HACKING DATA 11/11

Latest News From IT Security World
By Schuyler Dorsey, eLearnSecurity i ID Theft Protect
As usual specialists from companies eLearn Security and ID Theft protect will share with us latest news from IT
security world. Read it to up-date yourself.

Secure Log Server With Rsyslog
By Leonardo Neves Bernardo
This article will discuss how to create a secure syslog server using rsyslog. It is covered how to protect syslog messages with Transport Layer Switching (TLS). Some advanced rsyslog configurations will be covered. Logs are one of the most important security assets inside IT environments. Without logs it’s almost impossible to follow audit trails. There are a lot of types of logs and some types are very different from others. Sometimes the sources of logs are different, for example from a Unix system, windows system or network appliance. Sometimes logs are generated from operating systems and sometimes are generated by applications, moreover, you can generate your own personal log message.

Block Urchin Injection Attacks
By Rebecca Wynn
This article will take you through fingerprinting recent SQL Injection/Cross-Site Scripting (XSS) attacks (injecting malicious scripts into web pages and databases by an attacker) on web servers and how to use Microsoft Internet Information Services (IIS) Manager or the web.config file directly as a firewall and intrusion prevention system (IPS). It will also show you additional security coding techniques. You will learn: Jjghui & Nbnjki injection scripts, how to use Microsoft IIS 7 for SQL Injection Filtering and SQL Injection prevention.

iOS Insecurities
By Joseph Peloquin
This article will delve into some of the primary threats facing users of iOS devices, but rest assured, there is much more to learn than what is presented here. It is the author’s goal to create awareness, and steer readers just getting interested in mobile security in the right direction. Self-learning is a critical skill for mobile security practitioners, due in part to a lack of detailed information and because the amount of incomplete and misinformation available is extraordinary. The debate over whether Apple iOS or Google Android security is better may turn out to be eternal, with no clear winner ever decided. Just when it seemed iOS may finally be able to claim an edge, due primarily to the completely broken approach of the Android Market, iOS clobbers itself with the release of iCloud. It is too early to discuss the security, or insecurity, of iCloud, but rest assured that research is underway to uncover both potential attack vectors and possible mitigating controls of this great consumer-targeted feature that doubles as arguably one of the biggest potential threats facing enterprises and consumers alike as iOS 5 is adopted.

Security Recommendations for Virtual Infrastructure VMware ESX 4
By Eng. Alberto Aragón Alvarez
Virtual Platforms have reached a stable reliability; allowing worldwide Datacenters to take advantage of this technology to deploy their servers and optimize the use of hardware resources. As with every technology, it has security vulnerabilities that can jeopardize the services installed over this platform. The security issues on VMware ESX 4 is a very wide topic, here you will find some important recommendations to accomplish a moderate level of security.

Building a Robust Web Application Security Plan
By Narainder Chandwani
A compromised website can result in bad public relations, media glare and loss of consumer confidence. Internally accessible HR portals contain sensitive personally identifiable information (PII) information such as social security numbers, identification data, salaries and other information that could help identify employees or allow a rogue employee or contractor to steal corporate secrets. A compromised website can result in bad public relations, media glare and loss of consumer confidence. Internally accessible HR portals contain sensitive personally identifiable information (PII) information such as social security numbers, identification data, salaries and other information that could help identify employees or allow a rogue employee or contractor to steal corporate secrets. Because of the increasing threat posed by web applications, authorities and government have intervened to provide guidelines and compliance standards. It has become more important than ever for companies to have a robust web application penetration testing (WAPT) process, guidelines and methodology in order to protect them from cybercrime and to meet compliance requirements. These requirements are often industry specific.

Best Practices in UNIX Access Control with SUDO
By Leonardo Neves Bernardo
This article will discuss about security related issues at sudo environments. Will be evaluated advantages and disadvantages of to centralize sudo with LDAP back-end. Another issue summarized in this article is about taking care with content of sudo registers. In the early days of UNIX, there were only two kinds of users: administrators and common users. Until now, this structure remained in the same model. Nevertheless, in our day by day activity, it is very common to meet some situations where it is necessary to delegate some responsibilities to operational groups and the others, who are not administrators nor common users. Some administrators do some insecure techniques like: sharing of root passwords, creation of users with uid 0, changes in file permission, and so on. These techniques are a solution for the immediate problem, but don’t follow least privilege principle.

HTTPS Everywhere
By Mervyn Heng
HTTPS Everywhere is a Firefox extension that was developed and is maintained by the Electronic Frontier Foundation (EFF). It was first released in June 2010 and is not available from Mozilla but can be downloaded from EFF’s site (https://www.eff.org/files/https-everywhere-latest.xpi).

A View from the Front Line: Hackers, Mass Unrest and the Financial Sector
By Drake
This month, Drake interviewed the security manager of a leading international financial sector business. To preserve his anonymity, we’ll refer to him as “Dr. X”. Find out what he said!