November 14, 2006

How to buy a 65” Plasma for $.99

How secure is your web application? Are you sure? We are constantly amazed at the lack of basic security many companies employ online. For instance, it has been known for years that e-commerce sites that rely on hidden form fields are susceptible to manipulation. The problem doesn’t seem to be getting any better, and some service providers are actually making it worse. Many smaller hosting companies offer software solutions to help small businesses get online “faster” and “easier.” That almost never translates into more secure.

Which brings me to the title of this article. During my studies for the CEH exam, I was exposed to the seriously flawed CartIt.cgi shopping cart application. CartIt.cgi is a widely used shopping cart that stopped being developed last year. The reason this application is flawed is that it uses hidden fields within the HTML POST to submit the price and quantity when the user clicks the add-to-cart button. Hidden fields are easy to manipulate. One of the easiest ways is to use a local proxy, such as Paros, to intercept the POST, effectively launching a man-in-the-middle attack. This allows you to change the price before it is submitted to the server. (read more…)
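The defect described above, shown as an added illustration rather than CartIt.cgi’s own code: a handler that trusts the hidden price field next to one that treats the client’s input as a choice of item and quantity only, with the price taken from a server-side catalog. The catalog, item ids, prices and the tampered POST body are constructed for the example.

```python
"""Hidden-field price tampering: client-trusting vs. server-authoritative cart."""
from decimal import Decimal, InvalidOperation

# Constructed server-side catalog: the only legitimate source of prices.
CATALOG = {
    "plasma65": Decimal("3999.99"),
    "hdmi-cable": Decimal("19.99"),
}

# Constructed POST body. Hidden fields arrive exactly like visible ones, so a
# local proxy can rewrite "price" before the server ever sees the request.
TAMPERED_POST = {"item": "plasma65", "price": "0.99", "qty": "1"}


def add_to_cart_trusting(form):
    """Vulnerable pattern: the line total is computed from the client's price."""
    qty = int(form["qty"])
    return Decimal(form["price"]) * qty


def add_to_cart_hardened(form):
    """Fixed pattern: returns (line_total, tampered).

    The client may only say *what* and *how many*; the server decides the
    price and validates the quantity. A submitted price is never used, but a
    mismatch against the catalog is reported because it is a tampering signal
    worth logging and alerting on."""
    item = form.get("item")
    if item not in CATALOG:
        raise ValueError("unknown item")
    try:
        qty = int(form.get("qty", ""))
    except ValueError:
        raise ValueError("quantity is not an integer")
    if not 1 <= qty <= 100:          # constructed per-line business limit
        raise ValueError("quantity out of range")
    submitted = form.get("price")
    tampered = False
    if submitted is not None:
        try:
            tampered = Decimal(submitted) != CATALOG[item]
        except InvalidOperation:
            tampered = True          # non-numeric price is tampering too
    return CATALOG[item] * qty, tampered


if __name__ == "__main__":
    print("trusting :", add_to_cart_trusting(TAMPERED_POST))
    print("hardened :", add_to_cart_hardened(TAMPERED_POST))
```

The same rule applies to every client-supplied field that drives money or access decisions: quantity, shipping method, discount codes and item ids are validated, while price and totals are recomputed server-side.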

          Comments (40)

November 13, 2006

New Cingular G3 Phones Leapfrog the Competition

We do a lot of work with Microsoft Windows Smartphones, so we have been anxiously awaiting the next generation of phones. Verizon has been the clear leader in the US, offering the Palm 700W, the Motorola Q, and the HTC XV6700. Those of us with Cingular contracts have suffered from phone envy for a long time.

According to our friends over at MS Mobiles, the situation changes Thursday, the 16th of November. Cingular is set to ship 2 new smartphones:

  • The Samsung Blackjack is a Q killer. It offers G3 HSDPA broadband speeds, which are more than double the speeds of Verizon’s “high-speed” broadband. It is also a quad-band phone, making it well suited for world travelers.
  • The HTC Hermes, aka Cingular 8525 is the latest version of its popular pocket PC phone, which offers full touch screen PDA functionality. It is similar to the Verizon XV6700, but like the Blackjack, the 8525 offers HSDPA broadband. The 8525 also has a 2 megapixel camera and 802.11 support.

Both of these have great multimedia capabilities, such as streaming audio and video, but they really shine as business tools. If you have Microsoft Exchange 2003, these phones are a must-have. In Exchange 2003, Microsoft beefed up its wireless ActiveSync. With a Windows-based phone and an accessible Exchange 2003 web access server, you can synchronize e-mail, contacts and calendars over the cellular network. With Exchange SP2, Exchange can push data to your phone, but this is a huge battery drain. The better option is to set your phone to synchronize every 5-15 minutes. Exchange combined with a Windows Smartphone blows away the capabilities of BlackBerrys, and you don’t need any extra software to roll this out to your entire company.

I’m going to order the Blackjack as soon as it is released on Thursday, and hope to have a real-world review up soon.

          Comments (0)

October 22, 2006

10 New Immutable Laws of IT Security

Back in 2000, Microsoft released its 10 Immutable Laws of Security and 10 Immutable Laws of Security Administration. Six years later, these laws are still true. I recently started reading the excellent book Protect Your Windows Network: From Perimeter to Data by Jesper Johansson and Steve Riley, and they include these laws in their appendix. If you have not read this book, buy it immediately! It is a well-written introduction to the theory of network security, and is probably the best guide I’ve seen for those who are new to infosec. Although the book comes from Microsoft and the title includes Windows, it covers a wide range of topics, including social engineering, patch management, and security policy management, that can be applied to any environment.

After reading this book, I decided to write my own updated list of 10 Immutable Laws of Information Security. These 10 rules represent years of experience, hundreds of projects, and countless mistakes:

(read more…)

          Comments (7)

October 3, 2006

Discover Rogue Access Points with DHCP

I was recently challenged with the task of determining whether any rogue access points existed on a large network spanning multiple locations. The concern was that local staff would go down to CompUSA or Office Depot and buy APs to provide “convenience,” and IT would have no way of knowing. It was not practical to visit each site, and we could not rely upon local staff, because they were the very people we were worried about.

We determined that the likely scenario would be that the staff plugged the AP into the network and it obtained an “external” IP address from our DHCP servers. The likelihood that they would have statically assigned an IP seemed slim, since they would have no way to determine which IPs fall outside the DHCP range. Also, we counted on laziness to rule the day, since the AP would work fine with DHCP.

I came up with the following batch script to run against our DHCP servers. It dumps all current DHCP lease holders, and then checks them for known AP MAC address prefixes.
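The lease check described above, as an added Python illustration rather than the author’s batch script: it pulls the MAC and IP out of each line of a DHCP lease dump and flags any holder whose OUI (first three octets) belongs to a consumer AP vendor. The lease lines are constructed, loosely in the shape of a `netsh dhcp ... show clients` dump; the two OUI entries are example rows to be verified and extended from the IEEE OUI registry before relying on them.

```python
"""Find likely rogue APs among DHCP lease holders by vendor OUI."""
import re

# Vendor OUIs, normalised to upper-case colon form. Example entries only:
# verify and extend this table from the IEEE OUI registry for a real run.
AP_VENDOR_OUIS = {
    "00:0C:41": "Linksys",
    "00:09:5B": "Netgear",
}

# Constructed lease dump: IP - mask - MAC - expiry - type - hostname. The
# parser only needs a MAC and an IP per line, so other dump formats work too.
SAMPLE_LEASES = """\
IP Address - Subnet Mask - Unique ID - Lease Expires - Type - Name
10.10.1.21 - 255.255.255.0 - 00-0c-41-5a-12-9f - 11/4/2006 9:02:11 AM - D - linksys
10.10.1.22 - 255.255.255.0 - 00-13-72-0b-aa-01 - 11/4/2006 9:05:40 AM - D - DESKTOP-12
10.10.2.7  - 255.255.255.0 - 00:09:5B:77:31:c0 - 11/4/2006 9:06:03 AM - D -
"""

# Accept both "-" and ":" separated MACs; capture the three OUI octets.
MAC_RE = re.compile(r"\b([0-9A-Fa-f]{2})[:-]([0-9A-Fa-f]{2})[:-]([0-9A-Fa-f]{2})"
                    r"(?:[:-][0-9A-Fa-f]{2}){3}\b")
IP_RE = re.compile(r"\b\d{1,3}(?:\.\d{1,3}){3}\b")


def find_suspect_leases(lease_text, oui_table=AP_VENDOR_OUIS):
    """Return [(ip, mac, vendor)] for each lease whose OUI is in oui_table."""
    hits = []
    for line in lease_text.splitlines():
        mac_m = MAC_RE.search(line)
        ip_m = IP_RE.search(line)        # first IP on the line is the lease
        if not (mac_m and ip_m):
            continue                     # header, blank or malformed line
        oui = ":".join(octet.upper() for octet in mac_m.groups())
        vendor = oui_table.get(oui)
        if vendor:
            hits.append((ip_m.group(0), mac_m.group(0), vendor))
    return hits


if __name__ == "__main__":
    for ip, mac, vendor in find_suspect_leases(SAMPLE_LEASES):
        print(f"possible rogue AP: {ip} {mac} ({vendor})")
```

OUI matching only catches devices that keep their factory MAC and use a vendor you listed, so treat hits as leads to confirm on site or via switch port mapping, not as proof, and review the non-matching leases periodically for unfamiliar hostnames.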

(read more…)

          Comments (22)

September 29, 2006

E-Mail Retention & Sarbanes-Oxley White Paper

I wrote this paper last year on document retention and compliance with regard to e-mail systems. Sarbanes-Oxley section 802 has created a small nightmare for IT managers, and there is precious little information on what 802 really means. I wrote this paper as a guide for designing a system that would satisfy the worst-case scenario. SOX 802 carries big financial penalties as well as jail time for company officers. If you are an IT manager of a public company, this paper will serve as a good starting point. It is written with a vendor-neutral approach.

If you are looking for a compliance solution for e-mail, I highly recommend Hewlett-Packard’s RISS/RIM product suite. Symantec’s Enterprise Vault is also a good product, although in my experience it does not scale well beyond one data center. If you find this paper useful, drop me a comment and let me know how you are dealing with e-mail and SOX.

«download here»

          Comments (6)
©2006 William L. Dougherty • Design based on Corporate Pro by Mystical Twilight ·