Recently in Security Category

If you administer a proxy server and use a proxy.pac file for automatic client configuration, you know how hard it is to verify that each entry does what you intend. Short of loading the file in a browser and trying URLs by hand, there wasn't much else you could do.

Enter pactester, hosted on Google Code, to the rescue. This handy command line tool evaluates the JavaScript in your proxy.pac (a PAC file is JavaScript, not Java) and reports, for each URL or host you feed it, what FindProxyForURL returns: your proxy or a direct connection. I've used it extensively lately, and all I can say is bravo!

http://code.google.com/p/pactester/

Leeching Wifi - and why you shouldn't


Sure, you might think you're being clever, connecting to that unsecured wifi hotspot. Hey, just checking email, right? They should have secured their wifi if they didn't want me connecting, right?

Beware! The other end of that connection might be a Karma hotspot, set up by a malicious person to gather your data and your passwords, and maybe much, much more.

Karma is a wireless attack tool that listens for probe requests from wireless clients. Your client sends these out constantly, asking for every network in its remembered list. When Karma sees one, it answers as the access point the client is looking for, whatever the name. It is fully configurable, so the rogue network can carry a familiar coffee shop SSID like "Starbuck wireless" or "T-mobile". Looks fine, right? Think again.

Once you join this rogue hotspot, Karma provides all the services you expect: DHCP, DNS, POP3 (mail), HTTP, file sharing, and so on. If joining it simply broke your connection, you'd notice, disconnect, and Karma would get nothing from you. But Karma usually HAS an active connection to the net, so all your requests eventually reach the internet, after being proxied and logged by the attacker on the way.

Karma can even present its own SSL certificate when you visit an HTTPS site, masquerading as the secured site. That certificate isn't signed by a CA your browser trusts (and won't match the site's name), so the browser will warn you about an invalid cert. But studies have found that around 80% of users simply click OK through SSL certificate errors. Yikes!

(More info about certificate errors here: http://windows.microsoft.com/en-US/windows-vista/About-certificate-errors)

The moral? Make sure you're connecting to the hotspot you expect. Ask the barista for the real SSID at coffee shops, and bear in mind that a name proves nothing by itself, since Karma answers to whatever SSID your client asks for: prune open networks you no longer use from your client's remembered list so it stops probing for them, and tunnel through a VPN when you must use public Wi-Fi.

And never, ever, ever click through an SSL certificate error unless you KNOW it's OK. Because it usually isn't.


SQL Injection basics

(Image: example of a relational database table, via Wikipedia)

SQL injection is a technique in which an attacker manipulates a back end database by feeding the front end application - typically a web application - input that the application splices into its own SQL statements. SQL is the query language used to access most modern relational databases.

If successful, the attacker can read data they shouldn't see, change account information, insert rows into tables, or drop entire tables or databases.

Attackers will look for a web form of some type (or any other input the application reads: query string parameters, cookies, headers), then feed SQL fragments into the fields until data comes back or a helpful error message is displayed. Verbose error messages are very handy for troubleshooting applications, but they are absolute gold to an attacker, because they reveal the database type and the shape of the query being built.

Often, developers use JavaScript in the browser (client side) to filter out characters they don't want sent to the application, but it is all too easy for an attacker to get around this with a custom client or an intercepting proxy. Client side checks are a convenience for legitimate users; the validation that matters has to happen on the server.

Example attacker code:

select id from users where name = 'Bill'; drop table users;--';

Here the attacker typed Bill'; drop table users;-- into the name field. The single quote closes the string literal, the semicolon terminates the application's own SELECT, the second statement tells the database to drop the USERS table, and the trailing -- comments out the closing quote the application appends, so the whole thing still parses. (Not every database driver will run two stacked statements from one call, but many will, and a payload such as Bill' OR '1'='1 needs no stacking at all to dump every row.)

Watching your logs for special characters (;, ', --, *) in request parameters and blocking the offending IP addresses is one reactive defense, and worth doing, but it only catches attackers after they have started probing. The fix belongs in the application: use parameterized queries (prepared statements) so user input is bound as data and never parsed as SQL, validate input on the server rather than trusting client side filtering, run the application under a database account with the least privilege it needs (one that cannot DROP TABLE), and turn verbose database errors off in production.

With those in place this stops being such a tough one to defend against, but be ever vigilant with checking your logs all the same!

Reset root password on FreeBSD 7.2

Caveat - you will need console access to the box, not just a remote shell, because you'll be booting to single user mode. (The flip side: anyone with console access can do this too, unless the console is marked insecure in /etc/ttys, in which case single user mode prompts for the root password.)

1. Boot to single user mode

2. Issue the following at the # prompt:

   mount -u /
   mount -a

This remounts the root file system read/write and mounts the remaining file systems listed in /etc/fstab. You may get a warning that you must run fsck first; if so, run fsck at the # prompt and fix everything it reports before continuing. Then issue:

   passwd

and enter the new root password when prompted. Type exit (or reboot) to leave single user mode.



Snort tip: Quick suppression technique

If you manage a Snort box, you know how much time goes into tuning thresholds and tweaking rules. Here's a quick way to search your rules files for the sid you need to suppress in your threshold.conf. This works on BSD, but Linux should be fairly close.

1. Search all the rules files for a pattern (grep the files directly; looping over the output of ls gives bare filenames that only resolve if you happen to be in that directory):

grep -iH "Pattern to search" /path/to/rules/*.rules

This returns the matching rule line(s), with the file name, including the sid you need to suppress.


2. Issue this command to add the suppression to your threshold.conf (the keyword is sig_id, and the line must be quoted or the shell treats <SID> as a redirection):

echo "suppress gen_id 1, sig_id <SID>" >> /path/to/threshold.conf


Step 1 greps every rules file in the folder for the pattern. Step 2 appends the suppress line to the end of your threshold.conf. If the rule only fires falsely for one host, scope the suppression instead of silencing it everywhere, for example "suppress gen_id 1, sig_id <SID>, track by_src, ip <address>".

Remember to restart Snort (or send it a SIGHUP) so it loads the changes!
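The following is an added example, not part of the original post, that does the same two steps in Python over a constructed rules snippet: it greps the rules for a pattern (case-insensitively, skipping commented-out rules), pulls out each match's gid (defaulting to 1) and sid, emits the matching suppress lines, optionally scoped to one source address, and merges them into existing threshold.conf text without adding duplicates. The rule text, sids and addresses are made up for the example.

```python
import re

# Constructed rules standing in for /path/to/rules/*.rules (not from the post; sids are in the local range).
SAMPLE_RULES = """\
alert tcp $EXTERNAL_NET any -> $HOME_NET 22 (msg:"LOCAL SSH brute force attempt"; flow:to_server,established; sid:1000001; rev:2;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET 22 (msg:"LOCAL SSH old rule"; sid:1000009; rev:1;)
alert icmp any any -> $HOME_NET any (msg:"LOCAL ICMP ping sweep"; itype:8; sid:1000002; rev:1;)
alert tcp $HOME_NET any -> any any (msg:"LOCAL ssh client banner"; content:"SSH-"; gid:1; sid:1000003; rev:1;)
"""

SID_RE = re.compile(r"\bsid:\s*(\d+)\s*;")
GID_RE = re.compile(r"\bgid:\s*(\d+)\s*;")
MSG_RE = re.compile(r'msg:\s*"([^"]*)"')


def find_rules(rules_text, pattern):
    """Step 1: grep -i for the pattern, returning gid/sid/msg for each active rule that matches."""
    pat = re.compile(pattern, re.IGNORECASE)
    found = []
    for line in rules_text.splitlines():
        line = line.strip()
        if not line or line.startswith("#") or not pat.search(line):
            continue  # blank, commented out, or no match
        sid = SID_RE.search(line)
        if sid is None:
            continue  # not a rule line
        gid = GID_RE.search(line)
        msg = MSG_RE.search(line)
        found.append({
            "gid": int(gid.group(1)) if gid else 1,  # Snort rules default to gen_id 1
            "sid": int(sid.group(1)),
            "msg": msg.group(1) if msg else "",
        })
    return found


def suppress_lines(rules, track=None, ip=None):
    """Step 2: threshold.conf suppress entries; track/ip scope the suppression to one host."""
    out = []
    for r in rules:
        line = f"suppress gen_id {r['gid']}, sig_id {r['sid']}"
        if track and ip:
            line += f", track {track}, ip {ip}"
        out.append(line)
    return out


def merge_suppressions(existing_text, new_lines):
    """Append new suppress lines to existing threshold.conf text, skipping ones already present."""
    present = {l.strip() for l in existing_text.splitlines()}
    text = existing_text
    if text and not text.endswith("\n"):
        text += "\n"
    for line in new_lines:
        if line not in present:
            text += line + "\n"
            present.add(line)
    return text


if __name__ == "__main__":
    matches = find_rules(SAMPLE_RULES, "ssh")
    for m in matches:
        print(f"{m['gid']}:{m['sid']}  {m['msg']}")
    print(merge_suppressions("suppress gen_id 1, sig_id 1000001\n", suppress_lines(matches)), end="")
```

To use it against a real sensor, read the rules files into rules_text, read threshold.conf into existing_text, write merge_suppressions() back out, and restart Snort.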

About this Archive

This page is an archive of recent entries in the Security category.

Virtualization is the next category.

Find recent content on the main index or look in the archives to find all content.