January 13th, 2010 by Jeff P.
Here are some disturbing statistics:
- A recent Hotmail security breach revealed that an overwhelming number of users are using predictable, insecure passwords:
  - 61% of passwords were either only lowercase letters or all digits (examples: iloveyou or 123456).
  - 20% of passwords were six or fewer characters.
- An estimated 1 in 9 people use one of the Top 500 passwords posted on WhatsMyPass.com.
- 1 in 50 people are estimated to use one of the Top 20 passwords, among which are password, 123456, and qwerty.
- Many of the Top 500 passwords are simple dictionary words, curse words, or common first names.
- 60% of web users have only one password that they use for all of their online accounts, including Facebook, PayPal, email, and banks, according to a recent study.
A typical strong password guide looks a little something like this:
- At least 8 characters long
- At least three of the following:
  - lower case letter
  - capital letter
  - numeral
  - special character
But this really seems to miss the point. For example, go to Microsoft’s password checker and type in this password: qwerty123456! The checker gives this password strength “Best.” But is it really?
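The gap the post points at can be made concrete. The following is an added example, not code from the original post: it implements the composition rule above as written, then runs a second check that looks for what those rules ignore (a common password with a trivial suffix, or a string that is mostly keyboard and digit runs). The common-password set is a small constructed sample, not the WhatsMyPass.com Top 500, and the sequence list and thresholds are my own choices.

```python
"""Added example (not from the original post): a composition-rule checker of the
kind the post describes, beside a second check that catches what those rules
miss. The word list below is a small constructed sample, not the WhatsMyPass.com
Top 500."""
import string

# Constructed sample of common passwords; a real deployment would load a full
# breach-derived list.
COMMON_PASSWORDS = {"password", "123456", "qwerty", "iloveyou", "letmein"}

# Keyboard rows, the alphabet and the digit run that people chain into
# "complex" passwords.
SEQUENCES = [
    "qwertyuiop", "asdfghjkl", "zxcvbnm",
    "0123456789", "abcdefghijklmnopqrstuvwxyz",
]


def passes_composition_rules(pw: str) -> bool:
    """The typical guide: 8+ characters and three of four character classes."""
    classes = [
        any(c.islower() for c in pw),
        any(c.isupper() for c in pw),
        any(c.isdigit() for c in pw),
        any(c in string.punctuation for c in pw),
    ]
    return len(pw) >= 8 and sum(classes) >= 3


def _strip_sequences(pw: str, min_run: int = 4) -> str:
    """Remove every keyboard/alphabet/digit run of min_run+ chars (either direction)."""
    s = pw.lower()
    for seq in SEQUENCES:
        for candidate in (seq, seq[::-1]):
            # Longest runs first, so "qwerty123456" collapses in one pass.
            for length in range(len(candidate), min_run - 1, -1):
                for start in range(0, len(candidate) - length + 1):
                    run = candidate[start:start + length]
                    if run in s:
                        s = s.replace(run, "")
    return s


def weaknesses(pw: str) -> list:
    """Reasons a password is weak even when it satisfies the composition rules."""
    reasons = []
    # "password1!" is still "password": strip trailing digits and punctuation.
    core = pw.lower().rstrip(string.punctuation + string.digits)
    if pw.lower() in COMMON_PASSWORDS or core in COMMON_PASSWORDS:
        reasons.append("common password (with trivial suffix)")
    residue = _strip_sequences(pw)
    if len(residue) < len(pw) // 2:
        reasons.append("mostly keyboard or digit sequences")
    return reasons


def assess(pw: str) -> dict:
    """Combine both views so the contrast is visible in one result."""
    return {
        "composition_ok": passes_composition_rules(pw),
        "weaknesses": weaknesses(pw),
    }


if __name__ == "__main__":
    for candidate in ("qwerty123456!", "password1", "Tr0ub4dor&3"):
        print(candidate, assess(candidate))
```

Run it and `qwerty123456!` comes back with `composition_ok` true and two weaknesses, which is the post's point: the rule set is satisfied by a string that is one keyboard row, one digit run and one symbol.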
Tags: hacking, password policy, security
December 30th, 2009 by Patrick M.
Any admin worth his/her salt has a common set of tools and applications they use on a regular basis for managing whatever environment for which they are responsible. Managing the security of the environment is no exception. While this meager blog post makes no claims to aid you in performing a full scale security analysis or penetration test, there are some basic tools you can use to ensure that the most glaring problems are found and mitigated.
- NMap - This is one of the most popular port scanners found on the Internet, and the reason for this is because it’s, well, a great tool. With configuration options a mile long and a great development community behind it, it really does exactly what it says it will and not much more.
- Nessus - Nessus is a network vulnerability scanner that constantly updates a list of plugins and “checks” which it uses to evaluate a server for given vulnerabilities. While they did recently change their licensing model, replaced their free registered plugin feed with a feature-sparse “home” feed, and also changed from open to closed source, Nessus is still one of the premier vulnerability scanning tools available.
Tags: metasploit, nessus, nmap, security
December 16th, 2009 by Jason C.
What is URLScan? URLScan is a free tool provided by Microsoft that restricts certain kinds of HTTP requests that IIS will process. Though there are many different uses of URLScan, today I will only be covering SQL Injection blocking.
SQL Injections occur when attackers enter malformed SQL statements into data input fields. The attacker can modify or retrieve data from your database and, in some cases, even access data stored in your filesystem outside of SQL Server. If you find that you’re a victim of SQL Injection attacks and you’re not equipped to make all of the necessary changes to your application (or if implementing those changes would take a long time), then URLScan may be a good fit for you until you can fix the root cause of the attack.
As of this writing, URLScan 3.1 is the latest edition and can be downloaded from Microsoft. A URLScan ISAPI filter is configured for all websites on your server after performing a default installation of URLScan. This ISAPI filter intercepts requests before IIS processes them and applies the security rules defined in the URLScan.ini file to each request.
The blocking of SQL injection attacks is handled by the DenyQueryStringSequences security rule. The rule matches IIS requests against a list of character sequences that you provide. If the request contains one of the character sequences specified in the security rule, the request is dropped, logged in the URLScan log, and a 404 status is returned. You can configure URLScan to only log requests that match your defined character sequences instead of blocking them. I would recommend starting off with the logging-only mode so you can determine whether or not valid traffic would be blocked. If valid traffic is being blocked, you’ll need to modify the character sequences you are choosing to block.
Below is a configured DenyQueryStringSequences security rule. I have added some of the most common SQL commands used in SQL Injection attacks:
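To show why the logging-only phase matters, here is an added example that is not part of the original post and not URLScan's own code: a small model of the DenyQueryStringSequences decision (match the decoded query string against a sequence list; in blocking mode drop with a 404 and log, in logging-only mode log and pass through) with a dry-run helper that reports which known-good requests the current list would have blocked. The deny list, the sample requests and the simplified log format are all constructed for the example; it decodes percent-encoding before matching because a literal match on the raw query string misses an encoded payload.

```python
"""Added example (not from the original post or from URLScan): a model of the
DenyQueryStringSequences decision so logging-only and blocking modes can be
dry-run against sample traffic. Requests and the deny list are constructed."""
from typing import Optional, Tuple, List
from urllib.parse import unquote_plus, urlsplit

# Illustrative deny list in the spirit of the rule; tune it per application.
DENY_SEQUENCES = ["--", ";", "/*", "xp_", "union select", "select ", "insert ", "drop "]

# Constructed sample traffic: (method, url). The last two are legitimate
# requests that happen to contain denied substrings.
SAMPLE_REQUESTS = [
    ("GET", "/products.aspx?id=42"),
    ("GET", "/products.aspx?id=42%27%20OR%201%3D1--"),
    ("GET", "/products.aspx?id=1%3BDROP%20TABLE%20orders"),
    ("GET", "/search.aspx?q=select+a+size"),
    ("GET", "/docs.aspx?title=notes--draft"),
]
KNOWN_GOOD = {"/search.aspx?q=select+a+size", "/docs.aspx?title=notes--draft"}


def matched_sequence(url: str) -> Optional[str]:
    """First denied sequence found in the decoded, lower-cased query string, else None."""
    query = unquote_plus(urlsplit(url).query).lower()
    for seq in DENY_SEQUENCES:
        if seq in query:
            return seq
    return None


def handle(method: str, url: str, log_only: bool) -> Tuple[int, Optional[str]]:
    """Mimic the filter: returns (status sent to the client, log entry or None).

    Blocking mode: a match is dropped with a 404 and logged.
    Logging-only mode: a match is logged but passed through (200 stands in
    for "let IIS handle it")."""
    seq = matched_sequence(url)
    if seq is None:
        return 200, None
    entry = f"{method} {url} matched {seq!r}"
    return (200, entry) if log_only else (404, entry)


def dry_run(requests, known_good) -> Tuple[List[str], List[str]]:
    """Evaluate traffic in logging-only mode and list the known-good requests
    the current deny list would block once blocking is switched on."""
    hits, false_positives = [], []
    for method, url in requests:
        _, entry = handle(method, url, log_only=True)
        if entry:
            hits.append(entry)
            if url in known_good:
                false_positives.append(url)
    return hits, false_positives


if __name__ == "__main__":
    hits, fps = dry_run(SAMPLE_REQUESTS, KNOWN_GOOD)
    print("\n".join(hits))
    print("would block legitimate traffic:", fps)
```

In the sample, the search page and the document title both trip the list (`select ` and `--`), which is exactly the kind of collision the logging-only run is meant to surface before the rule is allowed to return 404s.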
Tags: hacking, security, sql injection, urlscan, Windows
November 18th, 2009 by Jason B.
The PCI Council introduced the PCI version 1.2.1 specification earlier this year, and there has been a lot of clarification done so the specification makes more sense; however, there is still a lot of help needed in deciphering exact needs and next steps. Face it: it all comes down to what you have to do to be compliant. Well, a Managed Host can offload some of that confusion. At INetU, we can work with you and provide guidance on the 12-section PCI specification. Here is a nice little overview of how INetU can help you on your way to PCI compliance.
Requirement 1 – Requirement 1 deals with the network topology’s overall security, including items like routers, switches, and firewalls. The overall security policy and implementation of those devices are key. INetU can work with you to build a strong rule set for your managed firewall, and we can segment the network topology around your servers hosted here. The rest of INetU’s network infrastructure outside your environment is covered via INetU’s PCI Level 1 Service Provider compliance.
Requirement 2 – This requirement deals with securing the devices/systems. Items like removing default vendor supplied passwords, strong configuration standards, and encrypting administrative access are key here. INetU provides a strong configuration standard, based on NIST and SANS requirements, that includes changing default passwords. INetU can also provide VPN capable firewalls so that administrative access to your servers is encrypted.
Requirement 3 – PCI Requirement 3 deals with protection of the cardholder data that can be stored on your servers. INetU can provide good guidelines on how to handle such information, as well as tools to check for this type of data on your servers and whether it meets the relevant requirements. A lot of these requirements are best practices for securing data. INetU can not only work with you on best practices and options for key management, but also help decipher some of the specifics in this requirement.
Tags: managed hosting, pci, security
September 30th, 2009 by Jason B.
Data today is more valuable than it has ever been. Mix that with the fact that online data storage is growing exponentially and you have a potential nightmare. Security in today’s world is essential, but one doesn’t have to break the bank to get some basic protection and visibility. Here is a list of 5 easy steps to help you get some basic protection and visibility into your environment before it is too late:
- Use VPN for all non-public traffic – Today’s firewalls almost always come with VPN capabilities. Take advantage of this technology. Your firewall should only be opened for services that are for public consumption. Utilizing the VPN for management traffic like FTP, SSH, RDP, etc., can be a huge jump in security hardening. Most people have dynamic IPs, so having to keep opening firewall ports for those IPs can lead to those old rules never being cleaned up, or even to those services being opened up to everyone! Don’t take a chance and leave a hole open for potential hackers; use this method to help lock down the firewall.
- Limit the external footprint of your servers – If you don’t need something, turn it off. If your servers are not running a service for public consumption, don’t allow it through the firewall. For example, Active Directory servers typically have IIS installed and working. But as there is no public need for that, don’t allow external connections. Default to deny, and only allow the essentials: both are good rules of thumb.
- Log….Log….Log… – Turn on firewall logging whenever possible. Logging is essential to helping detect any problems that are currently going on, or have been going on. Seeing a particular server getting strange requests, or a single IP address scanning your network, could be an early indication of issues.
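The first three steps above lend themselves to two routine checks, shown here as an added example that is not from the original post: an audit of a firewall rule set for management ports (FTP, SSH, RDP) allowed from any source and for a missing default deny, and a pass over firewall log lines that flags a single source address whose denied connections touched many distinct destination ports. The rule tuples, the VPN address range and the log line format are all constructed for this example and do not correspond to any particular firewall product's syntax.

```python
"""Added example (not from the original post): two defender-side checks for
the steps above. The rule set and log lines are constructed samples in a
simplified format, not the output of any particular firewall product."""
from collections import defaultdict
import ipaddress

# Management services that should only be reachable over the VPN.
MANAGEMENT_PORTS = {21: "FTP", 22: "SSH", 3389: "RDP"}

# Constructed rule set: (action, source CIDR, destination port or None for any).
# Order matters; the final deny-all is the "default to deny" rule.
RULES = [
    ("allow", "0.0.0.0/0", 443),
    ("allow", "0.0.0.0/0", 80),
    ("allow", "0.0.0.0/0", 3389),        # RDP open to the world: finding
    ("allow", "203.0.113.0/24", 22),     # SSH from an assumed VPN range: fine
    ("allow", "0.0.0.0/0", 22),          # leftover "temporary" rule: finding
    ("deny", "0.0.0.0/0", None),
]


def audit_rules(rules):
    """Flag management ports allowed from any source and a missing default deny."""
    findings = []
    for action, src, port in rules:
        wide_open = ipaddress.ip_network(src).prefixlen == 0
        if action == "allow" and wide_open and port in MANAGEMENT_PORTS:
            findings.append(f"{MANAGEMENT_PORTS[port]} (tcp/{port}) allowed from any source")
    last = rules[-1] if rules else None
    if last is None or last[0] != "deny" or last[2] is not None:
        findings.append("rule set does not end with a default deny")
    return findings


# Constructed firewall log lines: "<time> <action> src=<ip> dst=<ip> dport=<port>".
LOG_LINES = """\
10:00:01 deny src=198.51.100.7 dst=192.0.2.10 dport=21
10:00:01 deny src=198.51.100.7 dst=192.0.2.10 dport=22
10:00:02 deny src=198.51.100.7 dst=192.0.2.10 dport=23
10:00:02 deny src=198.51.100.7 dst=192.0.2.10 dport=25
10:00:03 deny src=198.51.100.7 dst=192.0.2.10 dport=110
10:00:03 deny src=198.51.100.7 dst=192.0.2.11 dport=22
10:00:04 allow src=192.0.2.55 dst=192.0.2.10 dport=443
10:00:05 deny src=192.0.2.55 dst=192.0.2.10 dport=8443
""".splitlines()


def parse_line(line):
    """Split one constructed log line into a record."""
    fields = line.split()
    kv = dict(f.split("=", 1) for f in fields[2:])
    return {"time": fields[0], "action": fields[1], "src": kv["src"],
            "dst": kv["dst"], "dport": int(kv["dport"])}


def find_scanners(lines, min_ports=5):
    """Source IPs whose denied connections touched min_ports+ distinct
    (destination, port) pairs: one address probing many services."""
    targets = defaultdict(set)
    for line in lines:
        rec = parse_line(line)
        if rec["action"] == "deny":
            targets[rec["src"]].add((rec["dst"], rec["dport"]))
    return sorted(src for src, t in targets.items() if len(t) >= min_ports)


if __name__ == "__main__":
    for finding in audit_rules(RULES):
        print("rule audit:", finding)
    print("possible scanners:", find_scanners(LOG_LINES))
```

The audit reports the RDP rule and the forgotten world-open SSH rule while accepting SSH from the VPN range, and the log pass singles out 198.51.100.7, which walked six denied service ports in a few seconds; the single denied hit from 192.0.2.55 stays below the threshold.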
Tags: firewall, security