InfoSecPodcast.com » Security How To’s

NSA’s guide to securing routers

Chris Harrington — Sat, 17 Feb 2007 02:50:21 +0000

My old pal’s from the System Network and Attack Center at the NSA have a great guide on securing routers. The Router Security Configuration Guide has a good amount of the networking basics and then goes into a lot of hands on configurations and best practices. Cisco routers are covered specifically but I would imagine that a lot of the commands would be the same for other routers that support CLI. Combining information from this guide along with using the Router Audit Tool (RAT) from the Center for Internet Security will get you going in the right direction.

I think that routers are one of the most overlooked pieces of perimeter security. A finely tuned border router can do a lot for you and your security posture.

Technorati Tags: NSA, SNAC, router, information security

URL Obfuscation Examples

Chris Harrington — Thu, 02 Nov 2006 01:23:27 +0000

Web browsers understand all sorts of URL formats. If you want to go to Google you put www.google.com in your browser. These URL’s are also valid for Google as well:

http://1208930147

and

http://%67%6f%6f%67%6c%65%2e%63%6f%6d

For a good explanation as to why this is and what URL obfuscation is used for, check out this post.

–Chris

Technorati Tags: URL, obfuscation, Browser, Google

Skype Security

Chris Harrington — Mon, 16 Oct 2006 15:50:31 +0000

I use Skype fairly regularly as do many people I know. In fact, you can Skype me at chrisharringtonor leave me voicemail at 603-397-3392 (also Skype). Over the past couple months I have seen some interesting information and links on Skype and it’s security and anonymity. I thought I would share some of these.

Anonymity
Skype is basically Voice over IP (VoIP) using some peer to peer (P2P) technologies. I am not going to go into the details here. If you want to learn more about how Skype works check out this link. Since Skype is P2P based many people believe that there is an inherent security, due to the multiple peers involved with the call. This is simply not true . If it has an IP address it is traceable to some extent. Kobi Alexander (former CEO of Comverse and Federal Fugitive) found this one out the hard way. He placed a one minute Skype call which investigators traced to Sri Lanka. He was arrested in Namibia shortly after. George Mason University has published a paper on Tracking Anonymous PeertoPeer VoIP Calls on the Internet. It’s an interesting read.

Disabling Super Node
Skype has the ability (and authority under the EULA you didn’t read) to use your PC as a Super Node. Skype uses Super Nodes to route Skype phone calls. If you have a reasonable fast processor and fast Internet connection your PC may be tasked with being a Super Node. The concern here is that Skype could plug up your network with calls being routed to other Skype users. This was enough of a concern to the folks at Fermi National Accelerator Laboratory that they wrote a how-to on disabling super node / relaying in Skype.

**DISCLAIMER:** Disabling Super Node is Skype *may* be in violation of their Terms of Service. I have not read closely it so I do not know for sure. Proceed at your own risk and I take no responsibility.

Disable File Transfer & API access
Transferring files using IM / Chat / VOIP clients has been problematic at best because of the risk of passing malicious files. Most commercial AntiVirus vendors don’t have tight integration with these types of products. There are AV plugins for Outlook and IE but not may for Trillian or mirc. The Skype Security Blog has a post on Disabling File Transfers.

On that same blog post is a procedure for disabling access to the Skype API. As the saying goes, if you don’t need it…don’t turn it on.

There is also a good whitepaper on Skype security by Simson Garfinkel here.

–Chris

Technorati tags: Skype, security, P2P, Kobi Alexander, Super Node

Securing Microsoft Office

Chris Harrington — Thu, 12 Oct 2006 15:07:01 +0000

SecurityFocus has posted a two part article on securing Microsoft Office, written by Khushbu Jithra. It’s a pretty good article combo with the first article talking about Office’s security issues and the second article covering the forensics involved.

–Chris

Technorati tags: Microsoft Office, Security, vulnerability, security focus

Demystifying 802.1x

Chris Harrington — Tue, 19 Sep 2006 02:58:25 +0000

I came across this white paper by Fluke Networks. It does a great job of visually representing the components in 802.1x, how the various handshake’s work and different protocols involved.

Definitely worth a read if you want a cheat sheet on 802.1x. It’s through Bitpipe so you will have to register to download it.

–Chris

Technorati Tags: 802.1x, Fluke, Bitpipe

MS Exchange build numbers for pentesting

Chris Harrington — Thu, 31 Aug 2006 18:45:53 +0000

Have you ever telnet’d to an MS Exchange server and wondered what Service Pack or Release version it was? I know I have. It can be a good way to double check what Nessus or another VA tool told you was a vulnerable version. CDOLive has a nice table that matches Version, Service Pack and release date for Exchange versions since 4.0. So the next time you see thison port 25:

220 mydomain.com Microsoft ESMTP MAIL Service, Version: 6.5.7226.6 ready at
Wed, 30 Aug 2006 16:11:32 -0400

you can tell that it is at least MS Exchange 2003 with Service Pack 1 installed. They don’t seem to cover the Small Business Server versions of Exchange. My SBS 2003 returns a version string of 6.0.3790.1830, which is not listed. They also don’t cover the myriad of hotfixes / updates that change a build number. Still a good reference though as a place to start.

Outlook build numbers are listed there as well.

–Chris

Technorati Tags: Exchange, Pentest, Outlook, Microsoft

Everything you wanted to know about SQL injection

Chris Harrington — Fri, 04 Aug 2006 02:50:30 +0000

Ok…it’s probably not EVERYTHING but I thought it was a pretty good article. Besides, that is their title to the article, not mine. I like that it covered not only execution of a SQL injection attack but also how to detect it and tips to prevent such an attack. Application security is not my strongest skill so there is a chance that the article will not interest real app-sec pro.

If you are looking to learn more about application security (web application security specifically), check out OWASP. It’s the Open Web Application Security Project. There are local chapters all over the world.

–Chris

Technorati Tags: SQL injection, application security