Information Security Short Takes

Google's Ratproxy Web Security Tool for Windows

2008-06-19T12:27:00.000-07:00

In our previous post, we announced the new security tool - Google's ratproxy. It functions as a proxy, much like paros.
Shortinfosec has compiled ratproxy v1.51 on windows.

You can download compiled ratproxy-1.51.exe for Windows here

Verification sums:
ratproxy-1.51.exe SHA1SUM 42dbe6ffa00a3987f32b19a7c6e9ca84240db157
ratproxy-1.51.exe MD5SUM c41acfd5ab7874dfef3970ac52eb2a9b

In order to run it, you need to download and install cygwin runtime, since ratproxy is dependant on several cygwin libraries. Do not forget to update your path variable to include c:\cygwin\bin.

Quickstart
To run it, use the following steps

create a report directory (report_outdir)
type ratproxy -v report_outdir -w report_filename -lfscm
reconfigure your browser to use proxy on address localhost:8080
Start browsing, ratproxy will create reports.

Report parsing
Copy the report generator from this location, and create a file from the text. It's a bash script, so You should run it from a cygwin shell. Make sure that it's a UNIX formatted file (LF/CR), otherwise the shell will report errors.
http://code.google.com/p/ratproxy/source/browse/trunk/ratproxy-report.sh?r=9

It creates a HTML report from the raw report generated by ratproxy.

Related posts
Ratproxy - Google Web Security Assessment Tool

Talkback and comments are most welcome

Information theft - Minimize targets of opportunity

2008-06-19T12:26:00.000-07:00

Information theft is not always a planned and systematic process. A lot of people can become attackers should an opening present itself, for a several motives, most frequently greed. To minimize such incidents, a company needs to be vigilant against "targets of opportunity" within their company.

By a military definition, a target of opportunity is a visible target within range of available weapons against which attack has not been scheduled or planned.
Similarly, by an information security definition, a target of opportunity is an unmonitored information carrier resource within grasp that not been scheduled or planned for theft.

Under both definitions, an attacker might decide that the target is valuable enough to be taken, and performs an attack.
Information Targets of opportunity can take many forms:

Unattended confidential documents left in an unmonitored environment (on the desk in an empty office, in the coffee room, on the network printer, on the photocopier...
Unattended information carriers (USB, CD-ROM, smart card, laptop) left in an unmonitored environment. Stolen for any purpose, most simply because USB's can be used or sold. Whatever is contained therein is additional value
Unlocked (and open) documentation cabinets in visitor accessible spaces. All it takes is for someone to reach in and grab a set of papers, for later review.
Unattended key chains with keys to documentation cabinets - simple walking and taking a key-chain can go utterly unnoticed
Unattended Laptops in public spaces (left in airport lounges, cafes, malls unmonitored laptops can easily be stolen, simply for the face value of a computer. Any information contained therein is additional value
Improper transport or transport by unauthorized personnel of systems from IT to the business or from the business to IT - unmonitored systems due to improper transport can be stolen or dismantled, simply for the face value of the components. Any information contained therein is additional value

There is no systematic method to deem which targets will be deemed valuable enough by which attackers, so a company needs to cover all possible bases.

Controls to minimize Information Targets of opportunity:

Create and rigidly enforce formal company procedures for clear desk policy (no unnecessary documents left on the desk)
Create and rigidly enforce a formal company procedure for securing of all media containing company information
If technically possible, encrypt content on all media containing company information (especially USB and Laptops)
Where technically possible, implement self-locking document cabinets with a non-contact lock, so there will be no keys left in the lock
Where technically possible, implement authorized printing on network printers - the person who printed a document has to authenticate on the physical printer before printing commences, thus confirming physical presence of the owner of printout.
Where legally allowed, implement video surveillance. Video surveillance is always an excellent deterrent for attacks of opportunity, since they are not systematic.
Create and rigidly enforce system transport rule set - who is authorized to take, transport and deliver a system from the business to IT and vice-versa. Never entrust an outsider with such transport, regardless of personal trust, unless formal contracts and security verifications are in place.

Risk of losing backup media - real example
8 Tips for Securing from the Security expert

Talckback and comments are most welcome

post1

2008-05-02T12:05:00.000-07:00

sdfklasjdfkaj;sdfksdfklasjdfkaj;sdfksdfklasjdfkaj;sdfksdfklasjdfkaj;sdfksdfklasjdfkaj;sdfksdfklasjdfkaj;sdfksdfklasjdfkaj;sdfksdfklasjdfkaj;sdfksdfklasjdfkaj;sdfk

sdfklasjdfkaj;sdfksdfklasjdfkaj;sdfk
sdfklasjdfkaj;sdfk
sdfklasjdfkaj;sdfk
sdfklasjdfkaj;sdfk

sdfklasjdfkaj;sdfksdfklasjdfkaj;sdfksdfklasjdfkaj;sdfksdfklasjdfkaj;sdfk

sdfklasjdfkaj;sdfksdfklasjdfkaj;sdfksdfklasjdfkaj;sdfk
sdfklasjdfkaj;sdfk
sdfklasjdfkaj;sdfk
sdfklasjdfkaj;sdfk
sdfklasjdfkaj;sdfk