ever get this error in firefox?

if i accept an ssl certificate with an attack proxy (such as Burp Suite) in the middle, then later go back to the same site without the proxy, i get this error.

and i can’t do anything about it.

not fun.

:/

Recently a financial-sector client contacted me about tools and techniques for security and reputation monitoring. Their web site had just been scraped and stood up under a similar-looking domain. It was apparently a simple identity theft attack (on arbitrary users), but it scared them nonetheless.

Wanting to prevent, or at least minimize, the risk of this type of thing, they needed some simple reputation and keyword monitoring tools, so we came up with a few immediately:

  • Google Alerts – The best place to do basic reputation and keyword monitoring. You can set up RSS feeds or daily/weekly/instant emails that alert you when a new page containing the keyword is indexed.
  • Twitter Search – Get notified any time a keyword is mentioned on Twitter. Also very useful.

You’ll want to pick some keywords to monitor. Other folks have talked specifically about what keywords you should be monitoring. It’s also a good idea to monitor your own website for those specific keywords with Google’s power search operators (inurl: and site:):

  • inurl:KEYWORD
  • inurl:COMPANY.COM KEYWORD
  • site:COMPANY.COM KEYWORD

Then we started thinking about monitoring for more direct IT security issues. Several things came to mind immediately.

You should be monitoring your domain to ensure you don’t have any Google dorks showing up within it, i.e. indexed pages that leak error messages or other telltale strings. You can do that by setting up Google Alerts such as:

  • site:COMPANY.COM “ORA-00921”
  • site:COMPANY.COM “ODBC”
  • and so on for the entire GHDB. Note that there are tools out there that help with this, such as MRL’s SEAT or cDc’s Goolag.

You’ll definitely want to get analytics on your website and monitor where your users are coming from. This will provide additional lists of sites that are linking to you. There are also some IRC channels and forums it would be handy to keep an eye on; we’ll save that for the commercial version of this article ;)

Thinking a bit more in-depth about what classes of things you’d want to monitor, I came up with a few classes:

  1. Direct conversation about your company, brand, people, or reputation. (Twitter, Google Alerts)
  2. Disclosure of vulnerabilities in your company’s own software or web site. (XSSed, GHDB searches)
  3. Disclosure of vulnerabilities in critical (debatable) third-party software your company is running. (Full Disclosure, various vendors)
  4. Current threat levels / what sort of attacks are other companies seeing? (isc.sans.org, mailing lists)

Thoughts? Other sources which should be monitored?
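As an added example (my own, not code from the original post), here is a small Python triage script that reads a Google Alerts feed and sorts each hit into the classes above: a lookalike domain carrying the brand name (class 1, and the exact attack that prompted this post), a GHDB-style error string showing up on the company’s own site (class 2), or a plain mention in conversation. The brand, the company domains and the feed itself are constructed sample data; that the alert feed is Atom and that its entry links are wrapped in a google.com/url redirect with the real target in the `url` parameter are assumptions about the feed format, not something the post states.

```python
"""Triage Google Alerts hits for brand and dork monitoring.

Added example, not code from the original post. Assumptions: the alert feed is
Atom, entry links are google.com/url redirects carrying the real target in the
`url` query parameter, and BRAND, OWN_DOMAINS and SAMPLE_FEED are constructed.
"""
import xml.etree.ElementTree as ET
from urllib.parse import parse_qs, urlparse

ATOM = "{http://www.w3.org/2005/Atom}"

BRAND = "examplebank"                                     # keyword being watched (constructed)
OWN_DOMAINS = {"examplebank.com", "www.examplebank.com"}  # hosts we actually run (constructed)
DORK_STRINGS = ["ORA-00921", "ODBC"]                      # GHDB-style error signatures from the post

# Constructed sample feed: a lookalike domain, a normal own-site hit, an own-site
# page leaking an Oracle error, a forum mention, and a typosquat ("rn" for "m").
SAMPLE_FEED = """<?xml version="1.0"?>
<feed xmlns="http://www.w3.org/2005/Atom">
  <entry>
    <title>ExampleBank Online Banking - Sign In</title>
    <link href="https://www.google.com/url?rct=j&amp;sa=t&amp;url=http://examplebank-secure-login.net/signin&amp;ct=ga"/>
    <content>Sign in to your ExampleBank account to continue.</content>
  </entry>
  <entry>
    <title>ExampleBank Q2 results</title>
    <link href="https://www.google.com/url?rct=j&amp;sa=t&amp;url=https://www.examplebank.com/news/q2&amp;ct=ga"/>
    <content>ExampleBank announces second quarter results.</content>
  </entry>
  <entry>
    <title>Report</title>
    <link href="https://www.google.com/url?rct=j&amp;sa=t&amp;url=https://www.examplebank.com/app/report.jsp&amp;ct=ga"/>
    <content>java.sql.SQLException: ORA-00921: unexpected end of SQL command</content>
  </entry>
  <entry>
    <title>Is examplebank safe? - some forum</title>
    <link href="http://forum.example.org/thread/123"/>
    <content>anyone else had problems with examplebank support?</content>
  </entry>
  <entry>
    <title>Exarnple Bank</title>
    <link href="http://exarnplebank.com/"/>
    <content>Welcome to our online banking portal.</content>
  </entry>
</feed>
"""


def unwrap_link(href):
    """Return the destination behind a google.com/url redirect, else href unchanged."""
    u = urlparse(href)
    if u.netloc.endswith("google.com") and u.path == "/url":
        target = parse_qs(u.query).get("url")
        if target:
            return target[0]
    return href


def edit_distance(a, b):
    """Levenshtein distance; a small value against BRAND flags a typosquat."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def classify(title, url, content):
    """Map one alert hit to a monitoring class.

    own-site / dork-hit -> one of our domains, the latter leaking a DORK_STRINGS error
    lookalike-domain    -> brand inside a host we don't own, or a label within 2 edits of it
    mention             -> brand only appears in the text (conversation about us)
    """
    host = urlparse(url).hostname or ""
    text = (title + " " + content).lower()
    if host in OWN_DOMAINS:
        if any(sig.lower() in text for sig in DORK_STRINGS):
            return "dork-hit"
        return "own-site"
    labels = host.split(".")
    sld = labels[-2] if len(labels) >= 2 else host  # second-level label, e.g. "exarnplebank"
    if BRAND in host or edit_distance(sld, BRAND) <= 2:
        return "lookalike-domain"
    if BRAND in text:
        return "mention"
    return "other"


def triage(feed_xml):
    """Parse an Atom alert feed and return (class, real_url) for each entry."""
    root = ET.fromstring(feed_xml)
    results = []
    for entry in root.findall(ATOM + "entry"):
        title = entry.findtext(ATOM + "title", default="")
        content = entry.findtext(ATOM + "content", default="")
        href = entry.find(ATOM + "link").get("href", "")
        url = unwrap_link(href)
        results.append((classify(title, url, content), url))
    return results


if __name__ == "__main__":
    for cls, url in triage(SAMPLE_FEED):
        print(f"{cls:18} {url}")
```

Point it at a saved copy of a real alert feed and the two classes worth paging someone about are `lookalike-domain` and `dork-hit`; `mention` is what you skim once a day. The edit-distance threshold of 2 is a starting point, not a rule: it catches single-character swaps and "rn"/"m" tricks but will also flag unrelated short labels, so tune it against your own brand length.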



IMG_0231, originally uploaded by jonathancran.

notice anything conspicuous about those serial #’s?

in the interest of not biting the hand that feeds (or waters…) us, i’ve reduced the list to a simple listing of the available parties on a given night, unless it’s been cleared with the party host. note that most (if not all) of them are private, and you will need to be on the list / know the secret handshake to get in.

tuesday (07/28/2009)

  • Speaker Party

wednesday (07/29/2009)

thursday (07/30/2009)

  • Securosis/Threatpost Disaster Recovery Breakfast
  • Syngress Tweetup
  • Core Security
  • SecurityTwits
  • Microsoft
  • Security B-Sides
  • McAfee
  • NetWitness

friday (07/31/2009)

  • AR

saturday (08/01/2009)

  • I-Hacked / PaulDotCom
  • EdgeOS

shoot me a message @jcran if you’ve got something to add to the list.

that’s okay, a vanity phone number will do. google voice now allows you to search for numbers when you sign up. it’s the little things.


and you can find me at: http://www.facebook.com/jonathan.cran. :)

i currently have the worst bio i’ve ever seen. must fix that.

fyi, wordpress has issues:
http://seclists.org/fulldisclosure/2009/Jul/0057.html (thank you, core)

A vulnerability was found in the way that WordPress handles some URL requests. This results in unprivileged users viewing the content of plugins configuration pages, and also in some plugins modifying plugin options and injecting JavaScript code. Arbitrary native code may be run by a malicious attacker if the blog administrator runs injected JavaScript code that edits blog PHP code. Many WordPress-powered blogs, hosted outside ‘wordpress.com’, allow any person to create unprivileged users called subscribers. Other sensitive username information disclosures were found in WordPress.

Google Voice turns out to be really handy for phishing attacks. When you send out a phishing email, it’s useful to include a phone number, in case of any issues with the attachment, link or other payload.

Google Voice gives you a new, anonymous number which you can route wherever you’d like (cell, office, etc.). Additionally, you can configure the voicemail greeting to quickly impersonate the local admin or security officer.

The killer feature, however, is the voicemail recording and transcription. Never again do you have to wade through a voice-driven mail system. Now, it simply dumps into your inbox for easy inclusion into a report. Additionally, you can download, email and share (via unique URI) voice messages.

Good for demonstrating that you can’t trust links AND phone numbers.