MBSA (Microsoft’s Baseline Security Analyzer) tool is now available. I’ll be downloading to play with it later.
Microsoft have released a beta of Shared Computer Toolkit for Windows XP that is suitable for computers in shared access such as libraries etc. It has features such as resetting the boot partition back to the administrator saved configuration each time the machine is rebooted (unless the administrator specifies that changes should be saved), Windows restrictions, policies etc. Looks like it could be handy (although I’d need another machine to try this out on). The local library had a copy of limewire installed on their desktop machine the other day that managed to persist after a reboot. Seeing as though this machine is *meant* to be locked down I’d like to know how that managed to get installed on the machine.
I’ve stopped (hopefully) people using my bandwidth to host their forum signatures by preventing hotlinking on this site. Hopefully that will reduce the amount of people requesting images without affecting anything else weird on the site. If you spot anything that is wrong then please let me know!
I was looking at xetrade (online currency conversion from GB pounds to US dollars and there are a few security issues I’m not happy about. Looking at Loosewires post on phishing they have the same issues – they will ring you back to confirm some bank details (which could be open to interception/spoofing.)
They then have some more worrying security issues.
- They require you to fax or email copies of your passport/social security number/birth certificate to an email address (which is stored on an exchange public folder). The fact that email is not secure is drummed into people yet they are using this method of communication to verify data. Surely a secure upload facility should be enabled on the website (the rest of the login procedure is ssl encrypted).
- Their SSL certificate expires in 3 days time – this makes me nervous.
- The “contact us if you have any security questions” link at https://www.xe.com/fx/background.htm is broken, tells you to inform the webmaster but doesn’t have a link to the webmaster for this site (it assumes the referring link comes from another site.
I’ve put these questions in an email to xetrade – will be interesting to see what they say.
xetrade reply, answering all the questions I posed (phew!)
1) We do offer a secure upload service which can be found at:
As you can see from the address (https) this is located on our secure server and will upload the files directly to our system with no public exposure.
2) The security certificate has of course been renewed and is already on our server. However, in order to complete the process we need to re-start the web server which is something we do not like to do without preparation. For your information, the new certificate should be uploaded within the next 24 hours, and most likely some time later this afternoon. Please feel free to check back at any stage to see the new certificate.
I have reported the broken link and this has now been updated. We are very careful to ensure that all of our links work correctly and I am very sorry that this link was broken. Thank you for bringing this to our attention.
3) We do understand this concern. Generally, we initiate the call to you using the supplied telephone numbers which helps us to ensure we are dealing with the person who signed up for the account. Once we have initiated the call and spoken to you, we are happy for you to call back to us to continue the conversation on our contact numbers in order for you to cross reference and check that the person you are speaking to is part of our organization.
Once again, we do fully understand your concerns, Andy, and are happy to work with you as necessary so that you are confident you are dealing with the correct people. We must however do this from within the frameworks that we are provided to ensure that we are not helping clients to launder money or fund terrorism.
I hope that this helps answer your questions but if you require anything else do not hesitate to contact us.
Before deciding to work at home, one should be well aware of certain home business facts. Not every home business opportunity is bound to succeed. And working from home does not always mean huge bucks. Just like other business opportunities there is a fifty fifty risk involved.
Whoppix is a customised knoppix bootcd for security testing (and hacking) and the main website also has some very good video tutorials on how to use some of the tools. One of them shows how to crack wep in 10 minutes (although the wep they crack is a 64 bit code and if you are using wep then you *are* using a longer key aren’t you????). As an aside, my firefox seems to hang at the end of the camtasia show but it does eventually get back to my control.
Security Forest also contains some information too.
I sat through the Social engineering webcast from the Digital Blackbelt website which had some interesting ideas about how successful social engineering hacks can be. I had actually read/heard about most of them from various sites but it did have some good ideas. (Google Hacking for penetration testers is a great source for things like this and a very interesting read. Written by Johnny-I-Hack-Stuff)
The weird thing is that it was aimed at developers, but none of the things discussed were really aimed at developer accounts, more at physical security, passwords etc. I was really expecting things on how to code to avoid possible social engineering attempts – such as when providing “forgotten password” functions on the page, don’t insist that users have to use your secret questions as often mothers maiden names are not actually that secret. (I’m the Andy that gets quoted at the end of the talk (twice))
Don’t get shocked or excited! I went to look at my site at the library yesterday and found that it was blocked. This is the first time that I am aware of that my site has made the filtering engines and been classified. Apparently it was blocked as it is on a server that hosts pornography or free sites. I know for a fact that it doesn’t host free pages and there may be some sites on the server that have adult content. However, blocking by ip address seems pretty drastic as using ip to get to the server fails as it relies on the hostheaders to direct you to the appropriate virtual server/directory on the machine – instead you get a “no website exists at this site” message.
I’ve contacted the library and SecureComputing.com who make the filter to see if I can be removed. (The library assistant didn’t have the correct password to temporarily override the filter when I asked)
There’s a work around for the idn flaw which involves creating a file on the local machine. Looks complicated for a non-techie to install but works by only allowing alphanumeric (a-z and 1-9) as characters in a url. I guess it won’t be long before an official patch comes along though.