="color: red;"&gt;&lt;br /&gt;
&lt;/span&gt;&lt;br /&gt;
&lt;div class="separator" style="clear: both; text-align: center;"&gt;&lt;a href="http://2.bp.blogspot.com/_aV25p1TFCwc/S36wndpo0CI/AAAAAAAAAa8/n7wowOR8tMs/s1600-h/Screen+shot+2010-02-19+at+7.37.22+AM.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"&gt;&lt;img border="0" src="http://2.bp.blogspot.com/_aV25p1TFCwc/S36wndpo0CI/AAAAAAAAAa8/n7wowOR8tMs/s320/Screen+shot+2010-02-19+at+7.37.22+AM.png" /&gt;&lt;/a&gt;&lt;/div&gt;&lt;br /&gt;
Now if I need to use a shortening service (though this one doesn't really shorten anything; it might actually make the new URL longer than the original one), I'll use ShadyURL.&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/1818998313374887080-3225142998384053472?l=www.nicholsonsecurity.com' alt='' /&gt;&lt;/div&gt;</description><link>http://www.nicholsonsecurity.com/2010/02/yet-another-url-shortening-services.html</link><author>noreply@blogger.com (tnicholson)</author><media:thumbnail xmlns:media="http://search.yahoo.com/mrss/" url="http://1.bp.blogspot.com/_aV25p1TFCwc/S36weRDDjmI/AAAAAAAAAas/HkJFOn_JdIk/s72-c/Screen+shot+2010-02-19+at+7.26.27+AM.png" height="72" width="72" /><thr:total>0</thr:total></item><item><guid isPermaLink="false">tag:blogger.com,1999:blog-1818998313374887080.post-4584191952635610948</guid><pubDate>Thu, 18 Feb 2010 22:13:00 +0000</pubDate><atom:updated>2010-02-18T14:20:25.139-08:00</atom:updated><category domain="http://www.blogger.com/atom/ns#">Buzz Killer Google</category><title>Buzz Killer (Disable Google Buzz)</title><description>Google has now added a way to disable Buzz from the settings area in your Gmail account. &amp;nbsp;Once in the settings area, select the last tab, Buzz, and click on the red "Disable Google Buzz" link. &lt;br /&gt;
&lt;br /&gt;
&lt;div class="separator" style="clear: both; text-align: center;"&gt;
&lt;a href="http://1.bp.blogspot.com/_m-alYD6H2VM/S3252yk2okI/AAAAAAAAACA/TNiLpguqUs4/s1600-h/Screen+shot+2010-02-18+at+2.03.25+PM.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"&gt;&lt;img border="0" src="http://1.bp.blogspot.com/_m-alYD6H2VM/S3252yk2okI/AAAAAAAAACA/TNiLpguqUs4/s320/Screen+shot+2010-02-18+at+2.03.25+PM.png" /&gt;&lt;/a&gt;&lt;/div&gt;
&lt;br /&gt;
&lt;br /&gt;
A confirmation window opens asking if you would like to "unfollow" on Buzz, Reader and other Google services. &amp;nbsp;This option is enabled by default, so be careful. &lt;br /&gt;
&lt;br /&gt;
&lt;div class="separator" style="clear: both; text-align: center;"&gt;
&lt;a href="http://4.bp.blogspot.com/_m-alYD6H2VM/S327KiZu-5I/AAAAAAAAACI/lR6Wotww-CU/s1600-h/Screen+shot+2010-02-18+at+2.05.04+PM.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"&gt;&lt;img border="0" src="http://4.bp.blogspot.com/_m-alYD6H2VM/S327KiZu-5I/AAAAAAAAACI/lR6Wotww-CU/s320/Screen+shot+2010-02-18+at+2.05.04+PM.png" /&gt;&lt;/a&gt;&lt;/div&gt;
&lt;br /&gt;
&lt;br /&gt;
I didn't notice that, and now I've lost all the folks I was following in Reader. Maybe it's time I find another RSS reader. :/&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/1818998313374887080-4584191952635610948?l=www.nicholsonsecurity.com' alt='' /&gt;&lt;/div&gt;</description><link>http://www.nicholsonsecurity.com/2010/02/buzz-killer-disable-google-buzz.html</link><author>noreply@blogger.com (Thomas Nicholson)</author><media:thumbnail xmlns:media="http://search.yahoo.com/mrss/" url="http://1.bp.blogspot.com/_m-alYD6H2VM/S3252yk2okI/AAAAAAAAACA/TNiLpguqUs4/s72-c/Screen+shot+2010-02-18+at+2.03.25+PM.png" height="72" width="72" /><thr:total>0</thr:total></item><item><guid isPermaLink="false">tag:blogger.com,1999:blog-1818998313374887080.post-842309851002039988</guid><pubDate>Tue, 16 Feb 2010 17:28:00 +0000</pubDate><atom:updated>2010-02-16T10:34:59.373-08:00</atom:updated><title>Moved my blog to a new host.</title><description>If you noticed a change on the site or had some DNS issues the last 24 hours, it was due to me moving my site. &amp;nbsp;Everything should be working now, although some posts were hurt in the migration of this blog. &amp;nbsp;If you find something broken, please let me know.&lt;br /&gt;
&lt;br /&gt;
It's been a while since I made the time to write. &amp;nbsp;But I'm starting to cut back on all the extra stuff that has been eating up my time the last several months. &amp;nbsp;I plan to start writing more frequently and also post some more video tutorials.&lt;br /&gt;
&lt;br /&gt;
If you have any tips on how I can make this site better, please feel free to email Thomas at Nicholson Security and thanks for stopping by...&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/1818998313374887080-842309851002039988?l=www.nicholsonsecurity.com' alt='' /&gt;&lt;/div&gt;</description><link>http://www.nicholsonsecurity.com/2010/02/moved-my-blog-to-new-host.html</link><author>noreply@blogger.com (Thomas Nicholson)</author><thr:total>0</thr:total></item><item><guid isPermaLink="false">tag:blogger.com,1999:blog-1818998313374887080.post-1018235330920033231</guid><pubDate>Wed, 23 Sep 2009 19:05:00 +0000</pubDate><atom:updated>2010-02-09T12:49:38.468-08:00</atom:updated><category domain="http://www.blogger.com/atom/ns#">Rant</category><title>What does being a "security professional" have to do with security?</title><description>Yesterday I read this article on CSO Online entitled "&lt;a href="http://www.csoonline.com/article/502914/7_Ways_Security_Pros_DON_T_Practice_What_They_Preach"&gt;7 Ways Security Pros DON'T Practice What They Preach&lt;/a&gt;." I knew by the title that I was going to have issues.  Information security is about the confidentiality, integrity and availability of data NOT job titles.  This is like pointing out oncologists who smoke or law enforcement officers who get speeding tickets.  People are people not job titles.  When I read through the "7 ways" I didn't see anything that didn't apply to everyone else.  The article read as if someone who is a security professional is different than another employee with security awareness training.&lt;br/&gt;&lt;br/&gt;Also, when discussing security you need to remember that nothing is 100%, and so we have to pick our battles.  My favorite was the hit on URL shortening services.  These services are very popular with the Twitter crowd due to the limited number of characters allowed.  
They seem to think that clicking on a hyperlink that says "tinyurl.com/83jd9" is less safe than clicking on a hyperlink that says &amp;lt;a href="evilurl.example.com"&amp;gt;Free Windows 7&amp;lt;/a&amp;gt;.&lt;br/&gt;&lt;br/&gt;The issue that I've written about several times has to do with educating everyone, "Security Pros" and "Joe/Jane User" alike, and with knowing what data we need to protect and how to protect it.  Maybe the person clicking on the TinyURL link is running a browser in a sandbox on a hardened host.  Odds are even a malicious link won't cause any harm.&lt;br/&gt;&lt;br/&gt;Complicated fads and false promises are not the solution.  I think we have all learned that security professionals are human and creatures of convenience like the rest of us.  As it's been said time and time again, security that is anything but simple and transparent isn't going to work.  If you want us to encrypt our storage devices, then you'll need to make it work like the unencrypted storage devices we have today.  If you want us to use strong authentication, it will need to be easier than the passwords we use today.&lt;br/&gt;&lt;br/&gt;Bottom line is that, like everything else, security should make our lives easier not harder.  We shouldn't need two sets of standards, one for security professionals and one for non-security professionals.  
Security should be "built in" and an effect not a cause.&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/1818998313374887080-1018235330920033231?l=www.nicholsonsecurity.com' alt='' /&gt;&lt;/div&gt;</description><link>http://www.nicholsonsecurity.com/2009/09/what-does-being-professional-have-to-do.html</link><author>noreply@blogger.com (Thomas Nicholson)</author><thr:total>0</thr:total></item><item><guid isPermaLink="false">tag:blogger.com,1999:blog-1818998313374887080.post-5914008070385803944</guid><pubDate>Wed, 05 Aug 2009 15:16:00 +0000</pubDate><atom:updated>2010-02-09T12:49:38.473-08:00</atom:updated><category domain="http://www.blogger.com/atom/ns#">News</category><title>It's about the data not the technology.</title><description>I was asked about the best way to secure a computer yesterday and caught myself going into a list of security software, hardware and best practices, when my answer should have been a follow up question.  What kind of data do you want to protect?  We so often get caught up in all the cool security technology that we forget the reason for the technology is to support the goal of protecting our information.&lt;br/&gt;&lt;br/&gt;When I started in computers in the 90’s I built a few custom systems for various people and businesses.  My first question was always the same to both groups.  What do you plan to use the computer for?  After I got that question answered, I could ask the right questions about software and hardware to give them the “solution” they needed.&lt;br/&gt;&lt;br/&gt;I think we need to make more of an effort to get back to that.  I think the first question that should be asked of anyone, individual or business, is what kind of data do you plan to store, process and transmit?  
Only after knowing the answer to that question can we start to ask the right questions about software and hardware and recommend the right “solution” to customers.&lt;br/&gt;&lt;br/&gt;I know that sometimes the right questions are asked.  I know that many businesses and individuals are doing the right things when it comes to security.  My question is how do we get everyone else on board?  Vendors sell solutions.  The problem as I see it is nobody bothers asking the right questions, thus nobody knows the right "solution" for the customer.&lt;br/&gt;&lt;br/&gt;Let me know what you think in the comments.&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/1818998313374887080-5914008070385803944?l=www.nicholsonsecurity.com' alt='' /&gt;&lt;/div&gt;</description><link>http://www.nicholsonsecurity.com/2009/08/it-about-data-not-technology.html</link><author>noreply@blogger.com (Thomas Nicholson)</author><thr:total>4</thr:total></item><item><guid isPermaLink="false">tag:blogger.com,1999:blog-1818998313374887080.post-1576577602770215062</guid><pubDate>Fri, 29 May 2009 08:21:00 +0000</pubDate><atom:updated>2010-02-09T12:49:38.476-08:00</atom:updated><category domain="http://www.blogger.com/atom/ns#">News</category><title>Secunia PSI now inspects browser plugins for secure browsing.</title><description>Late last year I wrote a &lt;a href="http://nicholsonsecurity.com/2008/11/25/keeping-3rd-party-apps-up-to-date-on-windows/"&gt;post&lt;/a&gt; on Secunia PSI, which is a free program (for personal use) that will inspect all the software installed on your Windows system and report which installed applications are insecure, assuming a fix is available.  
I've been suggesting PSI to friends, family and students for some time, but yesterday Secunia released a new BETA.&lt;br/&gt;The latest BETA from Secunia has added a “Secure Browsing” feature.&lt;span&gt; &lt;/span&gt;Here is the description found on the Secunia blog.&lt;br/&gt;&lt;blockquote&gt;&lt;br/&gt;&lt;p class="MsoNormal"&gt;&lt;strong&gt;&lt;span style="font-family: &amp;quot;Calibri&amp;quot;,&amp;quot;sans-serif&amp;quot;;"&gt;Secure Browsing&lt;/span&gt;&lt;/strong&gt;&lt;br/&gt;Secure Browsing is without a doubt one of the most important aspects of online security. If your browser (Internet Explorer, Firefox, etc.) or its plugins (Adobe Flash Player, QuickTime, Sun Java, etc.) is vulnerable, then you're exposed to security threats every single time you visit a website. This is a fact that can't be disputed.&lt;br/&gt;&lt;br/&gt;A new feature in the Secunia PSI, called "Secure Browsing", is here to help.&lt;br/&gt;&lt;br/&gt;We know that keeping track of your installed browsers, browser plugins, and programs that integrate directly with your browser can be very difficult.&lt;br/&gt;&lt;br/&gt;&lt;strong&gt;The "Secure Browsing" feature tells you what programs and plugins are integrated directly with your browsers - it is extremely important to know that it’s not just your browser you start up and expose when surfing.&lt;/strong&gt;&lt;br/&gt;&lt;br/&gt;As an additional bonus, the "Secure Browsing" feature also includes information about unpatched vulnerabilities. 
Vulnerabilities where the vendor has yet to react and create a proper solution to a known security problem.&lt;/blockquote&gt;&lt;br/&gt;&lt;p class="MsoNormal"&gt;I think this is a great new feature to add to PSI.&lt;span&gt; &lt;/span&gt;In addition to keeping your installed client-side applications secure, Secunia PSI can now help you keep your web browsers secure as well.&lt;/p&gt;&lt;br/&gt;&lt;p class="MsoNormal"&gt;I pulled down the latest BETA yesterday and so far I’ve been happy with it.&lt;span&gt; &lt;/span&gt;So if you are already using PSI, I would suggest upgrading to the BETA, and if you’ve never used PSI, now might be a great time to start.&lt;/p&gt;&lt;br/&gt;&lt;br/&gt;&lt;p class="MsoNormal"&gt;&lt;strong&gt;Download the free Secunia PSI 1.0.0.5 BETA:&lt;/strong&gt;&lt;br/&gt;&lt;a href="http://secunia.com/PSISetupBeta.exe"&gt;http://secunia.com/PSISetupBeta.exe&lt;/a&gt;&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/1818998313374887080-1576577602770215062?l=www.nicholsonsecurity.com' alt='' /&gt;&lt;/div&gt;</description><link>http://www.nicholsonsecurity.com/2009/05/secunia-psi-now-inspects-browser.html</link><author>noreply@blogger.com (Thomas Nicholson)</author><thr:total>0</thr:total></item><item><guid isPermaLink="false">tag:blogger.com,1999:blog-1818998313374887080.post-2101504782578014383</guid><pubDate>Tue, 12 May 2009 18:59:00 +0000</pubDate><atom:updated>2010-02-09T12:49:38.479-08:00</atom:updated><category domain="http://www.blogger.com/atom/ns#">News</category><title>DIY CISS Degree: 100 Open Courses on Computer Information Systems and
Security</title><description>I was sent an email today by Kelly Sonora about some &lt;a href="http://www.computer-colleges.com/blog/2009/diy-ciss-degree-100-open-courses-on-computer-information-systems-and-security/" target="_blank"&gt;free open courses&lt;/a&gt;.  I was familiar with the &lt;a href="http://ocw.mit.edu/OcwWeb/web/home/home/index.htm" target="_blank"&gt;MIT Open Courses&lt;/a&gt; when they started offering those several years ago, but the other schools were new to me.  Shown below is a list of the "Security" related courses.  The complete list includes courses covering numerous topics including but not limited to databases, web development, business management, law, and more.  So if you're looking for some formal academic training, I would suggest you check these courses out.&lt;br/&gt;&lt;br/&gt;&lt;strong&gt;Security&lt;/strong&gt;&lt;br/&gt;&lt;br/&gt;&lt;ol&gt;&lt;br/&gt;	&lt;li&gt;&lt;strong&gt;&lt;a href="http://ocw.mit.edu/OcwWeb/Electrical-Engineering-and-Computer-Science/6-857Fall2003/CourseHome/index.htm"&gt;Network and Computer Security&lt;/a&gt;:&lt;/strong&gt; Through this course, students will learn to create secure multi-computer networks, encrypt data, use security monitoring software, assess risk and much more. [MIT]&lt;/li&gt;&lt;br/&gt;	&lt;li&gt;&lt;strong&gt;&lt;a href="http://ocw.mit.edu/OcwWeb/Electrical-Engineering-and-Computer-Science/6-897Spring-2004/CourseHome/index.htm"&gt;Selected Topics in Cryptography&lt;/a&gt;: &lt;/strong&gt;If you’d like to address some of the more advanced issues in cryptography, this course is an ideal way to do so. [MIT]&lt;/li&gt;&lt;br/&gt;	&lt;li&gt;&lt;strong&gt;&lt;a href="http://ocw.mit.edu/OcwWeb/Electrical-Engineering-and-Computer-Science/6-875Spring-2005/CourseHome/index.htm"&gt;Cryptography and Cryptanalysis&lt;/a&gt;: &lt;/strong&gt;Check out these courses for a great introduction to the modern uses of cryptography. 
[MIT]&lt;/li&gt;&lt;br/&gt;	&lt;li&gt;&lt;strong&gt;&lt;a href="http://ocw.mit.edu/OcwWeb/Electrical-Engineering-and-Computer-Science/6-876JSpring-2003/CourseHome/index.htm"&gt;Advanced Topics in Cryptography&lt;/a&gt;: &lt;/strong&gt;Focusing on topics like interactive proofs, zero-knowledge proofs, secure protocols, and two-party secure computation, this course will help you take your cryptography studies to the next level. [MIT]&lt;/li&gt;&lt;br/&gt;	&lt;li&gt;&lt;a href="http://openlearn.open.ac.uk/course/view.php?name=M886_1"&gt;&lt;strong&gt;Introduction to Information Security&lt;/strong&gt;&lt;/a&gt;&lt;strong&gt;: &lt;/strong&gt;This course is a very basic introduction to the reasons and methods for securing confidential information. [OpenLearn]&lt;/li&gt;&lt;br/&gt;	&lt;li&gt;&lt;strong&gt;&lt;a href="http://openlearn.open.ac.uk/course/view.php?name=T823_1"&gt;Network Security&lt;/a&gt;: &lt;/strong&gt;Beginners can learn the basics of network security through this course. [OpenLearn]&lt;/li&gt;&lt;br/&gt;	&lt;li&gt;&lt;strong&gt;&lt;a href="http://athome.harvard.edu/programs/hvs"&gt;Hyper-Encryption by Virtual Satellite&lt;/a&gt;: &lt;/strong&gt;Watch this video lecture to learn about the role satellites may play in encryption and the failings of many present methods. [Harvard@Home]&lt;/li&gt;&lt;br/&gt;	&lt;li&gt;&lt;a href="http://realserver.princeton.edu:8080/ramgen/lectures/20070215wigdersonVN56K.rm"&gt;&lt;strong&gt;A Worldview through the Computational Lens - Part III: Cryptography: Secrets, Lies, Knowledge, and Trust&lt;/strong&gt;&lt;/a&gt;&lt;strong&gt;: &lt;/strong&gt;Those interested in the role of computers in the modern world will enjoy this lecture that focuses on the benefits and problems associated with digital security. [Princeton]&lt;/li&gt;&lt;br/&gt;&lt;/ol&gt;&lt;br/&gt;As someone who takes pride in being a lifelong learner, I would also suggest those looking for more resources checkout iTunes U.  
They have a small collection of "security" related courses that are free for download.  Again, these are all from an academic perspective; but unlike professional "just the facts" type classes, it never hurts to have a solid foundation of the fundamentals to build upon.&lt;br/&gt;&lt;br/&gt;If you have additional resources for quality "security" related training, please post them in the comments.</description><link>http://www.nicholsonsecurity.com/2009/05/diy-ciss-degree-100-open-courses-on.html</link><author>noreply@blogger.com (Thomas Nicholson)</author><thr:total>1</thr:total></item><item><guid isPermaLink="false">tag:blogger.com,1999:blog-1818998313374887080.post-8536425448760891045</guid><pubDate>Thu, 19 Mar 2009 21:54:00 +0000</pubDate><atom:updated>2010-02-09T12:49:38.481-08:00</atom:updated><category domain="http://www.blogger.com/atom/ns#">PCI/DSS</category><category domain="http://www.blogger.com/atom/ns#">News</category><category domain="http://www.blogger.com/atom/ns#">HIPAA</category><category domain="http://www.blogger.com/atom/ns#">security mandates</category><category domain="http://www.blogger.com/atom/ns#">FISMA</category><category domain="http://www.blogger.com/atom/ns#">security complaince</category><category domain="http://www.blogger.com/atom/ns#">ISO 27001/27002</category><category domain="http://www.blogger.com/atom/ns#">GLBA</category><title>Compliance mandates shouldn't be your company's security baseline.</title><description>This week I started teaching a new session of classes.  One of the classes I'm teaching is on ethics, policies and procedures.  The objective of the class is to teach students the ethics associated with network security, 
and the process of developing policies, including standards and guidelines, in addition to the procedures that go with them.  No matter what I do, I always feel like the class turns into a business/psychology type of class rather than a network security class.  I guess that's because the reason for policies and procedures is users and the need to protect company data.&lt;br/&gt;&lt;br/&gt;In the first part of the class we focus on policies.  One of the items we discuss is where these policies come from.  We all know that the mission of any business is to make money.  So if security is a cost center, then how does a business decide what money it will spend on security?  Well, one motivator for businesses to spend money is to meet compliance mandates.  This comes back to the fact that a business will not spend money on something unless it has to by law or because it provides an ROI.&lt;br/&gt;&lt;br/&gt;The ones we focus on in class include PCI/DSS, GLBA, HIPAA, FISMA and ISO 27001/27002.  All of them are discussed in some detail throughout the class.  The problem that I have is that for some businesses these mandates are the baseline for their security, meaning that some businesses will only spend money on security to the point they are compliant and then stop.  Now this could be for a number of reasons: time constraints, costs, lack of resources to do anything more, etc.  The point is that some believe that nothing bad can happen to them, until it does.  I honestly don't know why.  What I do know is that none of the security compliance mandates I listed is intended to be the "be-all end-all" for securing a business.  Each one has a focus, and that focus does not take into account any other aspect of the business or the technology involved.&lt;br/&gt;&lt;br/&gt;So if you're in a position to drive change in your department, organization or corporation, 
please help to educate and communicate the real security requirements needed to protect the company's mission, its customers and its employees.  I think one of the clearest and most concise statements about compliance recently made was by Michael Starks in his "&lt;a href="http://www.securitycatalyst.com/an-open-letter-to-ceos/" target="_blank"&gt;An Open Letter to CEO's&lt;/a&gt;" post.&lt;br/&gt;&lt;blockquote&gt;...we need to have a security program that is perpetually healthy–one that creates and builds a security culture.  It needs to be healthy enough where passing audits is a natural consequence of how we handle information.&lt;/blockquote&gt;&lt;br/&gt;Meeting security compliance mandates should be a positive side effect of your security practices, not the motivation for them.&lt;br/&gt;&lt;br/&gt;I am always open to feedback, so please feel free to post a comment.</description><link>http://www.nicholsonsecurity.com/2009/03/compliance-mandates-shouldn-be-your.html</link><author>noreply@blogger.com (Thomas Nicholson)</author><thr:total>0</thr:total></item><item><guid isPermaLink="false">tag:blogger.com,1999:blog-1818998313374887080.post-7161527410572899891</guid><pubDate>Wed, 25 Feb 2009 16:52:00 +0000</pubDate><atom:updated>2010-02-09T12:49:38.483-08:00</atom:updated><category domain="http://www.blogger.com/atom/ns#">News</category><title>Suggested reading "So, You Wanna Be in InfoSec?"</title><description>Every class I get students asking me how they can get into the security field.  I tell them what I know, but I think this post sums it all up pretty well.  
Also, it helps that it's coming from someone who "does" security rather than someone who "teaches" security.&lt;br/&gt;&lt;br/&gt;&lt;a href="http://stateofsecurity.com/?p=588" target="_blank"&gt;So, You Wanna Be in InfoSec? &lt;/a&gt;&lt;br/&gt;&lt;br/&gt;Here is another post about a career in Ethical Hacking.  I highly suggest checking out this mp3/pdf presentation.&lt;br/&gt;&lt;br/&gt;&lt;a href="http://www.ethicalhacker.net/content/view/236/24/" target="_self"&gt;DIY Career in Ethical Hacking: The R-Rated Version&lt;/a&gt;&lt;br/&gt;&lt;br/&gt;If you're a security professional and want to share your story, I would like to hear it in the comments.  If you have a website where you have already shared your story, post a link and I'll add it to this post.</description><link>http://www.nicholsonsecurity.com/2009/02/suggested-reading-you-wanna-be-in.html</link><author>noreply@blogger.com (Thomas Nicholson)</author><thr:total>1</thr:total></item><item><guid isPermaLink="false">tag:blogger.com,1999:blog-1818998313374887080.post-5592220629110001768</guid><pubDate>Sat, 21 Feb 2009 06:19:00 +0000</pubDate><atom:updated>2010-02-09T12:49:38.485-08:00</atom:updated><category domain="http://www.blogger.com/atom/ns#">News</category><title>Server migration almost complete.</title><description>I wanted to let my readers know that I’m almost done migrating my blog to a new host.  I still need to check to see that everything made it over, but for the most part I think it's done.&lt;br/&gt;&lt;br/&gt;The Wiki is offline for now, but I hope to get it back online tomorrow.  I have added support for iPhone/Touch devices.  
I will be making some other enhancements to the site as I now have more resources to work with on my new server.&lt;br/&gt;&lt;br/&gt;Sorry to anyone who has experienced trouble with the site in the last 24 hours.  My attempt to make the cut transparent was a failure.  Once this is all done I hope to get back to blogging and produce more videos soon.&lt;br/&gt;&lt;br/&gt;Thanks for visiting, and come back to see what's new.</description><link>http://www.nicholsonsecurity.com/2009/02/server-migration-almost-complete.html</link><author>noreply@blogger.com (Thomas Nicholson)</author><thr:total>0</thr:total></item><item><guid isPermaLink="false">tag:blogger.com,1999:blog-1818998313374887080.post-3156674615428945056</guid><pubDate>Tue, 10 Feb 2009 10:43:00 +0000</pubDate><atom:updated>2010-02-09T12:49:38.486-08:00</atom:updated><category domain="http://www.blogger.com/atom/ns#">HowTo</category><category domain="http://www.blogger.com/atom/ns#">Nessus</category><category domain="http://www.blogger.com/atom/ns#">Free</category><category domain="http://www.blogger.com/atom/ns#">Home Feed</category><title>Getting Nessus running on your home network FREE</title><description>&lt;object width="400" height="300" data="http://vimeo.com/moogaloop.swf?clip_id=3178937&amp;amp;server=vimeo.com&amp;amp;show_title=1&amp;amp;show_byline=1&amp;amp;show_portrait=0&amp;amp;color=&amp;amp;fullscreen=1" type="application/x-shockwave-flash"&gt;&lt;param name="allowfullscreen" value="true" /&gt;&lt;param name="allowscriptaccess" value="always" /&gt;&lt;param name="src" value="http://vimeo.com/moogaloop.swf?clip_id=3178937&amp;amp;server=vimeo.com&amp;amp;show_title=1&amp;amp;show_byline=1&amp;amp;show_portrait=0&amp;amp;color=&amp;amp;fullscreen=1" /&gt;&lt;/object&gt;&lt;br/&gt;&lt;a 
href="http://vimeo.com/3178937"&gt;Getting Nessus running on your home network FREE&lt;/a&gt; from &lt;a href="http://vimeo.com/nicholsonsec"&gt;Thomas Nicholson&lt;/a&gt; on &lt;a href="http://vimeo.com"&gt;Vimeo&lt;/a&gt;.  &lt;a href="http://www.vimeo.com/3178937" target="_blank"&gt;See it in HD&lt;/a&gt;.&lt;br/&gt;&lt;br/&gt;Nessus is one of the most commonly used network vulnerability scanners on the market.  Anyone who does network assessments has used Nessus or one of the many other alternatives like Immunity, Core or even OpenVAS.  I wanted to share with those who might be new to Nessus how you can get the "Home Feed" for FREE for personal use.  Please be sure to read the ToS in its entirety before you download Nessus.&lt;br/&gt;&lt;br/&gt;Nessus has two components: a client interface and a server process/manager.  Nessus supports Windows, Linux and Mac OS X.  You can mix and match the client software and server software.  For example, I have the Nessus server software installed on one of my Linux servers and the Nessus client installed on my Windows netbook.&lt;br/&gt;&lt;br/&gt;You can &lt;a id="qft_" title="Nessus download page" href="http://www.nessus.org/download/"&gt;download&lt;/a&gt; Nessus from the Tenable website.  If you're just installing the client, you don't need to enter a registration number.  But you will need a registration key to install the Nessus server.  If you wanted, you could install the Nessus clients on all the computers on your home network.  When you install the Nessus server it will ask for a registration key.  You can get the key for the &lt;a id="h3be" title="Home Feed" href="http://www.nessus.org/plugins/index.php?view=register"&gt;Home Feed&lt;/a&gt; free on the Tenable website.  Tenable will send you an email with the key.  Once you enter the key and it's validated, it will ask you if you want to run the update.  After that, if you leave the server running it will update every 24 hours.  
Once the server is updated and the client software is installed, you're ready to go.  (I'm working on a short video walk-through, but Tenable has a few video &lt;a id="hjn4" title="demos" href="http://www.nessus.org/demos/"&gt;demos&lt;/a&gt; on their website.)&lt;br/&gt;&lt;br/&gt;The Home Feed has some major limitations with respect to functionality.  The first is that the updates you get with the Home Feed are not the current ones you would get with the paid Professional Feed.  I'm not sure how "current" the home feed is, but I would not expect Nessus to find anything less than a month old.  It could be longer or shorter; I don't know for sure.&lt;br/&gt;&lt;br/&gt;In addition to the delayed updates, the Home Feed doesn't have all the policies that come with the Professional Feed, and you are limited to two by default: a generic scan policy and a Windows Patches policy.  You can create as many new custom policies as you would like, but they won't come already built for you.  You can also read more details on the difference between the Home and Professional feeds at the Tenable website's &lt;a id="bbx_" title="comparison matrix" href="http://www.nessus.org/plugins/index.php?view=feed"&gt;comparison matrix&lt;/a&gt;.&lt;br/&gt;&lt;br/&gt;Bottom line: if you want to get a basic feel for Nessus and an idea of how it works, the Home Feed is great.  But I wouldn't make an assumption that you understand the "full capability" of Nessus without the Professional Feed.&lt;br/&gt;&lt;br/&gt;I hope this information is useful if you're using Nessus on your home network.  
Also check out &lt;a id="zmcc" title="my post" href="../2008/09/03/openvas/"&gt;my post&lt;/a&gt; about OpenVAS, which is a fork of Nessus that is free and Open Source.</description><link>http://www.nicholsonsecurity.com/2009/02/getting-nessus-running-on-your-home.html</link><author>noreply@blogger.com (Thomas Nicholson)</author><thr:total>0</thr:total></item><item><guid isPermaLink="false">tag:blogger.com,1999:blog-1818998313374887080.post-7503084309204958276</guid><pubDate>Tue, 13 Jan 2009 11:41:00 +0000</pubDate><atom:updated>2010-02-09T12:49:38.489-08:00</atom:updated><category domain="http://www.blogger.com/atom/ns#">News</category><title>Where to learn more about Maltego and a big thanks...</title><description>Last night in my Intermediate Network Security class we did a lab on information gathering as it pertains to Network Security Assessments.  The previous week we had discussed Web and Newsgroup searches, WHOIS look-ups, BGP and DNS querying along with Web crawling.  I usually reference websites like Google, Netcraft, Fixed Orbit and the like to get the students started.  Last year I did a demo of Maltego after I had read about it being showcased at one of the cons.  At the time the only real pitch I could make was that it did what a lot of separate web sites did all in one workspace.  
It was all new to me, but I really didn't learn the full power of Maltego until I started reading articles and posts by people like Rob Fuller (Mubix) and Chris Gates (Carnal0wnage).&lt;br/&gt;&lt;br/&gt;So I decided this time around I wanted to get the students using Maltego.  In that effort I was successful, even if it was only for one night.  To prepare for the night's lab activity I asked the @SecurityTwits for some help on finding more information about Maltego.  Both Mubix and Carnal0wnage stepped forward and shared all that they had.  I want to say thanks to both of them and would also like to refer all my students, and anyone else looking for more information about using Maltego, to check out the following two websites and related articles.&lt;br/&gt;&lt;br/&gt;Carnal0wnage - http://carnal0wnage.blogspot.com&lt;br/&gt;&lt;a id="j7it" title="Maltego Part I - Intro and Personal Recon" href="http://www.ethicalhacker.net/content/view/202/1/"&gt;Maltego Part I - Intro and Personal Recon&lt;/a&gt;&lt;br/&gt;Maltego Part II - Infrastructure Enumeration (&lt;em&gt;links will be updated when posts are published&lt;/em&gt;)&lt;br/&gt;&lt;br/&gt;Mubix - http://www.room362.com&lt;br/&gt;&lt;a id="lbj_" title="Maltego 2 and beyond - Part 1" href="http://www.room362.com/archives/225-Maltego-2-and-beyond-Part-1.html"&gt;Maltego 2 and beyond - Part 1&lt;/a&gt;&lt;br/&gt;&lt;a id="avk1" title="Maltego 2 and beyond - Part 2" href="http://www.room362.com/archives/229-Maltego-2-and-beyond-Part-2.html"&gt;Maltego 2 and beyond - Part 2&lt;/a&gt;&lt;br/&gt;&lt;a id="z4cl" title="Maltego 2 and beyond - Part 3" href="http://www.room362.com/archives/266-Maltego-2-and-beyond-Part-3.html"&gt;Maltego 2 and beyond - Part 3&lt;/a&gt;&lt;br/&gt;Maltego 2 and beyond - Part 4 (&lt;em&gt;links will be updated when posts are published&lt;/em&gt;)&lt;br/&gt;Maltego 2 and beyond - Part 5 (&lt;em&gt;links will be updated when posts are published&lt;/em&gt;)</description><link>http://www.nicholsonsecurity.com/2009/01/where-to-learn-more-about-maltego-and.html</link><author>noreply@blogger.com (Thomas Nicholson)</author><thr:total>0</thr:total></item><item><guid isPermaLink="false">tag:blogger.com,1999:blog-1818998313374887080.post-7300294607978415823</guid><pubDate>Tue, 06 Jan 2009 15:24:00 +0000</pubDate><atom:updated>2010-02-09T12:49:38.491-08:00</atom:updated><category domain="http://www.blogger.com/atom/ns#">News</category><category domain="http://www.blogger.com/atom/ns#">Hacked</category><category domain="http://www.blogger.com/atom/ns#">Tips</category><category domain="http://www.blogger.com/atom/ns#">Twitter</category><title>Twitter Accounts Hacked Yesterday</title><description>Yesterday morning I learned that some Twitter accounts had been hacked.  People were getting DMs from people they followed with shortened links that sent them to malicious/phishing websites.  
Later that afternoon I checked the &lt;a title="Twitter Status" href="http://status.twitter.com/post/68538821/multiple-accounts-hacked-situation-stable" target="_blank"&gt;Twitter Status&lt;/a&gt; page and found this post.&lt;br/&gt;&lt;blockquote&gt;A number of high-profile Twitter accounts were compromised this morning, and fake/spam updates were sent on their behalf.&lt;br/&gt;&lt;br/&gt;We have identified the cause and blocked it. We are working to restore compromised accounts.&lt;br/&gt;&lt;br/&gt;As a precaution, it would be prudent to reset your Twitter password and make sure email in your settings is your own.&lt;br/&gt;&lt;br/&gt;More details to come.&lt;/blockquote&gt;&lt;br/&gt;By the end of the day over a dozen blogs had posted about whose accounts had been hacked and even some screenshots of the crazy Tweets and DMs.  People smarter than me have written about all the Web 2.0 vulnerabilities that exist and speculation on how the accounts were hacked.  All I want to share are the following points.&lt;br/&gt;&lt;ul&gt;&lt;br/&gt;	&lt;li&gt;When you sign in to Twitter, make sure you're on the right website. Twitter has an &lt;a title="SSL Login" href="https://twitter.com/" target="_blank"&gt;HTTPS login page&lt;/a&gt;, so make sure you're on the SSL page before submitting your user name and password. (I wonder if the SSL cert is MD5 signed?)&lt;/li&gt;&lt;br/&gt;	&lt;li&gt;Remember your Twitter ID is the same as your user name.  So if someone is trying to brute force your account, they already have half the info they need.&lt;/li&gt;&lt;br/&gt;	&lt;li&gt;Twitter requires a minimum password length of 6 characters.  But I know from experience passwords over 24 characters work.  So use a unique, long and strong password.&lt;/li&gt;&lt;br/&gt;	&lt;li&gt;Remember you should never need to give your password to a 3rd Party Twitter service.  Any service that requires a password is either a phishing attempt or developed by an idiot.  
Either way, you don't want to use the service.&lt;/li&gt;&lt;br/&gt;	&lt;li&gt;If you use a 3rd party client, rather than the Twitter website, you're giving up some control.  A rogue 3rd party client could work as a client and also be phishing for accounts.&lt;/li&gt;&lt;br/&gt;	&lt;li&gt;Make sure you know who you're following on Twitter.  Only people you're following can send you a DM.  You don't need to follow everyone on Twitter or everyone that follows you.&lt;/li&gt;&lt;br/&gt;	&lt;li&gt;Think twice before clicking on a link.  This is especially true for those that access Twitter from work.  It's one thing to be "social networking"; it's another to be landing on websites that violate Internet Use policies.  &lt;strong&gt;UPDATE&lt;/strong&gt;: TinyURL will let you "enable" the preview feature on all TinyURLs before visiting the linked-to website.  This only works for TinyURL; to enable it, go to &lt;a href="http://tinyurl.com/preview.php" target="_blank"&gt;http://tinyurl.com/preview.php&lt;/a&gt;.&lt;/li&gt;&lt;br/&gt;&lt;/ul&gt;&lt;br/&gt;For those that want to read more, check out the following links:&lt;br/&gt;&lt;a title="Following The Twitter Hack Trail To DigitalGangster" rel="bookmark" href="http://www.techcrunch.com/2009/01/05/following-the-twitter-hack-trail-to-digitalganster/"&gt;Following The Twitter Hack Trail To DigitalGangster&lt;/a&gt;&lt;br/&gt;&lt;a title="Twitter Gets Hacked, Badly" rel="bookmark" href="http://www.techcrunch.com/2009/01/05/twitter-gets-hacked-badly/"&gt;Twitter Gets Hacked, Badly&lt;/a&gt;&lt;br/&gt;&lt;a title="Celebrity Twitter Accounts Hacked (Bill O'Reilly, Britney Spears, Obama, More)" rel="bookmark" href="http://www.techcrunch.com/2009/01/05/either-fox-news-had-their-twitter-account-hacked-or-bill-oreilly-is-gay-or-both/"&gt;Celebrity Twitter Accounts Hacked (Bill O'Reilly, Britney Spears, Obama, More)&lt;/a&gt;&lt;br/&gt;&lt;br/&gt;Remember the point of social networking sites like Twitter is to meet people and build networks.  
You can't do that in a locked box, but remember to be responsible when you use any type of technology, Social Networking or otherwise.&lt;br/&gt;&lt;br/&gt;If you have anything you would like to add, I would like to read about it in the comments.</description><link>http://www.nicholsonsecurity.com/2009/01/twitter-accounts-hacked-yesterday.html</link><author>noreply@blogger.com (Thomas Nicholson)</author><thr:total>0</thr:total></item><item><guid isPermaLink="false">tag:blogger.com,1999:blog-1818998313374887080.post-3517990952747436105</guid><pubDate>Tue, 23 Dec 2008 11:35:00 +0000</pubDate><atom:updated>2010-02-09T12:49:38.493-08:00</atom:updated><category domain="http://www.blogger.com/atom/ns#">Mobile Phone</category><category domain="http://www.blogger.com/atom/ns#">News</category><category domain="http://www.blogger.com/atom/ns#">Fun</category><category domain="http://www.blogger.com/atom/ns#">Wifi Hacking</category><category domain="http://www.blogger.com/atom/ns#">Metasploit Lite</category><title>Wifi Hacking with a Mobile Phone</title><description>@hdmoore posted a tweet on Twitter this morning linking to a video on &lt;a href='http://www.youtube.com/watch?v=EkYNRjDytow&amp;eurl=http://paladigaris.biz/?p=214&amp;feature=player_embedded' &gt;YouTube&lt;/a&gt; of someone using a cell phone for wifi hacking.  I recently got an iPhone and have read a few reports of people running Metasploit Lite on it.  This is the first time I have seen it in action on any cell phone.  
I'm not ready to jailbreak my new iPhone yet, but this would be fun to try.</description><link>http://www.nicholsonsecurity.com/2008/12/wifi-hacking-with-mobile-phone.html</link><author>noreply@blogger.com (Thomas Nicholson)</author><thr:total>4</thr:total></item><item><guid isPermaLink="false">tag:blogger.com,1999:blog-1818998313374887080.post-4181176740995954267</guid><pubDate>Tue, 25 Nov 2008 23:25:00 +0000</pubDate><atom:updated>2010-02-09T12:49:38.496-08:00</atom:updated><category domain="http://www.blogger.com/atom/ns#">News</category><title>Security related posts I wanted to share...</title><description>&lt;ul&gt;&lt;br/&gt;	&lt;li&gt;Chris over at Carnal0wnage has a great post on "&lt;a href="http://carnal0wnage.blogspot.com/2008/11/metasploit-and-wmap_24.html" target="_blank"&gt;Metasploit and WMAP&lt;/a&gt;"&lt;/li&gt;&lt;br/&gt;	&lt;li&gt;Larry over at Pauldotcom has a good post on "&lt;a href="http://pauldotcom.com/2008/11/creating-custom-wordlists-for.html" target="_blank"&gt;Creating Custom Wordlists For Password Brute Forcing&lt;/a&gt;"&lt;/li&gt;&lt;br/&gt;	&lt;li&gt;Engadget has a post on "&lt;a class="entry-title-link" href="http://feedproxy.google.com/%7Er/weblogsinc/engadget/%7E3/pNvQeOFdfn4/" target="_blank"&gt;IEEE 1667 pledges secure portable storage for all&lt;/a&gt;"&lt;/li&gt;&lt;br/&gt;	&lt;li&gt;DVLabs has a post on "&lt;a href="http://dvlabs.tippingpoint.com/blog/2008/11/20/mindshare-utilizing-pydbg-within-ida" target="_blank"&gt;MindshaRE: Utilizing PyDbg Within 
IDA&lt;/a&gt;"&lt;/li&gt;&lt;br/&gt;	&lt;li&gt;Kees Leune on "&lt;a href="http://www.leune.org/blog/kees/2008/10/-tips-for-getting-started-1.html" target="_blank"&gt;Tips for getting started in information security&lt;/a&gt;"&lt;/li&gt;&lt;br/&gt;&lt;/ul&gt;</description><link>http://www.nicholsonsecurity.com/2008/11/security-related-posts-i-wanted-to.html</link><author>noreply@blogger.com (Thomas Nicholson)</author><thr:total>0</thr:total></item><item><guid isPermaLink="false">tag:blogger.com,1999:blog-1818998313374887080.post-8263037472349974848</guid><pubDate>Tue, 25 Nov 2008 14:15:00 +0000</pubDate><atom:updated>2010-02-09T12:49:38.500-08:00</atom:updated><category domain="http://www.blogger.com/atom/ns#">News</category><title>Keeping 3rd party apps up-to-date on Windows.</title><description>&lt;p class="MsoNormal"&gt;&lt;span style="font-size: 10pt; line-height: 115%;"&gt;Today version 1.0 of Secunia Personal Software Inspector was released. You can download it free for personal use &lt;a href="http://secunia.com/vulnerability_scanning/personal/" target="_blank"&gt;here&lt;/a&gt;. I have been using PSI since RC1 and I've blogged about it on my other website. If you are running Windows and have installed more applications than Microsoft Office, you want PSI. PSI picks up where Windows Update leaves off. Once you install PSI it will scan your system for applications, including MS Office and Windows Patches. When it has a list of the applications installed it will tell you which, if any, have updates available. It even makes it easy to download and 
install them.&lt;/span&gt;&lt;/p&gt;&lt;br/&gt;&lt;p class="MsoNormal"&gt;&lt;span style="font-size: 10pt; line-height: 115%;"&gt;We all know that Windows has its security problems, but the majority of Windows attacks are through 3&lt;sup&gt;rd&lt;/sup&gt; party software, not typically the host OS. So you can have a secured Windows install, but your system can still be exploited if you're running a vulnerable version of Yahoo! Messenger or another 3&lt;sup&gt;rd&lt;/sup&gt; party application.&lt;/span&gt;&lt;/p&gt;&lt;br/&gt;&lt;p class="MsoNormal"&gt;&lt;span style="font-size: 10pt; line-height: 115%;"&gt;Now PSI doesn't track every application, but it covers most of them. Again, with security it's all about mitigating risk. If PSI helps you to update one application on your system, then you have just eliminated one more attack vector. PSI is free for personal use, so please give it a shot; I'm sure you will like it. I would suggest that you run it only when needed. The program can run as a service and monitor your applications in real time, but that can be a waste of system resources. I usually run a scan of my system whenever I get a Windows Update alert or install new software, which is about bi-weekly. 
&lt;/span&gt;&lt;/p&gt;&lt;br/&gt;&lt;p class="MsoNormal"&gt;&lt;span style="font-size: 10pt; line-height: 115%;"&gt;If you have a business and would like to install PSI on all your clients, they have a solution called &lt;a href="http://secunia.com/vulnerability_scanning/network/" target="_blank"&gt;NSI&lt;/a&gt; 2.0, which is the same thing as PSI but in an agent form so that you can manage multiple machines from one host. This version does cost ?20.00 per computer.&lt;/span&gt;&lt;/p&gt;&lt;br/&gt;&lt;p class="MsoNormal"&gt;&lt;span style="font-size: 10pt; line-height: 115%;"&gt;If you're using PSI or NSI, I would like to get your feedback in the comments.&lt;/span&gt;&lt;/p&gt;</description><link>http://www.nicholsonsecurity.com/2008/11/keeping-3rd-party-apps-up-to-date-on.html</link><author>noreply@blogger.com (Thomas Nicholson)</author><thr:total>0</thr:total></item><item><guid isPermaLink="false">tag:blogger.com,1999:blog-1818998313374887080.post-3323098553041550793</guid><pubDate>Mon, 24 Nov 2008 09:26:00 +0000</pubDate><atom:updated>2010-02-09T12:49:38.502-08:00</atom:updated><category domain="http://www.blogger.com/atom/ns#">AVG</category><category domain="http://www.blogger.com/atom/ns#">News</category><category domain="http://www.blogger.com/atom/ns#">anti-virus</category><category domain="http://www.blogger.com/atom/ns#">end-point</category><category domain="http://www.blogger.com/atom/ns#">security</category><title>Off the AVG bandwagon.</title><description>I was a fan of AVG for a few years.  I'm not really into all the "signature" based security stuff, but I don't want to be infected by some old virus and have it kill my box.  
My happy medium was that I would use the best "free" anti-virus I could and leave it at that.  Well, I decided to give an end-point security solution a try.  More on that in another post, but before I removed AVG I did an update and ran a full scan of my C: drive for grins.  The next morning I checked the results: no problems found.  So I uninstalled AVG and installed one of the two end-point solutions I've wanted to trial.  After installing the first, I downloaded all the updates and started a full scan of my C: drive again with the end-point solution.  Later that day I came back to find over 16 viruses and 4 spyware programs on my system.  Most were false positives, given that I installed them (security research), but a few were the real deal.  After cleaning my system I tried to think about what this result could mean.&lt;br/&gt;&lt;ul&gt;&lt;br/&gt;	&lt;li&gt;AVG isn't as good as I thought?&lt;/li&gt;&lt;br/&gt;	&lt;li&gt;AVG "restores" some of the viruses it removes after you uninstall it? I doubt it but...&lt;/li&gt;&lt;br/&gt;	&lt;li&gt;The new "Genetic Heuristic" technology works better than I thought?&lt;/li&gt;&lt;br/&gt;	&lt;li&gt;My system is totally screwed with or without Anti-Virus? Highly probable.&lt;/li&gt;&lt;br/&gt;&lt;/ul&gt;&lt;br/&gt;After the latest issues in the news with AVG removing "critical" files from Windows hosts, forcing a recovery/re-install, I was happy I jumped off that wagon when I did.  I'm still trialing the first security suite for another 4 days.  After the first trial is over I'll start the next trial before giving my review.  So my question is: do you really get what you pay for?  If I paid for the full version of AVG, would it have found all the viruses the free version missed?  Also, do you use any anti-virus or end-point security, and if so, how do you like it?  
Please post your feedback in the comments.&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/1818998313374887080-3323098553041550793?l=www.nicholsonsecurity.com' alt='' /&gt;&lt;/div&gt;</description><link>http://www.nicholsonsecurity.com/2008/11/off-avg-bandwagan.html</link><author>noreply@blogger.com (Thomas Nicholson)</author><thr:total>10</thr:total></item><item><guid isPermaLink="false">tag:blogger.com,1999:blog-1818998313374887080.post-1058115946040249748</guid><pubDate>Fri, 21 Nov 2008 00:46:00 +0000</pubDate><atom:updated>2010-02-09T12:49:38.504-08:00</atom:updated><category domain="http://www.blogger.com/atom/ns#">News</category><title>Thanks for your continued support!</title><description>I wanted to take a moment to thank all of the supporters of Nicholson Security.&amp;nbsp; All the revenue generated (Adsense &amp;amp; Amazon) by this site goes back into the site and pays for the hosting and bandwidth needed to make this site available.&amp;nbsp; The site is still very young and very much a work in progress.&amp;nbsp; I have a lot of plans for the site in the future.&amp;nbsp; More plans than there seems time for, but I do what I can.&amp;nbsp; I do want to let you know your support is appreciated and it also helps to keep me motivated.&amp;nbsp; &lt;br /&gt;&lt;br /&gt;I have been contacted by some asking if they can make donations (both equipment and money).&amp;nbsp; I am looking into what the legal ramifications of that are now.&amp;nbsp; I am also looking into setting up a PayPal "donations" button.&amp;nbsp; For those that are interested in me consulting, I am looking into that as well and will post the details when I have them worked out.&lt;br /&gt;&lt;br /&gt;Thanks for your continued support!&lt;br /&gt;&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' 
src='https://blogger.googleusercontent.com/tracker/1818998313374887080-1058115946040249748?l=www.nicholsonsecurity.com' alt='' /&gt;&lt;/div&gt;</description><link>http://www.nicholsonsecurity.com/2008/11/thanks-for-your-continued-support.html</link><author>noreply@blogger.com (Thomas Nicholson)</author><thr:total>0</thr:total></item><item><guid isPermaLink="false">tag:blogger.com,1999:blog-1818998313374887080.post-8844319358417152579</guid><pubDate>Fri, 24 Oct 2008 08:12:00 +0000</pubDate><atom:updated>2010-02-09T12:49:38.506-08:00</atom:updated><category domain="http://www.blogger.com/atom/ns#">News</category><title>ThreatExpert Blog has an excellent write up on the Gimmiv.A worm</title><description>Yesterday Microsoft released a security patch for a critical vulnerability.  It seems a worm has been found exploiting this vulnerability in the wild.  If you head over to the &lt;a href="http://blog.threatexpert.com/2008/10/gimmiva-exploits-zero-day-vulnerability.html" target="_blank"&gt;ThreatExpert Blog&lt;/a&gt; you can find a full write-up on this worm and how it's using this critical vulnerability to exploit systems.&lt;br/&gt;&lt;blockquote&gt;Critical &lt;a href="http://www.microsoft.com/technet/security/Bulletin/MS08-067.mspx" target="_blank"&gt;vulnerability&lt;/a&gt; in Server Service has only been patched by Microsoft (MS08-067), as a new worm called &lt;a href="http://www.threatexpert.com/reports.aspx?find=gimmiv" target="_blank"&gt;Gimmiv.A&lt;/a&gt; has been found to be exploiting it in-the-wild.&lt;/blockquote&gt;&lt;br/&gt;If you run Snort IDS, here is a &lt;a href="http://www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/EXPLOIT/EXPLOIT_MS08-067?rev=1.1" target="_self"&gt;link&lt;/a&gt; to rules that detect attempts to exploit this vulnerability.&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/1818998313374887080-8844319358417152579?l=www.nicholsonsecurity.com' alt='' 
/&gt;&lt;/div&gt;</description><link>http://www.nicholsonsecurity.com/2008/10/threatexpert-blog-has-excellent-write.html</link><author>noreply@blogger.com (Thomas Nicholson)</author><thr:total>0</thr:total></item><item><guid isPermaLink="false">tag:blogger.com,1999:blog-1818998313374887080.post-7344768413904351664</guid><pubDate>Wed, 22 Oct 2008 08:05:00 +0000</pubDate><atom:updated>2010-02-09T12:49:38.507-08:00</atom:updated><category domain="http://www.blogger.com/atom/ns#">News</category><title>People will always be the weakest link in security.</title><description>Yesterday morning I stopped in at the local Starbucks to get some coffee.  I noticed when I arrived a customer who was unpacking a laptop bag and getting situated.  While I was waiting in line after ordering my drink, the same customer passed me heading into the restroom.  After I got my coffee I started to head out the door.  I noticed that the customer had booted their laptop and had a Citrix session running with Outlook open.  I looked around and realized that the customer was still in the restroom.  I decided to take a few minutes and sit down across the room and observe.  I noticed that the laptop had a 3G data card plugged in, so I am guessing that was the data connection the customer was using, not the WiFi hotspot.&lt;br/&gt;&lt;br/&gt;Let's evaluate the situation.  We have a company whose IT people need to provide remote access to its users.  They want to keep full control of their data, so they go the thin-client route and use Citrix.  They also must provide the 3G card as well, I am guessing.  But after all that, a user boots the laptop, I'm guessing VPNs into the company, authenticates through the thin-client, launches Outlook and then takes a health break without locking the system.&lt;br/&gt;&lt;br/&gt;&lt;a name='more'&gt;&lt;/a&gt;&lt;br/&gt;&lt;br/&gt;I won't even go into the part about the laptop just sitting untethered on the table.  That is just a whole other issue.  
I am really hoping that all the sensitive and private data is on the thin-client side and not on the local laptop. Sometimes I get tunnel vision on teaching best practices and awareness about security.  All the different technology we can use and policies created to reduce risk, and then you throw a user into the mix and it's all for naught.&lt;br/&gt;&lt;br/&gt;I know that many of you will see the same thing sometime today, but what is the fix?  The customer I observed, after they did come back 15 minutes later, had a Realtor lapel pin.  I don't think keeping that user nailed down to a workstation in a secure building is an option.  I would like to hear your stories, in the comments, on how best efforts were made in the name of security and a user killed it all without any thought.  I would also like to hear solutions to fix problems like this.  I think setting the screen saver to turn on after 60 seconds with authentication enabled would be a good start, but I'm not sure how the user would feel about that.  :P&lt;br/&gt;&lt;br/&gt;P.S. This isn't just a user issue.  I have seen an Administrator spend 30 minutes climbing through security and authentication, only to walk out of sight of their laptop to get a soda refill, without locking it.  
This is truly a people problem, not a non-technical user problem.&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/1818998313374887080-7344768413904351664?l=www.nicholsonsecurity.com' alt='' /&gt;&lt;/div&gt;</description><link>http://www.nicholsonsecurity.com/2008/10/people-will-always-be-weakest-link-in.html</link><author>noreply@blogger.com (Thomas Nicholson)</author><thr:total>5</thr:total></item><item><guid isPermaLink="false">tag:blogger.com,1999:blog-1818998313374887080.post-8373052163276189483</guid><pubDate>Thu, 16 Oct 2008 12:51:00 +0000</pubDate><atom:updated>2010-02-09T12:49:38.509-08:00</atom:updated><category domain="http://www.blogger.com/atom/ns#">News</category><title>Review: SANS Pen Test Webcast Part 1</title><description>&lt;p class="MsoNormal"&gt;Yesterday was the SANS Webcast on &lt;strong&gt;&lt;span&gt;&lt;a href="https://event.on24.com/eventRegistration/EventLobbyServlet?target=registration.jsp&amp;amp;eventid=121680&amp;amp;sessionid=1&amp;amp;key=A0A9EE250B2691348F1218E5F1B16CEA&amp;amp;partnerref=sans&amp;amp;sourcepage=register" target="_blank"&gt;&lt;strong&gt;&lt;span style="font-family: &amp;quot;Calibri&amp;quot;,&amp;quot;sans-serif&amp;quot;; color: blue;"&gt;"Combining Network, Web App and Wireless into the Ultimate Penetration Test."&lt;/span&gt;&lt;/strong&gt;&lt;/a&gt;&lt;/span&gt;&lt;/strong&gt; I had registered to catch it live, but my lunch break disappeared under a pile of deadlines. Today I was able to catch the archive of the presentation.&lt;/p&gt;&lt;br/&gt;&lt;br/&gt;The focus of the webcast was, as the title describes, using combined methods and attack vectors during a penetration test. Sometimes, depending on the client requirements, a pen test will be requested but with a very limited scope. For example, they might only want their wireless network tested or a public-facing web application. 
Usually, due to either lack of interest or cost, some companies will not get the full Monty. I think this is bad because the results provided from the pen test are only part of the picture. I think that if a business is going to have a pen test conducted it should cover all the potential attack vectors. Otherwise a business might have a false sense of security.&lt;br/&gt;&lt;br/&gt;&lt;a name='more'&gt;&lt;/a&gt;&lt;br/&gt;&lt;br/&gt;The example used in the webcast was using an open wireless connection, such as one a business might use for guest Internet access, to gain access to the business's network. It starts with using various wireless attack methods to discover and attack clients on the network. By intercepting employee Internet traffic over the wireless network, they inject an exploit and use BeEF to escalate access and bind a reverse shell to the client to gain access to the business's internal network. Once they have access into the business's network they start to scan the network, compromise services and exploit clients on the network.&lt;br/&gt;&lt;br/&gt;This was only part 1 of a 3-part series. Part 2 is said to be released in the middle of next month. My first impression is that it's a good series and I am looking forward to the others. We have so many specialists in security; I see it all the time in my classes. I have students that just do "Windows" or just do "Linux" or just do "Networking." That is great, and they discuss that in the webcast: we need people that know each of these technologies cold, but as they say in the webcast, do you want to pigeonhole yourself?&lt;br/&gt;&lt;br/&gt;I have always tried to keep a balance when it comes to my skills. Now, due to my 13+ years of experience, I am viewed mostly as a System and Network "type" of IT Professional. 
But I have also over the years learned and worked with programming from Assembly to Java, done web app development from Perl/CGI to PHP, and even worked with wireless networking.&lt;br/&gt;&lt;br/&gt;What it all comes down to is that nobody can know it all, but personally I think we should all know what is possible and understand our skills and limits. Collaboration is another key component that is important. I think that is why there is such a huge network of Ethical Hackers and Penetration Testers out there, all willing to share what they know and exchange knowledge so freely.&lt;br/&gt;&lt;br/&gt;If you're interested in pen testing and have the time, I would suggest checking out Part 1 of the series. When you're done, please post a comment and let me know what you thought about it.&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/1818998313374887080-8373052163276189483?l=www.nicholsonsecurity.com' alt='' /&gt;&lt;/div&gt;</description><link>http://www.nicholsonsecurity.com/2008/10/review-sans-pen-test-webcast-part-1.html</link><author>noreply@blogger.com (Thomas Nicholson)</author><thr:total>0</thr:total></item></channel></rss>

