Thursday, April 30, 2009

10 Security Tips When Traveling with Your Laptop

I wrote these 10 tips with reference to Internet sources and my personal experience. When I did security consulting I traveled a lot; the best tip I can recall is that I wrote something on the default paper card inside my laptop bag: "If you get this laptop, please call xxxxxx (my cell number), I will give you CNY1500 in cash face-to-face!" -- enough money for an old IBM R51. But fortunately my laptop didn't get lost in all those years, so I could not confirm whether this tip works or not :)

Another tip not included below is to eject the hard disk from your laptop and keep it with you before boarding the plane.

  1. Back up valuable data before traveling. Use removable storage to back up your important and sensitive files, and keep it in a safe place.
  2. Avoid traveling with a laptop bag that is obviously meant for a laptop. The more generic looking your laptop bag is, the safer your laptop will be.
  3. Don't put your laptop in your checked luggage.
  4. Label your laptop with your name and contact information. This will help airport lost-and-founds contact you easily.
  5. Be careful at the security checkpoint. Always wait for the person in front of you to leave the area first. It is common practice for thieves to create a distraction and snatch a laptop while it is out of its owner's hands.
  6. Never let your laptop out of your sight. While you are at the airport -- in the bathroom, on the phone, or in the lounge -- always keep your computer bag on your shoulder.
  7. Once you board the plane, keep your laptop bag under the seat in front of you. Don't put it in the overhead bin, where it could get stolen or damaged.
  8. Be alert to who can see your laptop screen when working on a plane or other public place. Use a notebook privacy filter when you must work on confidential information in public locations.
  9. Put your laptop in the hotel safe when you are not using it. If you leave your hotel room, place your laptop in a secure cabinet in the room.
  10. Keep your firewall enabled and update to the latest anti-virus definitions. Block all incoming traffic, especially when you access the Internet from a hotel room or an Internet cafe.

Tuesday, March 17, 2009

Book: Hacking Exposed, 6th Edition

The best hacking book, by the former Foundstone guys, has just released its sixth edition!

  • New chapter on hacking hardware, including lock bumping, access card cloning, RFID hacks, USB U3 exploits, and Bluetooth device hijacking
  • Updated Windows attacks and countermeasures, including new Vista and Server 2008 vulnerabilities and Metasploit exploits
  • The latest UNIX Trojan and rootkit techniques and dangling pointer and input validation exploits
  • New wireless and RFID security tools, including multilayered encryption and gateways
  • All-new tracerouting and eavesdropping techniques used to target network hardware and Cisco devices
  • Updated DoS, man-in-the-middle, DNS poisoning, and buffer overflow coverage
  • VPN and VoIP exploits, including Google and TFTP tricks, SIP flooding, and IPsec hacking
  • Fully updated chapters on hacking the Internet user, web hacking, and securing code
Amazon Link

Monday, March 16, 2009

Using WebGoat to promote awareness of web/app security

WebGoat by OWASP is a good platform to learn and practice web application security. I just used it in a meeting with our app development and operations teams to show how easily a web app can be compromised when security is not considered in the design and maintenance phases.

As far as I know, the feedback is good, and they have started to show interest and ask questions about web/app security. Instead of boring slides with statistics such as threat trends, defaced pages and the distribution of phishing sites, WebGoat is a good tool to demonstrate your expertise and convince technical people.

Another tool to use alongside WebGoat is WebScarab, an HTTP proxy that intercepts client requests and server responses and lets you modify the data, that is, launch an attack.

Friday, March 13, 2009

Is accuracy in patch severity ratings worth it?

In the security community there is a commonly used standard for evaluating a patch or a vulnerability called CVSS. Many product vendors such as Cisco use it to score patches for their products, and security service vendors such as Nessus, Qualys and IBM ISS also use CVSS to calculate a score for each patch in support of their vulnerability scanner, IDS, or patch notification service.

So here comes the problem. For a given Microsoft patch, Microsoft uses its own rating method to assign a severity, usually Critical or Important. Security vendors cannot just copy this rating, because Critical patches come too often from Microsoft and they are not as critical as they appear. So other vendors create their own rating methods as well, or just follow CVSS. Of course we can guess the result: different vendors give different ratings for the same patch! I don't want to show examples here because everyone knows that.

Let's get back to the enterprise environment, where the security team delivers patches with their severity ratings. How can such a rating be accurate when the community itself has different ratings? In my opinion, only the most critical vulnerabilities should be rated High or Urgent, such as MS04-011 and MS08-067, which could let a system be taken over easily by script kiddies and automated worms. Other patches should be rated Medium or Low depending on their mechanism, with no accuracy needed between Medium and Low. The operations team then just needs to focus on the High severity patches that could affect the company's business. This should be defined in the company security policy, with a different time frame requirement for each level. So policy makers should understand these facts and write a proper policy that makes the operations team's life easier.

Tuesday, January 6, 2009

CVSS2 Base Score Offline Calculator

On the FIRST site only the v1 offline calculator can be found; all v2 calculators are now provided online only. So I modified the v1 Excel calculator into a v2 one using the new equations, but it still took me 2 hours.