Showing posts with label security.

Friday, May 14, 2010

Advice to Govt. of India after the decision to develop their own version of OS & Software

Note: This advice is offered free with no obligations

The Indian government has set in motion an ambitious plan to develop its own software & operating systems after the spurt in cyber attacks on Indian establishments. I think this is a bad idea, and being an Indian I thought of contributing.

The problem is not with the OS or software; it is with the way IT is managed.

The Indian government should look at addressing the management of IT; developing an OS (or software) is not the solution. I am sure existing players can do a better job because they have matured their processes over time, and it is really a mammoth task.

If I were to address this problem, I would start with this to-do list:

  • Do a risk assessment and then develop a risk management system
  • Develop a security management system or adopt some existing system like ISMS
  • Create a security plan & include specific plans for departments/units
  • Develop security evangelists in government departments
  • Implement technical systems like standard hardening like the US Fed's, or have a special government build

Posted via email from Ramki's posterous

Sunday, December 20, 2009

Odds of losing confidential personal data are increasing

The article "Electronic Medical Records: The Good, Bad, And Ugly" was the trigger for this post.

If you lose your medical record along with 10 or 1000 others, will it make any difference to you? I think it will be more traumatic if you are amongst a few, as the redress modes will be different.

What about losing credit card details?

Imagine: now even malware can have QA, and botnets are an industry; they even run help desks. Add to this (probably) unethical practices like this and sophisticated attacks like this, and the chances of losing confidential information are increasing.

What odds does an average citizen have against these? Maybe high in places like the USA & Europe, but in a developing country they are pretty low.


Saturday, December 12, 2009

Hacking thoughts - Insecure ATM port

Warning: These are just random thoughts with a lot of presumptions; readers are advised that trying or doing a similar activity would be a serious criminal offense. Finally, I am not a native speaker of English and may have used colloquial words, hence no arguments on English usage.

I used an ATM today; this machine of a major Indian private bank was located on the premises of its branch. As I finished and turned to exit, I noticed that the network patch cords connected to the ATM NIC were exposed; it shouldn’t be like this … someone could

a) Take a picture (like I did) and shout at the bank about the lack of cable security
b) Yank out the cord and get the ATM out of order temporarily
c) Rig the I/O (network socket) by connecting a HUB & AP (power socket was inches away) and hack into the bank network

The third is serious stuff. I wondered how one could accomplish this task. Here is a possible way...

Requirements:

Steps:

1) Select a Sunday night
a) Not much traffic b) Detection may happen only well into business hours on Monday.

2) Get into the ATM with a companion on crutches
He needs help and this takes care of the security guard.

3) Let the companion use the ATM (just fiddling around as if operating it); meanwhile, do something like dropping papers on the floor and, under the pretext of gathering them up, quickly connect the equipment (HUB, AP & power) and move something inconspicuous like the wastepaper bin (there is usually one) to hide them from normal view.
This takes care of the camera (you are out of the view and just picking up some papers) and the casual glance of anyone (the wastepaper bin blocks the gear).

4) Sit in a parked car within range of the AP (I saw a good quiet lane across the road), and…

4a) Check for vulnerable hosts online, PWN and get data, plant back-doors, c&c,…

4b) Or simply capture packets from the ATM interface to check for valuable information


The idea of this post is just to look at the possibility, hence it is kept simple; but this requires a lot of skill (which I don’t have :-) ) and may turn out to be taken as a FUD phenomenon.

I plan to inform the bank about this weakness; let me see how they view it.


Wednesday, October 14, 2009

NIST Small Business InfoSec document - a guide for small and medium business

NIST has released "Small Business Information Security: The Fundamentals", a best practice guide for small business; this is certainly a good step forward. Threats for this segment are no different from large enterprises; even the PCI council's recommendations, "Skimming Prevention: Best Practices for Merchants", can be used by companies including small shops.

"PCI's Russo says the guidelines are for all sizes of retailers, but are especially geared for helping mom-and-pop retailers: 'A small merchant that makes pizza isn't going to know much when someone with a terminal shows up with a business card and says he's there to put in a replacement, but is doing something [malicious] with it and leaving it there,'"

However, most of these threats can be easily mitigated by adopting some basic systems, and the NIST document is an excellent place to start.
