Thursday, December 23, 2010

Open Source Projects for 2011

I have always agreed with Linus Torvalds on a few statements, one of them being: "The best way to do software is open source". Over the years my experience in the telecommunications industry has helped me understand that there are a few needs that still have to be satisfied.
Some technologies have come of age and are used heavily; however, businesses continue to operate at high cost due to the use of proprietary software, and they end up suffering the limitations that come with purchasing such software. My motivation is simple: provide high-end technology, done correctly and free of restrictions.
I chose 3 main projects to initiate, and they have attracted the attention of very experienced programmers across Africa, like Kennedy Kasina of the Fedora Project and Bernard Owuor, who recently won an award at the Samsung Apps Contest, both from Kenya.
We believe this is our way to give back to the community and we believe this will go a long way to put Africa on the technology front and to make software more Open.

The 3 projects are:
OpenUSSD: USSD technology is being used for services such as media download and mobile commerce. Our objective is to provide an interface that allows businesses to connect to operators who provide standard integration interfaces. OpenUSSD addresses a simple objective: giving companies an all-in-one enterprise USSD client platform for integration into almost any USSD gateway, with support for SOAP, RAW-XML, XML-RPC, SMPP and HTTP POST.

OpenSMS: One may argue that there are so many SMS clients available for download. Our goal behind OpenSMS is to provide a very lightweight yet enterprise-level SMSC server and client based on SMPP 3.4 and HTTP interfaces that allow for integration into almost any type of network operator's SMS gateway.

OpenCafe: Internet cafes across Africa mostly use pirated copies of proprietary internet cafe management software. We want to be a part of a generation that cuts down the use of stolen software. The alternative is to provide a better solution free of charge. OpenCafe follows a server/client model for operation, with features such as remote control of client machines, ticketing, accounting, activity monitoring and the like.


We will announce commencement of project activities soon. Keep watching this space or follow me on twitter for updates.
So get your Python hats ready and let's do some real coding.


Till then,
Freedom Regards,
(d3vnull)

FAD 2011 in Ghana

I get excited any time I have to share something about Fedora with the community. Fedora made a massive presence in Ghana during IDLELO 2010, held at AITI, where Pierros (.fas:ppapadeas) and myself (.fas:linuxthomass) represented the Fedora Community.
Next year, we make our presence felt again with the Fedora Activity Day (FAD) 2011.
Fedora is dedicated to spreading the word about freedom in software development and to living a true FOSS life. This is manifested in what is contained in Fedora.
In 2011 we hope to extend the fever of freedom to Ghana once more. So come get some swag (stickers, t-shirts, badges, laptop stickers and many more).
Activities to be held are as follows, not necessarily in the order below:

1. Installfest. Liberating imprisoned computer application developers and users into freedom, from other OSes to Fedora Linux. 100% Software Freedom.

2. How to join Fedora and contribute to subprojects.
a) Getting a mentor when you join the Fedora ambassadors.
b) Packaging applications from sources into RPM.

3. Getting personal on Fedora:
a) Tweaking your Fedora to speak Ghanaian languages.
b) Tweaking configurations for increased performance.
c) Basic ways to hack and secure your personal computer or enterprise servers.

4. Systems administration of up to 8 servers (Clustering, Monitoring, Security) using tools on Fedora/Red Hat/CentOS.

5. Virtualization using KVM, from GUI to terminal.

6. Understanding and Applying Software Engineering principles in Fedora.
Case Study: Coding away with Python (for systems administration and general application development, GUI with PyGTK 2.0)

7. Creating your own spin (version) of Fedora.

8. Hacking competition (Phase 1: Code hacking and packaging applications into Git. Phase 2: Hacking the network, setting up services and the network. Phase 3: Setting up a Fedora mirror for LAN-based updates.)


NB: The items on this list are subject to change as it's still under review at the moment. But this is a tentative activity list.


The 2 major questions I have received before this blog post are:
1. Where and when will it be held?
2. How much will it cost to sign up for FAD?

Well... guess what... we at Fedora believe in freedom and giving to the community, so we say:
1. It will be held at either Ashesi University Campus in Labone or at AITI-KACE. Date to be announced soon.
2. And guess what... it's free. Red Hat has decided to bear the cost for all who visit this massive 3-day event.

So get your laptops ready for some real geeking and freedom the Fedora way...

Drop a question or comment and I will be glad to respond.


Freedom, Friends, Features, First

Till we meet...its
Freedom Regards,
(d3vnull)

Sunday, August 15, 2010

New Infrastructure Design

This week has been quite hectic. From working on implementation stuff in the office, I have now taken on my new role of redesigning infrastructure for the company I work for.
We currently have a single point of failure for our services, which is causing heavy downtime and loss of revenue to the company.
The new design I came up with has the following objectives:

1. Provision of Highly Available Service, including transparent Failover across over 20 servers.
2. Provide a Highly Available scaled backend system that holds core data at high levels of read and write.
3. Enhance System and Service Monitoring
4. Enhance User Management and promote ease of work.

Tools to be harnessed in this new infrastructure design include:

Heartbeat
HAProxy
LDAP
Round-robin DNS
Nagios
Puppet
Supybot
Radius
Fedora mirror manager
GlusterFS


This setup has attracted the interest of Fedora infrastructure experts such as Mike McGrath and Sascha Spreitzer.
The results from the Model Lab will be shared with the infrastructure team members of Fedora. I will also share it on my blog so I will keep you updated on the proceedings.

Till then, stay tuned and let's get ready for next week as we set up the model lab.
I'll take you through each day and what the results of each test are.

BR(d3vnull);
FAS(linuxthomass)

Monday, June 14, 2010

Ghana Websites under attack



Sad as it may seem, Ghanaian websites seem to have drawn the undue attention of crackers in recent times.
Cyber crime seems to be the new style of attacking an enemy in any event.
After last night's rumours about the Serbian coach's house being vandalized, it now happens that banking websites like the one here have become the best way to express forms of anger.

This is the time when the Ghanaian government, including ISPs and companies, needs to pay more detailed attention to their Information Security.

I hope they listen to us this time around.

Friday, May 28, 2010

Getting MP3 to work in Fedora 12

The question I am asked about Fedora most of the time is how to get MP3, AVI and the like to work.
First of all I want to explain that Fedora does not package any proprietary software with it. As part of our 4 foundations, we believe in Freedom hence our 100% commitment to the Open Source Community.
However there are other developers who have made open tools available to play media such as MP3.
So here are very quick steps to get mp3 working on your Fedora 12 and 13.

1. Start your terminal
Applications->System Tools->Terminal

2. Step in as root by entering the command
#su -
Enter your root password to get root access.
NB: the # sign should not be included in the command. It represents the root prompt of a bash environment.

3. #rpm -Uvh http://download1.rpmfusion.org/free/fedora/rpmfusion-free-release-stable.noarch.rpm http://download1.rpmfusion.org/nonfree/fedora/rpmfusion-nonfree-release-stable.noarch.rpm

4. #yum install gstreamer-plugins-bad gstreamer-plugins-ugly gstreamer-plugins-good gstreamer-plugins-bad-free gstreamer-plugins-bad-free-extras gstreamer-ffmpeg

5. #init 6

6. When your box restarts test all your MP3 files to be sure you can play them.

That's it folks. If you have any question, just drop a comment and I will get back to you.

BR(d3vnull);

Wednesday, May 19, 2010

4 reasons to write your own security tools

So I was on a client's site a few days ago, before the beginning of the IDLELO conference. As the IT Manager watched me launch a few routine attacks from what looked like a rather strange application developed by d3vnull, he asked, "I have never seen this application called tuxbeast. Where can I download it from?". I smiled and said, "The sources are not available yet because I'm still working on perfecting some functions and making them easier to use".

As a Security Analyst, I find some initial tasks routine, depending on the environment. I will list about 4 reasons why it's essential that Security Analysts, Pentesters and Experts write their own tools at some point, or modify existing ones if they have the time.

1. It shows you understand what you are doing: To construct a local attack, you need to understand what you are doing and what you are attacking. The motivation behind writing your own tools lies in the fact that your tool can only work as expected if you understand the mechanics and tiny details needed in an attack. If your tool is successful at an attack which has a known vulnerability, then you can be assured you are on the right path as a Security Personnel.

2. It simplifies your assessment task: When you write tools on your own, it's very easy to automate them in loops or any other mechanism you put in place. Generating reports is even easier to do, as your tool produces reports to either stdout or file.

3. You improve your skills: Over time, your understanding of various attack vectors in various environments makes you very proficient in the security field and enhances your knowledge on a broader scope.

4. Your programming proficiency advances: Writing tools can be a very complex and challenging task, especially when the attack is a complex one. This usually requires the learning of new programming constructs or embedding of other constructs in your code base.
For example, if you are more proficient with C, there are lots of shellcodes that you can inject into some exploit code before launching it at a client's node. Over the years, your understanding of creating various shellcodes will have improved to an advanced level.

So go ahead, start learning how to write your own tools. It doesn't always matter the language, so long as it's Open Source.

BR(d3vnull);

Thursday, April 8, 2010

Facebook Privacy Issues and Your Security

We usually do not spend time reading the User Policy and Agreement or Privacy Policy, but trust me, it's worth it if you spend some 20 minutes of your time understanding these agreements before you accept them. Some are harmless, some are clearly harmful, taking part or all of your freedom away.
So I took time to read the Facebook Privacy Policy and terms and agreements, and here are a few points I noted down that in my opinion trample on the privacy of Facebook users.
1. Privacy Policy: "When your friends use Platform. If your friend connects with an application or website, it will be able to access your name, profile picture, gender, user ID, and information you have shared with 'everyone.' "
My Opinion: When my friends choose to use Platform, the data they give out should be limited to just them and not others who are not interested in these applications getting their data. In security terms, if there is a vulnerability in the application used by my friend, though I have not subscribed to it, I automatically become a target for any exploit or attack, including my friends who also have not connected to the application.
Facebook must change this because I see a huge privacy infringement. Access to user data by applications used by other friends must be strictly by permission of the user and not a default acceptance. This way we do not become vulnerable to coordinated attacks carried out on one user.
2. Section 4: "Information You Share With Third Parties. Facebook Platform. As mentioned above, we do not own or operate the applications or websites that use Facebook Platform. That means that when you use those applications and websites you are making your Facebook information available to someone other than Facebook."

My Opinion: Now here comes the big shot that I find in this statement and the one above. The implication of the 2 statements above is that, for any application your friends use, you are by default a target of vulnerabilities and exploits, and since Facebook is not responsible for developing those applications, they do not 'care' about the effect the application has on your personal data. Granted, if I choose to use an application, then I am solely responsible for whatever information the application grabs from my profile. My advice to my friends has always been that they should refrain from using multiple applications and joining several groups unless they do not mind their information ending up on a spam zombie in an unknown village. The security implications and vulnerabilities of using such applications on Facebook range from medium to high.
If I have not allowed any application to access my data, and my friend chooses to use one, why should I be affected by his or her choices? This is a question Facebook must answer.

My Final thoughts: While Facebook might choose to ignore user privacy concerns, you need to act responsibly by using few or none of these applications. Protect yourself and your friends from possible data theft and privacy infringements without your notice. Inform your friends to refrain from using applications, since they put your information at risk.
If anything should happen with your data, Facebook will simply refer you to the section of their privacy policy which says "When your friends use Platform. If your friend connects with an application or website, it will be able to access your name, profile picture, gender, user ID, and information you have shared with 'everyone.'"

Stay safe folks, use fewer applications or none at all.

When you next have some free time, you can read this article from another concerned Facebook user:
http://www.sophos.com/blogs/chetw/g/2010/04/07/facebook-privacy-standup-rivals/

exit(d3vnull);

Sunday, March 28, 2010

Maintaining Cyber Anonymity with Fedora Linux

I'll show you how to remain anonymous with your activities on the internet and browse securely.
This helps you keep your identity hidden.

Requirements:
Fedora Linux (Fedora 12 preferable)
Tor
Privoxy
Mozilla Firefox browser


1. Install Tor and Privoxy on your Fedora box
#yum install privoxy tor

2. Using the vi editor, as root, edit the privoxy config file to include this line (the trailing dot is part of the line):
forward-socks4a / 127.0.0.1:9050 .
It belongs a few lines after the line which reads
# 5.2. forward-socks4, forward-socks4a and forward-socks5
Then comment out the line:
jarfile jarfile

#vi /etc/privoxy/config

3. Start the privoxy and tor services
#service privoxy start
#service tor start
Start up your Mozilla Firefox.
Edit your network settings to include privoxy as your proxy server and tor as your socks server.

We are done. 3 simple steps.
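One way to check the edited Privoxy config against the steps above, as an added example that is not part of the original post: it flags an active jarfile line, forwarding rules that skip Tor, and forward-socks4, which resolves hostnames locally instead of through Tor. The function names, the sample configs and the simplified comment handling are assumptions made for this example.

```python
TOR_SOCKS = "127.0.0.1:9050"  # Tor SOCKS listener address used in the post
REMOTE_DNS = {"forward-socks4a", "forward-socks5", "forward-socks5t"}
FORWARDERS = REMOTE_DNS | {"forward", "forward-socks4"}

# Constructed sample configs for the demonstration (not from a real host).
GOOD_CONFIG = """\
# 5.2. forward-socks4, forward-socks4a and forward-socks5
forward-socks4a / 127.0.0.1:9050 .
#jarfile jarfile
"""
BAD_CONFIG = """\
forward-socks4 / 127.0.0.1:9050 .
forward .example.org .
jarfile jarfile
"""


def active_directives(text):
    """Yield (lineno, keyword, args) for each non-comment config line.

    Assumption: everything from '#' to end of line is a comment, which is
    a simplification that is good enough for the lines the post touches.
    """
    for lineno, raw in enumerate(text.splitlines(), 1):
        fields = raw.split("#", 1)[0].split()
        if fields:
            yield lineno, fields[0].lower(), fields[1:]


def audit(text):
    """Return a list of findings; an empty list means the config matches the post."""
    findings, catch_all_ok = [], False
    for lineno, key, args in active_directives(text):
        if key == "jarfile":
            findings.append(f"line {lineno}: jarfile is still active")
        if key not in FORWARDERS:
            continue
        pattern = args[0] if args else ""
        if key == "forward":  # plain HTTP forwarding never goes through Tor
            findings.append(f"line {lineno}: '{pattern}' is forwarded without Tor")
            continue
        socks = args[1] if len(args) > 1 else ""
        if socks != TOR_SOCKS:
            findings.append(f"line {lineno}: SOCKS parent {socks!r} is not Tor")
        elif key not in REMOTE_DNS:  # forward-socks4 looks hostnames up locally
            findings.append(f"line {lineno}: {key} resolves DNS locally (leak)")
        elif pattern == "/":
            catch_all_ok = True
    if not catch_all_ok:
        findings.append("no catch-all '/' rule sends traffic to Tor with remote DNS")
    return findings


if __name__ == "__main__":
    for name, cfg in (("good", GOOD_CONFIG), ("bad", BAD_CONFIG)):
        print(name, audit(cfg) or "OK")
```

To audit a real host, pass the contents of the Privoxy config file to `audit()` before starting the services in step 3.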

Watch out for my next article, when I put up code for monitoring bot activity on your ssh server running off CentOS, Fedora or Red Hat.

:)

Wednesday, January 27, 2010

Lessons to be learnt from the Google-China Attack

After reading several articles about the Google-China Attack, I have come to a conclusion as to what lessons we can learn as a Country or a Business or as Security Consultants.

1. Heed the warning signals in advance: If you have read the Northrop Grumman PRC Cyber Paper Approved Report, written on 16 October 2009, you will see that Google could have averted the attacks. One of the things I found interesting in that report was the "Capability of the People’s Republic of China to Conduct Cyber Warfare and Computer Network Exploitation", which was stated, yet Google failed to heed the warning.
The paper also made reference to the history of other network exploits. How much can we emphasize the need to be on guard and not trust an alleged enemy? Art of War: "Entice the Enemy". Was Google enticed (Social Engineered) in a way by the Chinese? Did Google let its guard down in the name of trust? These are some of the questions we should be asking about who we trust with access to our IT Infrastructure. I say Trust No One but Your Instincts and actions.

2. "Breach-by-design": Many developers ignore warning signals provided by Security Assessment teams and even classify vulnerabilities as minor in some cases. Microsoft has had to face a few of those which have come back to haunt them and affect lots of users. Adobe has faced similar issues too. Microsoft is the most guilty of them all. Vulnerabilities are left in the open and the release of a patch takes ages. There are several articles online that have proved this. How much can developers be warned to take seriously the assessment reports of Penetration Testers and redesign their applications where required? The flaw in the design of the Google App used by the governments of China and USA to provide user data opened the gates for hacks... don't wait to be hacked by your clients.

3. Constant Employee Security Awareness: Remember what happened with the Google employees? They had reverse reconnaissance done on them, including their relatives and friends. If you are a firm, how much do you invest in security awareness for your employees? It's time to raise the red flag on what information to give out and what not to give out. I think it's vital that as Security Consultants we inform clients of the need to have weekly security overhauls where necessary, especially when we are meeting new challenges and new techniques of attacking firms around the world.

4. Keep an eye on every log and packet: Sometimes it's easy to underestimate the need for critical log and packet analysis. A colleague of mine always says "logs don't lie". But that is the situation where they have not been tampered with. Hacking inodes is becoming a can-do thing even for script kiddies, so it's becoming a challenge to trust logs. However, having a packet logger can be of vital help. Some have found this a miracle in monitoring activities on their network and servers. If you can critically analyse the activities of every packet arriving on your network, sometimes it goes a long way to help you strengthen and beef up security :(

5. No Security Is too Small: Anything human is not 100% efficient; however, that does not suggest total ignorance either. Every bit of security measure that can be implemented must be implemented, and constant review of the existing systems in place is very vital. How much emphasis can we lay on the need to review your security strategy at defined intervals?

6. Hire firms cut out for security audits: No pun intended, but hiring an accounting auditor to do a security audit is very lame. There are several examples to prove this. Most of these firms come to do the text-book style of audit, run automated tools and produce reports from the tools. For any company requiring security audits I will state that hiring firms like Redspin, or individuals such as Richard Stiennon of IT-Harvest with the skills to run manual assessments, is your ideal and trusted solution. Would you trust your surgeon or your GP if you needed open-heart surgery? So don't trust the Account Auditors and automated tool tests. Get a professional (or professionals) to do a clean job, and do not think twice, though sometimes the cost is high.


These are just the few pointers I have gleaned from the Google attack. There are several others to think of that you can include.
I just love to hear that the police have "set up Olympics Crime teams" to combat Cyber crime for the London games :)

Till then, keep h4ck|ng for d3ph3ns3.

Friday, January 22, 2010

Fedora 13 Count Down

The countdown to Fedora 13 has begun and lots of people are feeling the mania.
Will let you know once the beta version is released.