2013
05.21

I wrote a post about detecting rogue virtual machines a while ago. Today I am publishing my script for getting a list of MAC addresses and their manufacturers. It is easy to add an if statement and make this script detect virtual machines. This is just a start; if I get some time I [...]

2013
02.23

After running several projects, I have observed some very interesting things about the management of security projects. Stakeholders usually have a very limited focus. For example, if there is a project about network security, they don’t think about how to implement some part of the project in, say, an application security project. Moreover, stakeholders usually have a lack of [...]

2012
10.01

There is no doubt that the most popular post I have written so far is "How FF store your passwords? Is it secure?" I believe the reason is that there was not enough documentation 3 years ago about Firefox’s security mechanisms. At that time I couldn’t find something simple that could read/edit SQLite databases. Now I [...]

2012
09.30

The cyber world is a dangerous place. Governments and private industries become more and more aware of this danger every single day. What about citizen Joe and citizen Anna? Are they aware of the cyber threats? Do they know how cyber threats can take all of the hard-earned money they put into banking [...]

2011
11.12

Well, time to be honest with ourselves, dear security community. Even if we have firewalls, IDSs, IPSs, antiviruses, SIEMs, etc., our systems are not secure and will not be secure, since there is no such thing as security. I know some of you have now become angry and are thinking of counterarguments, but seriously think about [...]

2011
11.09

One of the great things about Mac OS X is that it is based on Unix. One of the greatest things in Unix is its terminal. However, on my new Mac I see that I need to re-type every command, even one I have just typed before… Usually you expect your command to be stored in .bash_history [...]

2011
10.17

Security techniques are getting better and better. Account recovery is one example of this. Previously, we had people answer their security questions (which might be well known to other people) and give their password: "How To Hack A Celebrity: Miley Cyrus Is An Idiot Edition". If you set up your second e-mail [...]

2011
07.31

In my previous PCI blog post we discussed the risk levels of vulnerabilities for PCI. In this blog post I will go over wireless requirements and how to detect rogue APs. 11.1 Test for the presence of wireless access points and detect unauthorized wireless access points on a quarterly basis. Note: Methods that may be used [...]

2011
07.24

We have lots of passwords to remember: workstations, servers, banks, forums, mail, etc. This makes forgetting passwords easier. Today I would like to mention how to remove/reset the admin password on Windows. I am going to use chntpw. chntpw is a Linux utility to (re)set the password of any user that has a valid [...]

2011
07.23

PCI requires you to have both external and internal vulnerability scans. We will discuss them in detail later. Today I will focus on the risk rankings that PCI uses for vulnerabilities. PCI DSS requirement 6.2: Establish a process to identify and assign a risk ranking to newly discovered security vulnerabilities. Notes: Risk rankings should be [...]
