Tuesday, February 10, 2009
Paypal / eBay security done right!
Protect yourself from 0-days, keyloggers, and Trojans with an RSA SecurID token for PayPal and eBay. These have been around for over a year now, so if you don't have one yet (and you use eBay/PayPal), sign up right away. A security token (a random 6-digit number generated every 60 seconds) is used in conjunction with your password every time you log into eBay and PayPal. Therefore, if someone had stolen your password they would also need your keychain (hard to pull off from Moscow or Kuala Lumpur). It's only $5 and, while not impossible to defeat, it offers a great deal of protection from account theft.
As you know, for every protective measure there is a counter-measure: once you are authenticated, if someone steals your session cookie they can masquerade as you. PayPal is currently vulnerable to XSS attacks, by the way.
Monday, February 9, 2009
How I saved about $50 a day on my rental car in Las Vegas
So, while in Las Vegas I wanted to try out the Toyota Prius (hybrid). The only catch was that it cost about $89 a day, while the economy cars (same size, but gas powered) cost $39 a day. I understand that a Prius is fuel efficient, however I'd have to do an awful lot of driving to compensate for the extra cost, and seeing as how I didn't plan on leaving a 10 mile radius, this was awfully hard to justify. Fortunately I found this website called RetailMeNot which contains user-submitted coupon codes for various websites. Because I won't always remember to check first before making a purchase, I installed a Firefox plug-in that glows green whenever I'm on a website that has a coupon code available. The code that was available at the time was for a Hertz employee friends & family rate which shaved about 50% off the cost of the car. When I traveled to Europe this fall, I also saved about 35% using the same code, and rented a Mercedes-Benz CLK (convertible, navigation), running across several countries, and there were no questions asked about the discount :)
If you use Hertz, I do recommend the online check-in: print your receipt and scan it at the kiosk when you get there, the less human interaction the better :)
Sunday, February 8, 2009
Keeping the bad guys out of my network
I've been looking for a Geo-IP block list for Cisco hardware that will allow me to drop packets sourced from malicious folks in Russia, China, Brazil, Eastern Europe, South America, all of Africa.. you know, most of the world. There are a lot of people on the internet these days, and traffic from certain sources has an extremely high probability of being malicious, and an extremely low chance of being legitimate. Well I haven't found exactly what I'm looking for yet, but one thing that is handy, if you don't know about it already, is the DROP list from Spamhaus.
This list is updated regularly, which means you would need to update regularly.
Here is a guide on automating the updates to a Linux box running iptables.
There is another block list on DShield.
While these are decent, I'm looking for something much larger that deals not only with spammers and malicious IPs but with hostile countries altogether. If you know of something good please comment.
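As an added example (not from the post or from Spamhaus), here is the parsing and rule-generation half of the "update iptables from the DROP list" automation: it reads the DROP text format (one `CIDR ; SBL-reference` entry per line, `;` starting a comment), answers whether a given address falls inside a listed block, and emits the iptables commands that rebuild a dedicated chain so the list can be refreshed atomically on a schedule. The sample list content is constructed from RFC 5737 documentation ranges; the chain name `SPAMHAUS_DROP` is an assumption.

```python
import ipaddress
from typing import List, Union

Network = Union[ipaddress.IPv4Network, ipaddress.IPv6Network]

# Constructed sample in the DROP text format; not a real download.
SAMPLE_DROP = """\
; Spamhaus DROP List - constructed sample for illustration
; Last-Modified: Sun, 08 Feb 2009 00:00:00 GMT
192.0.2.0/24 ; SBL000001
198.51.100.0/25 ; SBL000002
"""


def parse_drop(text: str) -> List[Network]:
    """Parse DROP-format text into network objects, ignoring comments and blank lines."""
    nets: List[Network] = []
    for raw in text.splitlines():
        entry = raw.split(";", 1)[0].strip()
        if not entry:
            continue
        # strict=True rejects entries with host bits set, which would indicate a corrupt download
        nets.append(ipaddress.ip_network(entry, strict=True))
    return nets


def is_listed(ip: str, nets: List[Network]) -> bool:
    """True if `ip` falls inside any listed block (useful for log triage, not just filtering)."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in nets)


def iptables_commands(nets: List[Network], chain: str = "SPAMHAUS_DROP") -> List[str]:
    """Shell commands that rebuild the chain from scratch and hook it into INPUT once."""
    cmds = [
        f"iptables -N {chain} 2>/dev/null || true",  # create on first run, ignore 'already exists'
        f"iptables -F {chain}",                       # flush yesterday's entries
    ]
    cmds += [f"iptables -A {chain} -s {net} -j DROP" for net in nets]
    cmds.append(f"iptables -A {chain} -j RETURN")
    # Jump from INPUT only if the jump is not already present (-C checks for an existing rule).
    cmds.append(f"iptables -C INPUT -j {chain} 2>/dev/null || iptables -I INPUT -j {chain}")
    return cmds


if __name__ == "__main__":
    blocks = parse_drop(SAMPLE_DROP)
    print("#!/bin/sh")
    for cmd in iptables_commands(blocks):
        print(cmd)
    print("# 192.0.2.7 listed:", is_listed("192.0.2.7", blocks))
```

Wire the script to a daily cron job that fetches the current DROP file, runs this over it, and executes the emitted commands; because the chain is flushed and rebuilt each run, stale entries drop out automatically when Spamhaus removes them.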
Saturday, February 7, 2009
The time has come... to put AV on your Mac :-(
For the past few years I have enjoyed the "security through obscurity" lifestyle, avoiding the malware trends while using my MacBook Pro laptop. Unfortunately Apple has put itself on the map as a malware target, as you may have noticed with last week's mass infestation with the iServices.A Trojan. While this should have easily been avoided by downloading the software directly from Apple and then using the key from the BitTorrent site, as opposed to downloading the software from the BitTorrent site, many people blindly downloaded this app and installed it, and my bet would be that less than 1% knew what was happening in the background. As if the bombardment of browser bugs, clickjacking, XSS, and DNS vulnerabilities weren't enough, now I have to worry about infected Mac warez :-(.
Today I broke down and installed AV on all of my Macs, which I could have done a while ago, but figured that it wasn't worth the hassle. I'm using ClamAV for OS X (ClamXav). While there are a few vendors offering Mac-based AV solutions, I seriously doubt any of them are putting much work into the Mac product, and that it will miss the latest trends anyhow, so instead of paying McAfee $90 I went with the free solution (but donated anyhow). If you are familiar with Cisco Security Agent (a great HIPS product in my opinion) you know that this is also based upon ClamAV, so it can't be too bad :) Cisco was partnering on several solutions with Trend Micro before they offered CSA with integrated Clam.
So in a nutshell, Cisco likes Clam, it's priced right, and it runs in OS X, go check it out :)
*Note: You may also notice that there is a .plugin file with which you can integrate Clam into the shell, allowing you to simply right-click on directories or files for quick and easy scanning.
Get it today!
Friday, February 6, 2009
Coupons without the work.. plus MLM.. well done.
Today I discovered "The Sweeter Deal", which is a website hooked into affiliate programs that then splits the cash with you and your friends! Any time I see something of this nature I am skeptical, but after quite a bit of reading they have me sold. Basically, if you are going to purchase something, search through their link to buy it; they get a referral bonus, but then they split it with you. I was like hey, wait a minute, couldn't I set up my own site and get 100% of the referral.. yes, probably, but I don't have the time, and here it is ready to go.
So long story short, get 50% of referral fees which are getting paid out anyhow! These people have done all the work, and you still get 0.5-10% back from your purchases (depending on the site). It's kind of like using a points card to get that 1% cash back, but there are stipulations, limits and sometimes fees. This is a free service, so unless you are going to code your own referral system, use this, it's a no-brainer!
Sign up NOW!
Thursday, February 5, 2009
Quick and dirty network sweeps.. Angry IP now for Mac / Linux
As everyone already knows nmap is the scanner of choice, unless perhaps you are performing simple scans from a Windows environment. In my experience running nmap from Windows is painful if you are used to the speed you get while running it from Unix. I would often suggest that Windows users move to a real OS (*nix based) or switch to a different scanner. The scanner I enthusiastically recommend is Angry IP: it's lightweight, free, and quick. While discussing scanners with a peer today I became aware that Angry IP has been ported to OS X and Linux. While this will have a smaller audience (due to the fact that nmap does such a great job here) it's still nice to have. My wife is an entry-level network tech and she's Mac-based, so while she can use nmap, she does not share my passion for the CLI (understandably), and while the nmap GUI is really nice, it's more function than she needs. So for a slick, easy scanner I can recommend Angry IP for all platforms now.
Wednesday, February 4, 2009
IKE Scan
When performing audits you can simply sweep for UDP 500, which may indicate that a remote device is listening for IPsec connections, but that's about it. If you were looking for a bit more information you could use ike-scan, which will interrogate the remote device and disclose the policy set (aka security parameters). Like most tools I blog about, it's free and compact :)
ike-scan can be found at:
http://www.nta-monitor.com/tools/ike-scan/
Sample output:
67.78.31.242 Main Mode Handshake returned HDR=(CKY-R=6e69a811525dc72e) SA=(Enc=3DES Hash=SHA1 Group=2:modp1024 Auth=PSK LifeType=Seconds LifeDuration=28800) VID=4048b7d56ebce88525e7de7f00d6c2d3c0000000 (IKE Fragmentation)
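When you audit your own VPN gateways with ike-scan, the useful part is turning the returned SA into a list of things to fix. The following added example (not the post's code, and not part of ike-scan) parses a handshake line of the form shown above into its host, mode and SA attributes, then flags the parameters a reviewer would push back on: DES/3DES encryption, MD5 integrity, a Diffie-Hellman group below 2048 bits, and aggressive mode paired with a pre-shared key. The sample line reuses the page's SA output with the host replaced by an RFC 5737 documentation address; the thresholds in `assess` are this example's own policy, not ike-scan's.

```python
import re
from typing import Dict, List, Optional

# Constructed sample: the page's SA output with the responder address replaced by a documentation IP.
SAMPLE_LINE = (
    "203.0.113.5 Main Mode Handshake returned HDR=(CKY-R=6e69a811525dc72e) "
    "SA=(Enc=3DES Hash=SHA1 Group=2:modp1024 Auth=PSK LifeType=Seconds LifeDuration=28800) "
    "VID=4048b7d56ebce88525e7de7f00d6c2d3c0000000 (IKE Fragmentation)"
)

# host, mode and the parenthesised SA attribute list; HDR=(...) is skipped non-greedily.
LINE_RE = re.compile(
    r"^(?P<host>\S+)\s+(?P<mode>Main|Aggressive) Mode Handshake returned .*?SA=\((?P<sa>[^)]*)\)"
)


def parse_ike_scan_line(line: str) -> Optional[Dict[str, object]]:
    """Return {'host', 'mode', 'sa': {attr: value}} for a handshake line, else None."""
    m = LINE_RE.match(line)
    if not m:
        return None
    sa = dict(item.split("=", 1) for item in m.group("sa").split())
    return {"host": m.group("host"), "mode": m.group("mode"), "sa": sa}


def assess(entry: Dict[str, object]) -> List[str]:
    """Policy review of a parsed SA: each string is one weakness to raise with the VPN owner."""
    findings: List[str] = []
    sa: Dict[str, str] = entry["sa"]  # type: ignore[assignment]
    enc = sa.get("Enc", "")
    if enc in ("DES", "3DES"):
        findings.append(f"{enc} encryption accepted; migrate to AES")
    if sa.get("Hash") == "MD5":
        findings.append("MD5 integrity accepted; use SHA-1 or better, SHA-2")
    group = sa.get("Group", "")
    bits = re.search(r"modp(\d+)", group)
    if bits and int(bits.group(1)) < 2048:
        findings.append(f"DH group {group} is below 2048 bits")
    if entry["mode"] == "Aggressive" and sa.get("Auth") == "PSK":
        findings.append("Aggressive mode with PSK; disable aggressive mode or move to certificates")
    return findings


def review(output: str) -> Dict[str, List[str]]:
    """Run the assessment over a whole ike-scan output, keyed by responder address."""
    report: Dict[str, List[str]] = {}
    for line in output.splitlines():
        entry = parse_ike_scan_line(line)
        if entry:
            report[str(entry["host"])] = assess(entry)
    return report


if __name__ == "__main__":
    for host, issues in review(SAMPLE_LINE).items():
        print(host)
        for issue in issues:
            print("  -", issue)
```

The page's sample responder trips two of the checks (3DES and modp1024); the same parser also handles an `Aggressive Mode Handshake returned` line, which is the case where the PSK finding applies.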
Tuesday, February 3, 2009
DNS mining.. Fierce.pl
Ok, so you know those times when you discover that diamond in the rough, the extremely useful yet previously unheard of tool that makes you want to shout to tell the world about it, only to find out that your friends already know... you wonder to yourself, well why the heck didn't they tell me?
This post is to save the people I know from the aforementioned scenario. Fierce.pl is a Perl script (O rly?) that can be used to discover hosts of a target organization simply by performing DNS resolution against a dictionary file. The dictionary file included isn't bad, however I've extended mine by merging it with other word lists and gotten better results.
Long story short, fierce is a super handy tool for discovering resources that is lightweight and easy to use. It's been around for a bit, I'm just making sure that you know about it :)
Fierce can be found here:
http://ha.ckers.org/fierce/
DNS rewrite on PIX / ASA firewalls, MYSTERY SOLVED!
Ok so DNS doctoring (aka DNS rewrite) on the PIXes and ASAs has stumped me for some time now. I've implemented this a number of times, and sometimes it works flawlessly, other times not at all. Today it all became clear.
First off, what is DNS rewrite? When an internal host makes a query to an external DNS server about an internal resource, the IP address returned will be the external one (see image). In other words, the host making the query is on the same network as the web server, which is Cisco.com. When the user queries a DNS server, for instance Verizon's DNS at 4.2.2.1, the answer returned will be a public IP. If you look at the static NAT mapping within the ASA's configuration you will see that the public IP is mapped to an internal IP. Well, DNS rewrite monitors DNS traffic, and if a DNS reply contains an IP address that is used in a static statement it will alter the DNS reply to point to the internal IP (again see image). Therefore, the client connects to the internal resource by its actual IP address (not the static NAT). Where is the mystery then? Well I have configured this many times, it's straightforward, but it doesn't always work.
It turns out that if you are using static PAT, so a single IP address on the outside doing port forwarding to different servers on the inside, DNS rewrite simply does not work; it's documented here:
http://www.cisco.com/en/US/products/ps6120/products_configuration_example09186a00807968d1.shtml#req
If you have individual IPs for each server it works fine.
This has eluded me for years but became clear today :)
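To make the working and non-working cases concrete, here is an added example (not the post's code, and not Cisco's implementation) that models the rewrite decision: it parses a constructed pre-8.3 style ASA configuration fragment, keeps the one-to-one `static` entries (with and without the `dns` keyword) separately from the static PAT entries, and then applies the doctoring rule to a DNS answer as it would cross from outside to inside. The addresses are RFC 5737/1918 examples, and the exact reply-handling inside the ASA is simplified to the one rule the post describes.

```python
import re
from typing import Dict, Set, Tuple

# Constructed ASA configuration fragment (pre-8.3 'static' syntax); addresses are documentation examples.
ASA_CONFIG = """
static (inside,outside) 203.0.113.10 10.0.0.10 netmask 255.255.255.255 dns
static (inside,outside) 203.0.113.11 10.0.0.11 netmask 255.255.255.255
static (inside,outside) tcp 203.0.113.12 80 10.0.0.12 80 netmask 255.255.255.255
static (inside,outside) tcp 203.0.113.12 443 10.0.0.13 443 netmask 255.255.255.255
"""

IPV4 = r"\d{1,3}(?:\.\d{1,3}){3}"
ONE_TO_ONE = re.compile(
    rf"^static \((\w+),(\w+)\) (?P<global>{IPV4}) (?P<local>{IPV4}) netmask \S+(?P<dns> dns)?$"
)
STATIC_PAT = re.compile(
    rf"^static \((\w+),(\w+)\) (tcp|udp) (?P<global>{IPV4}) (\w+) (?P<local>{IPV4}) (\w+) netmask \S+$"
)


def parse_statics(config: str) -> Tuple[Dict[str, Tuple[str, bool]], Set[str]]:
    """Return (one_to_one, pat_globals).

    one_to_one maps global IP -> (local IP, dns keyword present).
    pat_globals is the set of global IPs that are only reachable through static PAT."""
    one_to_one: Dict[str, Tuple[str, bool]] = {}
    pat_globals: Set[str] = set()
    for raw in config.strip().splitlines():
        line = raw.strip()
        m = ONE_TO_ONE.match(line)
        if m:
            one_to_one[m.group("global")] = (m.group("local"), m.group("dns") is not None)
            continue
        m = STATIC_PAT.match(line)
        if m:
            pat_globals.add(m.group("global"))
    return one_to_one, pat_globals


def doctor_reply(answer_ip: str, one_to_one: Dict[str, Tuple[str, bool]], pat_globals: Set[str]) -> str:
    """The A-record address an inside client sees after DNS inspection (simplified model).

    Only a one-to-one static carrying the 'dns' keyword is rewritten; a global IP shared by
    several inside servers via static PAT has no single answer to substitute, so it passes unchanged."""
    if answer_ip in one_to_one:
        local_ip, dns_enabled = one_to_one[answer_ip]
        return local_ip if dns_enabled else answer_ip
    return answer_ip  # covers pat_globals and addresses with no static at all


def explain(answer_ip: str, one_to_one: Dict[str, Tuple[str, bool]], pat_globals: Set[str]) -> str:
    """Human-readable reason, handy when troubleshooting 'it works here but not there'."""
    if answer_ip in one_to_one:
        return "rewritten" if one_to_one[answer_ip][1] else "static present but 'dns' keyword missing"
    if answer_ip in pat_globals:
        return "static PAT: rewrite not supported"
    return "no matching static"


if __name__ == "__main__":
    statics, pats = parse_statics(ASA_CONFIG)
    for public in ("203.0.113.10", "203.0.113.11", "203.0.113.12", "203.0.113.99"):
        print(f"{public} -> {doctor_reply(public, statics, pats)}  ({explain(public, statics, pats)})")
```

Running it shows the three outcomes side by side: the first server's public address becomes 10.0.0.10, the second stays public because the `dns` keyword was left off, and the shared PAT address stays public because the firewall cannot know which of the two inside servers the client wanted.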