SecureState Information Security Blog

SecureState Has A New Blog - Come See What You're Missing!

2012-01-12T17:15:00.001-05:00

Don't forget to check out SecureState's new blog site - we recently released a new tool update, take a look here and while you’re at it, visit SecureState's Company Website and see what's going on in our Media Center and browse through our recently released Tools!

SecureState Releases New Tool for Footprinting 802.1x Wireless Networks

2011-06-03T12:38:00.000-04:00

Today, SecureState is releasing a new tool for footprinting 802.1x wireless networks called EAPeak. EAPeak is a Python powered script that is meant to parse useful pieces of information for a Security Assessment of wireless networks that use the Enterprise Authentication Protocol. It relies on the Scapy libraries to parse both PCap files and live network captures. Read more on our new blog site

But My Web Application Uses SSL...Of Course I’m Secure

2011-05-14T12:47:00.014-04:00

SecureState Auditor: What are you doing for web application security?Web Development Project Lead: We use SSL.The Setup: How You Protect Your Web Applications Says A Lot about the Maturity of Your Security Programs - In a meeting with a relatively well known third party web application development company, the question was asked as to what the company was doing for web application security. The

Quit Hoarding

2011-05-05T16:59:00.003-04:00

Evaluate your security program’s maturity before dropping money on a quick-fix “hot” product. Evidently, there is an increasing fascination within the American psyche with hoarding, the excessive collection of items, along with the inability to discard them. This is evident in the popularity of television shows such as “Buried Alive” and “Hoarders”. Read more of this post on our new blog site

Information Policies & Procedures, Part 7

2011-05-05T16:58:00.003-04:00

This is part of an ongoing series on documentation development. Do words matter? Of course they do. There are few places where this statement is as true as in documentation. When developing policies and procedures, we must be very clear about the rules. Must and shall mean, as the name implies, that the action is not optional. May means that the action is allowed, but not required. This is an

“We Have a Vulnerability Management Program…It’s in Our Data Center”

2011-04-21T16:22:00.003-04:00

From Running Scans to Building a Vulnerability Management Program I perform the Vulnerability Assessments and Payment Card Industry Approved Scanning Vendor (PCI ASV) Scans at our information security firm. I have been running scans for over 100 different companies for the last year, and I see the same recurring vulnerabilities again and again. What I have also seen is that people do not

Spring into a New Career!

2011-04-19T10:38:00.000-04:00

SecureState will be holding on-site open interviews on Thursday, April 21 from noon to 6:30 p.m. at the SecureState Headquarters: 23340 Miles Road, Bedford Heights, OH 44128 http://blog.securestate.com/post/2011/04/19/Spring-into-a-New-Career!.aspx

Let’s Go with the Web Application Scan… It is cheaper

2011-04-15T16:25:00.000-04:00

Why a Manual Web Application Security Assessment is worth every penny over an automated tool. Choosing the Assessment: As a Security Consultant for SecureState, I have performed my share of Web Application Security Assessments in the last couple of years, including both Assessments which relied heavily on Web Application Scanners to find vulnerabilities in the web application, as well as

PCI DSS Applicability To Closed Accounts

2011-04-08T15:11:00.002-04:00

We recently ran into some questions from multiple organizations regarding PCI DSS applicability to closed or inactive credit card account numbers. For example, when someone passes away, the disposition of their debts and assets may go through probate. What may happen during this process is the collection of all of the deceased’s debt accounts, including credit cards, to determine how claims will

Penalty Double Ups: PCI Intersects with State Privacy Laws

2011-04-06T14:30:00.002-04:00

A lawsuit out of Massachusetts related to a breach of cardholder data by the Briar Group, LLC resulted in an $110,000 settlement by the company. This is some interesting news, as it shows that penalties for not protecting cardholder data can hit you from both the card brands and regional privacy lawsuits. Although the amount of the settlement is not extremely high, the other requirements coming

The Importance of System Logging

2011-04-05T17:16:00.002-04:00

This blog is more of a success story than anything else. I want to bring to light a small business with less than six employees who properly implemented auditing. As you may or may not know, Windows allows a user to audit Logon and Logoff events. This is extremely important especially when you are trying to figure out who is using, or has attempted to use, your system. Read the entire post on

Ten Ways to Fail at Information Security: Part 1

2011-04-01T17:30:00.002-04:00

Information Security is still an emerging discipline, with lots of loud voices expressing different opinions as to what is the absolute best way to secure your company. Rather than throw more noise into the echo chamber espousing “best practices”, in this series of blogs, I will be taking a different route. Every company does security differently, with varying degrees of success. No single

Taking Data Loss Prevention To Data Loss Acceleration

2011-03-24T14:08:00.000-04:00

“OpenDLP is a free and open source, agent-based, centrally managed, massively distributable data loss prevention tool.” This is how creator Andrew Gavin defines OpenDLP. While this tool could be used to monitor sensitive data on hundreds of systems simultaneously, it could also be used to steal massive amounts of data very quickly. Read more on SecureState's new blog site http://

Is Your e-file Tax Return Secure?

2011-03-24T14:06:00.000-04:00

Find out how secure yours is by reading Ken Stasiak's post on our new blog site here http://blog.securestate.com/post/2011/03/14/Is-Your-e-file-Tax-Return-Secure.aspx

New Vulnerability Alert by SecureState Now Available!

2011-03-24T14:05:00.000-04:00

Find the vulenrability reports each month on our new blog site http://blog.securestate.com/post/2011/03/08/New-Vulnerability-Alert-by-SecureState-Now-Available!.aspx

Cleveland OWASP Chapter Meeting Announcement

2011-03-24T14:02:00.000-04:00

SecureState is proud to sponsor the Cleveland chapter of OWASP and we are bringing back the quarterly meetings by bringing in some of the top speakers in the application security community. This quarter we have web application security ninja Kevin Johnson that will be speaking. The title of his talk is “Ninja Developers: Application Security Testing and Your SDLC”. Read more on our new site

HIPAA: Rx For End-User Device Risks

2011-03-24T13:55:00.003-04:00

HITECH breach notification requirements apply to breaches of “unsecured” Protected Health Information (PHI). Basically, if electronic PHI data is encrypted, purged, or physically destroyed before it is inadvertently disclosed, then it doesn’t count as a breach. Read more at SecureState's new blog site http://blog.securestate.com/post/2011/03/03/HIPAA-Rx-For-End-User-Device-Risks.aspx

Come Out; Come Out; Wherever You Are…

2011-03-01T11:34:00.002-05:00

The title of this blog is typically heard amongst children while playing the game “Hide and Seek.” I use it now as a reference to companies hiding from Privacy Regulations or at the very least avoiding the application of the best practices available when it comes to Privacy Principles. Why Do Companies Hide From Privacy Regulations? Read more on SecureState's new blog http://

But It Was Developed By A Third Party… Of Course It’s Secure!

2011-02-25T11:56:00.002-05:00

Just as internally coded web applications should go through a standard Software Development Life Cycle {SDLC}, third party web applications should also be subjected to an SDLC. For example, an organization’s SDLC may dictate that all newly coded web applications must go through a grey box assessment before going live... Read the rest on SecureState's new blog site http://blog.securestate.com/

Means, Opportunity, and Motive: Point Of Interaction Awareness

2011-02-25T11:55:00.002-05:00

There have been numerous news stories about employees stealing credit card information before it is even entered into your information systems. These are usually occurring out on the sales floor. You can be fully compliant with the PCI DSS, but most of the offenses we are talking about occur outside the scope of what those requirements are designed to protect against. The following types of

New Module for the Metasploit Framework Released by SecureState

2011-02-25T11:54:00.002-05:00

SecureState released a new module for the Metasploit Framework that allows users to brute force credentials on Microsoft OWA servers. The module, written in Ruby, forges HTTP requests (both GET and POST) to simulate a user logging into the web service. By checking the responses, the module determines whether the authentication succeeded and reports the information to the user. This is often

Dispelling The Myths Of Facebook Privacy And Security

2011-02-25T11:53:00.000-05:00

There are many misconceptions about the security of Facebook, Facebook applications, and the frequent scams that seem to plague the world’s largest social network. To help set the record straight, I would like to shed a bit of reality on the most common myths about Facebook security and privacy today. These are real examples of statements that I have encountered regarding Facebook and their

Visa Introduces Technology Innovation Program (TIP) for Merchants

2011-02-25T11:51:00.002-05:00

Visa announced on February 9, 2011 that as of March 31, 2011, Visa will allow qualifying merchants outside the U.S. to discontinue their annual Payment Card Industry (PCI) On-Site Assessment. Visa has introduced the Technology Innovation Program (TIP), which essentially will apply to those merchants that meet the following requirements... Read more on SecureState's new blog http://

FERPA, HIPAA’s Immature Cousin, Says ‘Happy Data Privacy Day!’

2011-02-25T11:50:00.002-05:00

Today I thought it would be interesting to compare HIPAA and FERPA. Learn more at our new blog site http://blog.securestate.com/post/2011/01/28/FERPA-HIPAAe28099s-Immature-Cousin-Says-e28098Happy-Data-Privacy-Day!e28099.aspx

Small Goals Lead to Bigger Results

2011-02-25T11:47:00.001-05:00

Why are there shelves, sometimes figuratively, sometimes literally, full of projects that money was spent on with little end result? Projects left incomplete, never verified as meeting their intended reasons for purchase? Find out more at SecureState's new blog http://blog.securestate.com/post/2011/01/27/Small-Goals-Lead-to-Bigger-Results.aspx

SiteScape Forums TCL Injection Exploit Released

2011-02-25T11:45:00.003-05:00

SecureState released new details on a vulnerability regarding TCL code injection in SiteScape Enterprise Forums. This web application provides a large scale collaborative environment that many organizations use for communication and documentation. This vulnerability, originally released in 2007 as CVE 2007-6515, stated only that SiteScape could be exploited to execute Tool Command Language (TCL)

Picking The Right Lock

2011-01-11T09:43:00.000-05:00

This past weekend several of us attended an excellent two-day training session on lock security offered by Schuyler Towne of Open Locksport. Two full days of picking locks, impressioning keys, and opening handcuffs brought physical security to the forefront for me. It seemed like the perfect time to do an overview of some of the popular non-destructive lock bypass techniques, and the ways we can

Increasing Security With Chroot Jails

2011-01-11T09:42:00.004-05:00

In the world of information security, you have to assume that hackers will get into your network. Whether using a zero-day exploit, sending malicious emails to your employees or taking advantage of poor coding in use on your webpage, attackers are coming for you. Your job as an administrator is to make it as difficult as possible for an attacker to gain access as well as being able to detect and

January 5th, The Most Stressful Day of the Year – But It Doesn’t Have To Be For You And Your Information Security Program!

2011-01-11T09:40:00.000-05:00

Recently I read an article stating that January 5th is the most stressful day of the year. This is based on a number of factors including the holidays ending, work resuming, cold gloomy weather, etc. While I can’t attest to whether this is true, I can share a few thoughts if information security is adding to your stress level! Read the rest on our new blog site - http://blog.securestate.com/

New SecureState Blog

2011-01-07T14:35:00.000-05:00

Check out our new blog site here!

Do Your Homework

2010-12-15T12:10:00.000-05:00

Every one of our competitors says they perform penetration testing. We’ve found that what they call penetration testing often times is nothing more than a vulnerability scan with automated tools. Every one of our competitors says they perform information security risk assessments. We’ve found that what they call a risk assessment is really a gap assessment against a suggestive controls

Why You’re Probably Not Ready for DLP Software

2010-12-09T10:53:00.000-05:00

Data Loss (or Leakage) Protection (DLP) has been a hot topic for a while now, and while as a concept DLP has a lot of merit, most organizations are not ready to implement. The concept of Data Loss is fairly simple; it is the movement of Intellectual Property or Personally Identifiable Information (PII) from its intended place of storage or path of transmission. As a general rule, a known

Reassess Your PCI Scope: Virtual Terminals

2010-12-02T17:19:00.000-05:00

At the annual PCI Community Meeting in September, the PCI Security Standards Council (SSC) made it clear that interpretation of the standard and requirements has not been performed in the same manner throughout the industry. Some of the goals of the new standard are to improve verbiage in order to clarify the intent of individual requirements and understanding how to scope your cardholder data

A (quick) theorem on the symbiosis of Risk Management, Security, Operations, and Audit in a mature Security Program -or - How I Learned to Stop Worrying and Love the Venn

2010-11-23T11:48:00.000-05:00

Recently I had a conversation with a colleague about the relative symbiosis among organizational divisions and how it always plays a huge role in the effectiveness of a given process. We agreed that this is particularly true when that process involves securing information that is critical to the business. Because of the importance of segmenting responsibilities between groups, the protection of

Padding Oracle Attack

2010-11-15T16:47:00.008-05:00

Whenever I talk about the ASP.net padding oracle attack the common response is “we don’t use oracle.“ While Oracle has its own list of vulnerabilities this is not the oracle we will talk about here. The padding oracle attack has been out for a while in applications such as ruby on rails and JavaServer faces. It has gained recent fame due to the discovery of it affecting ASP.net. This

SAQuestionable

2010-11-15T10:25:00.001-05:00

Although the PCI regulation is great for making companies which otherwise would do nothing with regard to security do something, I often find myself questioning the logic of the Payment Brands. Merchants that fall below a Level 1 or rather have a transaction volume less than 6 million annually (with regard to VISA, Mastercard, and Discover transactions) only have to fill out a self assessment

Decoding PHP Backdoor

2010-11-08T09:12:00.031-05:00

I recently received a request to analyze a suspicious PHP page captured from a user’s Internet history. On the surface it was a typical investigation regarding inappropriate use of a company system based upon the name of the PHP page: “sex.php”. But there was more to this page aside from the content that generated the initial concern. It was the probability that pages such as these use common

May I Have Some Security with My Switching?

2010-10-20T10:10:00.002-04:00

Over the past decade, we have witnessed a transition within security. From a product standpoint, we have started to depart from the dichotomy of IT centric versus security focused products. This divergence can be witnessed in network switches. In the past, security was focused on the perimeter with little attention given to the internal network. Behold the security in a box product, the

Want Budget; Use Metrics

2010-10-14T16:56:00.002-04:00

We have all heard the business adage that you cannot manage what you don’t measure. For those in Information Security or Information Technology, this can have far-reaching implications. Without concrete data to query and present, business unit leaders are left wanting. It is difficult to grasp the importance of security or its necessity if there is nothing to back it up. A sound Metrics

The Five-Step Compliance Shuffle

2010-10-07T17:37:00.001-04:00

If you are in charge of IT and/or Security and you do not have that compliance and/or auditor twinkle in your eye, you might twinge each time someone says PCI, HIPAA, ISO, GLBA, SOX, or any other regulation or evil acronym that might be thrown your way. Depending on your environment and your experience with compliance, the hardest part is knowing what applies within your organization. If faced

Join The Community – Cleveland Security Groups

2010-09-16T23:03:00.001-04:00

Say what you like about Cleveland. One thing you cannot debate is Cleveland has a very strong security community. This can clearly be seen in the number of security groups located in the area. In this blog post I simply provide a list of all the security groups I am aware of in the area. I encourage anyone who is interested in security to attend some of these meetings to learn and network

SSL Wars: The Return Of The SSLi

2010-09-09T17:39:00.006-04:00

The content of my last few posts has looked at SSL implementations and vulnerabilities. Today’s post is no different, as I will be discussing the importance of patching vulnerabilities in specific implementations of SSL. I have always found it ironic when vulnerabilities are discovered in technologies which have the sole purpose of providing security. As of late a couple of interesting SSL

Information Security Policies and Procedures, Part 6

2010-09-07T15:19:00.004-04:00

This is part of an ongoing series on documentation development. Please be sure to read the previous posts in this series.Part 1 , Part 2 , Part 3 , Part 4 , Part 5Knowing Your AudienceA natural human behavior is assuming that the majority of the world’s people are similar to us; similar in thoughts, assumptions, knowledge, opinions etc. Psychologists may see this as the consensus effect, a form

Getting OSSEC To Parse Auditd

2010-09-03T16:34:00.002-04:00

“Everyone wants a logYou're gonna love it, logCome on and get your logEveryone needs a loglog log log” – Ren and Stimpy I use OSSEC pretty regularly on Linux and Windows servers. It is incredibly useful because of its ability to parse and correlate a large number of log formats, as well as granularly react to logs based on rules that, out of the box, encompass a large amount of what I consider

Information Security Policies and Procedures, Part 5

2010-08-30T12:56:00.004-04:00

This is part of an ongoing series on documentation development. Please be sure to read the previous posts in this series.Part 1 , Part 2 , Part 3 , Part 4 , Part 6In this installment, we will discuss fonts, and then move on to additional structural elements necessary in documentation, starting with policies.Does the font matter? Certainly. As I mentioned in a previous post, if your

SSL Wars: The SSL Strikes Back

2010-08-26T15:41:00.005-04:00

In my last few posts I reviewed some of the SSL type vulnerabilities. These vulnerabilities were the result of SSL misconfigurations. Today I will address a client side SSL/TLS exploit.How many people do you know who access secure websites by typing HTTPS://www.securesite.com in the address field of their browser? The vast majority of people just place the website name (www.securesite.com) in the

Information Security Policies and Procedures, Part 4

2010-08-26T08:24:00.006-04:00

This is part of an ongoing series on documentation development. Please be sure to read the previous posts in this series.Part 1 , Part 2 , Part 3 , Part 5 , Part 6The formatting and structure of documentation may not seem like the most enthralling topic, and in many (most) ways it is not. It is however one of the most important elements of effective documentation. Delivering information

Hacking Your Location With Facebook Places

2010-08-21T21:04:00.025-04:00

Facebook recently released a new feature called "Places" which aims to tap into the growing location based services market made popular by other social networks like FourSquare and Gowalla. Facebook Places allows you to "check-in" to a location with your mobile device. You can check-in with the official Facebook application for the iPhone or Android or you can use the Facebook mobile site:

The Importance of Validation

2010-08-20T14:11:00.002-04:00

A vulnerability assessment is an important element in understanding a company’s threat profile. When performing a vulnerability assessment, it should include more than just running a scan, printing a pretty report and sending it out to a client, management, or administrator. It must also be about confidence and accuracy. What makes you confident in the report you send to a client, your management

The DDoS Threat: The New Punctuated Equilibrium

2010-08-17T12:42:00.002-04:00

On August 7, 2010, DNS Made Easy underwent an outage that was caused by a Distributed Denial of Service (DDoS) attack. While the outage for many companies was sporadic, it lasted for multiple hours in regions of the west coast of the United States. Over the course of the past eight years, DNS Made Easy has prided themselves on their 100% uptime. A blow like this can affect a company’s public

Information Security Policies and Procedures, Part 3

2010-08-17T11:33:00.007-04:00

This is part of an ongoing series on documentation development. Please be sure to read the previous posts in this series.Part 1 , Part 2 , Part 4 , Part 5 , Part 6While we are still at the beginning stages of preparing to develop policies, procedures, and related documentation, it is important to mention a few things not to do.Do Not Repurpose/Borrow the Work of OthersSearch engines

XFS 101: Cross-Frame Scripting Explained

2010-08-12T13:12:00.019-04:00

Cross-Frame Scripting (XFS) is an attack related to cross-site scripting (XSS) and is commonly misunderstood from both offensive and defensive standpoints. This blog’s aim is to clear up confusion regarding what it means, what vulnerability it is exploiting, and a survey of suggested fixes available.XFS exploits a bug in specific browsers that allows a parent frame to be exposed to events in an

Information Security Policies and Procedures, Part 2

2010-08-10T16:21:00.012-04:00

This is part of an ongoing series on documentation development. Please be sure to read the previous posts in this series.Part 1 , Part 3 , Part 4 , Part 5 , Part 6Knowing which policies are necessary in your environment can be a challenge. Most organizations will have at least some formalized policies. Many of these are in response to legal requirements (HR policies) or specific

A Week of Security in Vegas: Black Hat, Bsides, & Defcon

2010-08-09T00:25:00.006-04:00

Towards the end of summer each year the information security world descends on Las Vegas for a week of training, discussion and the disclosure of a year’s worth of quiet research. I’ve been attending off and on for years, and was joined this year by several of my new SecureState co-workers from Profiling and Risk Management.The week started off with the biggest, and most expensive of the 3

Moving To The Cloud Primer

2010-08-05T16:40:00.003-04:00

Everywhere you look, there are articles, research and analysis on the topic of cloud computing. It has even been termed, “the most significant shift in information technology in our lifetimes.” The positive aspects are exciting and offer many benefits, including access to applications, storage for legacy data, and powerful computer processing -all with the click of a mouse. For companies that

Information Security Policies and Procedures, Part 1

2010-08-03T16:29:00.010-04:00

Note: This is part of an ongoing series on documentation development. Please be sure to read the previous posts in this series.Part 2 , Part 3 , Part 4 , Part 5 , Part 6Policy writing can be a daunting task, and one for which many are not overly enthused. However, Policies and Procedures are an integral part of any information security program. Not only do they provide direction and

Vulnerability Assessments are not Penetration Tests!

2010-08-02T09:37:00.003-04:00

Too often I, as well as many of my co-workers, go into a client and throughout whatever assessment I am working on, general questions come up like, “when’s the last time you’ve had a pen test?” And the client responds, “Ohhh, we do those annually with ‘Some Corporation.’ ” And after looking at ‘Some Corporation’s’ website and seeing what they consider to be a penetration test, I am again

Tabnabbing

2010-07-23T16:20:00.005-04:00

I was recently interviewed on News Channel 5 about Tabnabbing which is a new technique that can be used for phishing. Tabnabbing is where one of your browser tabs changes, usually without your knowledge, to an attacker controlled website. Usually the website changes to something that looks familiar to the victim like Gmail, Facebook or Twitter. This can usually trick the victim to think that

Be An Information Security Green Beret

2010-07-22T15:43:00.002-04:00