Thursday, October 30, 2008

Spamming Friendster: Video links and blog spam

Spam on Friendster has taken a clever turn: using a static image of what looks like a clickable video to drive hits to a site.

It looks like this - normally users will simply click on the apparent video link.


The URL behind it, however, is a spam link to a blogspot blog. Time to remind our users that clicking on things they don't expect or that are from people they don't know is a bad idea.

Friday, October 24, 2008

Easy Packet Capture Using Network Miner

Network Miner is a great, simple packet capture and search utility. The interface is easy to understand and provides many of the most frequently wanted searches in one place.

Network Miner's Sourceforge site says:

NetworkMiner is a Network Forensic Analysis Tool (NFAT) for Windows that can detect the OS, hostname and open ports of network hosts through packet sniffing or by parsing a PCAP file. NetworkMiner can also extract transmitted files from network traffic.

You'll need WinPcap to run it, but once you have it installed, you're ready to start capturing packets.

What can you do?

Network Miner's main interface is an easy-to-navigate tabbed menu. By default, you'll see the Hosts tab.


From there, it is simple to select files, which will show files transferred while sniffing - in this case, I opened Google in Firefox.


You can also see images, which display in the window. Note the Google logo from the packet capture.


While both of these capabilities are fun, the other automatic filters are likely far more useful. Select Credentials or Cleartext and you'll see, respectively, the user IDs and passwords that were sent and the plaintext that crossed the wire. Both can be extremely useful in troubleshooting. An easy example is checking whether credentials for a website are being sent in plaintext when they shouldn't be, or whether a cookie contains a string you don't want sent.
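The same check can be scripted once the reassembled requests are in hand. As an added example (not part of the original post or NetworkMiner's own code), the Python below scans constructed HTTP requests for credentials sent in the clear, both HTTP Basic headers and form-encoded password fields, and for cookies carrying a string you don't want leaving the network.

```python
import base64
from urllib.parse import parse_qs
# Constructed sample requests, as a capture tool would reassemble them
# from a cleartext HTTP session (not real traffic).
SAMPLE_REQUESTS = [
    "POST /login HTTP/1.1\r\nHost: intranet.example\r\n"
    "Content-Type: application/x-www-form-urlencoded\r\n"
    "Cookie: session=abc123; tracker=SECRET-ID\r\n\r\nuser=alice&password=hunter2",
    "GET /admin HTTP/1.1\r\nHost: intranet.example\r\nAuthorization: Basic Ym9iOmxldG1laW4=\r\n\r\n",
    "GET / HTTP/1.1\r\nHost: www.example\r\nCookie: lang=en\r\n\r\n",
]
PASSWORD_FIELDS = {"password", "passwd", "pass", "pwd"}
USER_FIELDS = ("username", "user", "login", "email")

def split_request(raw):
    """Return (headers with lower-cased names, body) for one raw request."""
    head, _, body = raw.partition("\r\n\r\n")
    headers = {}
    for line in head.split("\r\n")[1:]:  # skip the request line itself
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return headers, body

def find_cleartext_credentials(raw):
    """List (kind, user) pairs for credentials that crossed the wire in the clear."""
    headers, body = split_request(raw)
    findings = []
    auth = headers.get("authorization", "")
    if auth.lower().startswith("basic "):
        try:  # Basic auth is only base64-encoded, so the user ID is recoverable
            user = base64.b64decode(auth[6:]).decode("utf-8", "replace")
            findings.append(("http-basic", user.split(":", 1)[0]))
        except ValueError:  # binascii.Error is a ValueError subclass
            findings.append(("http-basic", "<undecodable>"))
    if headers.get("content-type", "").startswith("application/x-www-form-urlencoded"):
        fields = {k.lower(): v[0] for k, v in parse_qs(body).items()}
        if fields.keys() & PASSWORD_FIELDS:
            user = next((fields[k] for k in USER_FIELDS if k in fields), "<unknown>")
            findings.append(("form-post", user))
    return findings

def find_cookie_strings(raw, forbidden):
    """List cookie names whose value contains any of the forbidden strings."""
    headers, _ = split_request(raw)
    hits = []
    for pair in headers.get("cookie", "").split(";"):
        name, _, value = pair.strip().partition("=")
        if name and any(f in value for f in forbidden):
            hits.append(name)
    return hits
```

Run it over each entry in SAMPLE_REQUESTS (or over requests pulled from your own capture) and the first request reports the form password, the second the Basic-auth user, and only the first carries the unwanted cookie string.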

Network Miner also includes the ability to view DNS queries, frames, parameters, keywords, and protocol anomalies. You can sort entries based on IP address, MAC, hostname, packet count, byte count, and ports open.

While Network Miner isn't as flexible as Wireshark, it provides an extremely approachable interface and makes packet capture much easier for those who need the basic functionality without the complexity of a full-featured solution.

Monday, October 20, 2008

OS X CLI tricks: Empty Trash Securely

Thanks to one of my local Mac gurus, here's a MacOS security tip.

If you'd like to set secure delete to occur in MacOS 10.5, you can either set it via the GUI (Finder --> Preferences --> Advanced --> Empty Trash Securely), or you can set it via the CLI.

To set it via the CLI, you can use the defaults command.

First, check your current setting:

defaults read com.apple.finder EmptyTrashSecurely

Next, set the setting using defaults write:

defaults write com.apple.finder EmptyTrashSecurely 1

You can log out, then log back in, and your settings will carry over.

Wednesday, October 15, 2008

The Intersection of Can and Shouldn't

Every IT staffer knows that there are times when technology supports capabilities that can make a solution work, but which shouldn't be implemented. A co-worker phrased that nicely recently - "that's the intersection of can and shouldn't".

What intersections of can and shouldn't have you run into? My best example recently? Overly helpful helpdesks.

Often, help desk staff have access to a lot of data, allowing them to assist with various cases and events. Unfortunately, this leads to the inclination to be helpful outside of the scope of IT technical support, and can lead to additional risk exposure for an organization. In this case, training has to overcome the highly ingrained inclination to be helpful - something that help desks are designed to do.

Oh, and just because you can fix NAT issues by using your inline IPS or other packet filter to change them to the correct IP doesn't mean that you should...

Friday, October 10, 2008

ATM skimmers with SMS notification hit the scene

ZDNet has details on an $8500 ATM card skimming device that sends automatic SMS notifications when it captures data. Interestingly, the system also provides greater security for the person running it, preventing data capture and code-based exploits. The article is worth a read if you're interested in the state of the art in skimming attacks.

Thursday, October 9, 2008

Security Humor: Comcast Listens

Comcast has been heavily advertising their "Triple Play" service, which includes VoIP telephone service. I opened my mailbox the other day and realized that their recent survey message may not have the intended interpretation in that context.


I wonder if their marketing team read this one carefully...