Thursday, 26 November 2009

Finnish telecommunication companies like TeliaSonera, DNA and ELISA cut hundreds of Internet connections… Bastards

Finnish telecommunication companies have started to cut their customers' Internet connections because there is a threat that a worm has gained access to their computers… I mean WTF, it's everyone's personal responsibility that their computer's security is up to date. I really wonder what is behind all this shit for real… If you do not know how to secure your computer, then maybe you should get a Mac or install Linux on your computer.

The only thing that telecommunication companies are responsible for is providing access to the Internet; now they are just trying to take more power from the customer. The best part of all this is that, for example, TeliaSonera offers help from their help desk to the customer, but it's just that it costs 2€/min, what a rip-off... I believe that they will again raise the prices of the connection, like it does not cost enough yet (in some parts of this country it costs something like 70€ for 2 Mbit/s).

My tip for all of you: REBEL AGAINST THEM, RAISE A LITTLE HELL IN THEIR OFFICE; THEY CAN DO MANY THINGS IN THE OFFICE TOO, EVEN IF THEY SAY THAT THEY CAN'T…

CR3SC0 

Wednesday, 25 November 2009

YouTube Music is…


Tuesday, 24 November 2009

Mario eating Shrooms…


Regular people




CCC 26C3 Here be dragons…

Just got approval from my employer to go to the annual CCC conference in Berlin, Germany, on the 26th of December….. wuhuuu, it's going to be so cool: 4 days with my own kind of people around me. I booked and paid for the trip already….

Maybe I need to take my BackTrack 4 machine with me there, or just run it from the Mac…





Cr3sc0

A Simplified Astaro UTM now FREE to businesses

Disclaimer: I was given a demo license of the new free business product to break/review. No money has traded hands. This is my brutally honest opinion of the product.

I've played with a gamut of Astaro products, and personally I really hate UTMs, just like I do all-in-one printer/copier/faxes. One thing breaks, they all do. However, Astaro's... Before I go into my opinions of the product, or get on any soap box, here are the facts:

1. Astaro Security Gateway was already free for home use
* (works awesome for VM demos)
2. On November 16th 2009, Astaro Security Gateway “Essential Firewall Edition” became FREE to any business that wants to run a copy.
* Essential Firewall Edition is basically an enterprise-grade firewall w/ VPN and some reporting.

Why I like this product is not because it's Astaro, but because it's the bare essentials. It's exactly what a small-to-mid-size business needs so that you stop getting calls from your friend at 5 AM asking why the Linksys you put DD-WRT on to be slick is down.

There is no better gift you can give a business as an IT/Security guy than the ability to see and log. Test it out; you'll be amazed at what you see on your network.

Like I said initially, this is a brutally honest post, and I wholeheartedly believe in FREE, and one tool for one job. However, so far it's been all fluff and daisies. In coming posts, I'll show how it, and other free alternatives, break or stand up from an attack point of view.



On a side note, it works flawlessly with the iPhone ;-) – Use public wifi with no less fear, when all of your traffic is going through a VPN automagically. That'll make the boss happy.

Password/wordlist

Brute force, even though it has gotten so fast, is still a long way away from cracking long, complex passwords. That's where word lists come in handy. It's usually the cracker's first go-to solution: slam a word list against the hash; if that doesn't work, try rainbow tables (if they happen to have the tables for that specific hash type, and the hash is unsalted, since a per-password salt defeats precomputed tables); and then the full-on brute force. Some would say those first two steps are reversed, and it really is the choice of the person doing it and the word lists they have to work with.

Matt Weir and company created a cool tool that has the best of both worlds, dictionary-based rainbow tables, with Dr-Crack, which you can find here:

http://reusablesec.googlepages.com/drcrack

But back to the reason for this post: word lists. Where do you get them? Here are a couple of my favorite places, in no particular order:

http://www.packetstormsecurity.org/Crackers/wordlists/
http://www.theargon.com/achilles/wordlists/
http://www.openwall.com/wordlists/
http://www.outpost9.com/files/WordLists.html

I like to keep word lists in 3 sizes:
1. small and fast: usually based on the output of one of the tools I'm about to tell you about
2. medium: this is my custom list, to which I add passwords I find / crack and generally think are good to add. I'm pretty picky about what goes into this list
3. huge: any word list I come across gets added to this list; it gets sorted and uniqued and written back

Now, the two tools that I like for the small list are CeWL and wyd:

CeWL – http://www.digininja.org/projects/cewl.php
Wyd – http://www.remote-exploit.org/codes_wyd.html

They have very similar feature lists; your mileage may vary. But they basically parse files and web pages for words and generate password lists based on the words found.
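To make the two ideas above concrete (a CeWL/wyd-style harvester for the small list, and the sort-and-unique merge for the huge list), here is an added example written for this post; it is not the code of CeWL, wyd or Dr-Crack, and it only uses the Python standard library. SAMPLE_HTML is a constructed page standing in for a target's website, and the mangling rules (case variants, a few suffixes, a year, basic leet swaps) are an assumed starting set, not anything either tool ships.

```python
"""Harvest words from a web page and build the three wordlist tiers.

Added example for this post, not code from CeWL, wyd or Dr-Crack.
SAMPLE_HTML is a constructed stand-in for a target's site.
"""
import re
from html.parser import HTMLParser

# Constructed sample page (not a real site). Note the <script> body:
# a good harvester must not turn JavaScript into "words".
SAMPLE_HTML = """<html><head><title>Acme Widgets - Quality Sprockets</title></head>
<body><h1>Welcome to Acme Widgets</h1>
<p>Founded in 1987 by Jane Sprocket, Acme builds sprockets and widgets in Springfield.</p>
<script>var junk = "notaword";</script>
<p>Contact: sales@acme.example  Phone: 555-0100</p></body></html>"""


class _VisibleText(HTMLParser):
    """Collect visible text, skipping <script> and <style> bodies."""

    def __init__(self):
        super().__init__()
        self._skip = 0
        self.chunks = []

    def handle_starttag(self, tag, attrs):
        if tag in ("script", "style"):
            self._skip += 1

    def handle_endtag(self, tag):
        if tag in ("script", "style") and self._skip:
            self._skip -= 1

    def handle_data(self, data):
        if not self._skip:
            self.chunks.append(data)


def extract_words(html, min_len=5):
    """Words of at least min_len letters, first-seen order, case-insensitive dedupe."""
    parser = _VisibleText()
    parser.feed(html)
    text = " ".join(parser.chunks)
    seen, out = set(), []
    for word in re.findall(r"[A-Za-z]{%d,}" % min_len, text):
        key = word.lower()
        if key not in seen:
            seen.add(key)
            out.append(word)
    return out


def mangle(word, years=("2009",), suffixes=("!", "1", "123")):
    """Simple candidate generation from one base word (assumed rule set)."""
    forms = {word, word.lower(), word.capitalize(), word.upper()}
    out = set(forms)
    for form in forms:
        for suffix in suffixes + years:
            out.add(form + suffix)
    leet = str.maketrans("aeios", "43105")  # lowercase letters only
    for form in forms:
        out.add(form.translate(leet))
    return sorted(out)


def small_list(html, min_len=5):
    """The 'small and fast' tier: site vocabulary plus mangled variants."""
    candidates = set()
    for word in extract_words(html, min_len):
        candidates.update(mangle(word))
    return sorted(candidates)


def merge_wordlists(*lists):
    """The 'huge' tier discipline: concatenate, strip, sort, unique."""
    return sorted({w.strip() for lst in lists for w in lst if w.strip()})


if __name__ == "__main__":
    small = small_list(SAMPLE_HTML)
    huge = merge_wordlists(small, ["password", "letmein", "Password", ""])
    print(len(small), "candidates from the page;", len(huge), "after merging")
    for candidate in small[:10]:
        print(candidate)
```

Run it as a script to see the candidate list; in practice you would feed the output of `small_list` to your cracker and append the result of `merge_wordlists` to your huge list file. The parser skips script and style bodies deliberately, which is the kind of detail that separates a usable harvester from a dump of every token on the page.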

Simplicity is Security

Per the best of the best in presenting, what makes a good presentation slide deck? Simplicity.

I want to pose a statement: “Simplicity is Security”. The reason I say this is that in this day and age, at least in the US, ‘convenience’ is king, and we try to protect those conveniences with ‘security’. Let me start over a bit; this train of thought all started when I began to explain the insecurities in WiMAX to my wife. We saw a WiMAX device that plugged straight into your computer. I told her this was bad because by connecting to this you have no barrier between you and the ‘bad guys’ other than possibly the Windows Firewall. Her answer surprised me. ‘So?’ is all she said.

Japan doesn't use ‘check cards’ or even really credit cards, for that matter. To get such a card you need to go through a book's worth of paperwork, so it's just not ‘convenient’ for most people, so they don't get them. So guess what? They don't bank online, and they don't buy stuff online. I racked my brain to figure out what could possibly be on her computer that a ‘bad guy’ would want. I couldn't think of anything (maybe you can). The government relies on paper backups of anything electronic (so they hardly make electronic versions). Signatures are based on stamps that are difficult to copy. The worst a hacker could do on her computer is use it as a zombie, and even then, their ISPs detect and disconnect excessive use.

Where did we as “Security Professionals” go wrong? Was it the fat paychecks we wanted? Was it the fear of the ‘underground’? Reality seems to dictate that we will continue on this path from the analog to the digital, from paper and clerks to networks and AI. The question I want to ask you, though, is: should we continue down the path of “MORE SECURITY”, or should we deviate a bit toward simpler, possibly non-technical practices?

In these last two posts you may assume that I favor the Japanese culture and way of life over the US one. You would be mistaken; I simply learn, take the best parts of what I learn, and try to apply them where I can. Learning from others' triumphs and defeats, strengths and weaknesses is a basic human function that we as humanoids should embrace.