security

CMU announces free Firefox add-on to increase browser security against DNS flaw and digital signature problems

by File in: browser add-ons, security

Carnegie-Mellon University is making available a free add-on for Firefox 3.0 that’s intended to increase browser security. The Firefox add-on was developed at the university’s School of Computer Science and College of Engineering and is available for free download. The Perspectives software not only protects Firefox users against attacks that might occur because of the recently disclosed […]

Basic Apache Hardening in SLES 10

by File in: security

I setup a SuSE Enterprise Linux (SLES) 10 SP2 web server last week, and wanted to do some basic hardening of the default Apache configuration.  Here’s what I did. edit /etc/apache2/httpd.conf Add RewriteEngine On Add RewriteLogLevel 2 Add RewriteLog /var/log/apache2/rewrite.log Add ServerSignature Off The ServerSignature directive allows the configuration of a trailing footer line under […]

Free ConfigCheck Utility for VMware ESX host security assesment

by File in: virtualization

Tripwire has a free, Windows based security assessment tool called ConfigCheck for VMware ESX hosts.  It rapidly assesses the security of VMware ESX hypervisor configurations compared to the VMware Infrastructure 3 Security Hardening guidelines. According to the VMware website: Tripwire ConfigCheckTMis a free utility you can use to rapidly assess the security of your VMware ESX host configurations, according […]

Multivendor DNS Flaw auditing tool

by File in: security

Earlier I discussed the multivendor DNS flaw and linked to Dan’s web page that contains a tool you can run to see if your DNS servers are vulnerable to cache poisioning. Jose has developed a basic open source tool called CacheAudit that can be used to determine if the cache on your DNS server has been poisoned.  He describes […]

Test for Multivendor DNS Flaw

by File in: security

By now, everyone on the Internet is aware of the fundamental flaw in DNS that all major vendors released security patches for this week.  Dan Kaminsky, the security researcher who discovered the cache poisoning bug, has developed a test for this flaw that you can find at his web site.  Many people have downplayed this […]

Sun Java Multiple Security Vulnerabilities Rated Highly Critical

by File in: security

Sun has disclosed multiple security vulnerabilities within their Java product, which are summarized here.  The categories of vulnerabilities include: 1) Security Bypass 2) Exposure of system information 3) Exposure of sensitive information 4) DoS 5) System access The following Sun products are affected: Java Web Start 1.x Java Web Start 5.x Java Web Start 6.x […]

Go read Microsoft Security Advisory 954462 now

by File in: security

If you are responsible for the web server or web application security, go read Microsoft Security Advisory 954462, Rise in SQL Injection Attacks Exploiting Unverified User Data Input immediately.  It contains important information on detecting and mitigating SQL injection vulnerabilities. This advisory is not specific to only Microsoft products like the IIS web server and […]

Recommendations for securing Internet Explorer, Firefox and Safari web browsers

by File in: security

Cert has a document that show some specific steps you can take to secure your Internet web browser.  Detailed instructions, including screen shots are provided, along with explanations of what you are configuring and what the potential ramifications are. The document focuses on IE, Firefox, and Safari and includes supplemental reference links to additional content.  They […]

Resources for Securing Mac OS X Panther, Tiger and Leopard

by File in: security

I will  be the first to admit that I am primarily a Windows and Linux user.  Not that I don’t like Macs, but the majority of my client base is single platform on the desktop (Windows) and either Windows or Linux servers.  My lack of exposure to Macs, and subsequent lack of OS X-specific security […]

Gone in 47.11 Seconds

by File in: security

I was performing a little security audit today, and used PWdump to dump the contents of the SAM file from a Windows 2000 Domain Controller. I took the results from PWdump and imported them into LMcrack.  It took 47.11 seconds to enumerate 617 of the 2272 account passwords. Next I ran Richard Mueller’s DocumentGroups.vbs script which dumped the group […]