Tag Archives: information security blog

SQLite Database Browser

There is no doubt that the most popular post I have written so far is How FF store your passwords? Is it secure?  I believe the reason is there was not enough documentation 3 years ago about Firefox’s security mechanisms. At that time I couldn’t find something simple that can read/edit sqlite databases. Now I am going to write about SQLite Database browser; a freeware, public domain, open source visual tool used to create, design and edit database files compatible with SQLite.

You can go here and download it. After you download it, go to your firefox profile directory. How can you find it? Just open a new page and type about:support You will see the path of the directory next to the Profile Folder.

There are very good information stored in the profile folder such as bookmarks, passwords, search engine data etc…

You can now open SQLite Database Browser and click the directory icon in upper left and browse the file you want to open in the profile directory. Now you can have some fun with the ff databases and get more information about how ff store information.

How To Protect Yourself From Frauds

Cyber world is a dangerous place. Governments, and private industries become more and more aware of this danger in every single day. What about the citizen Joe and citizen Anna? Are they aware of the cyber threats? Do they know  how cyber threats can take all of their hard earned money they put into banking accounts? Or somebody  who is thousands of miles away from them can impersonate them and make their friends to send money to that person? There are great variety of frauds in cyber world. Most of them are around for more than ten years. Most of them use similar techniques with old traditional fraudsters use in the physical world.

There are number of sites that has very good information about prevention of frauds. One of them is this site. Just watch the videos on the site and you will get idea of how those frauds can waste people time and make their life miserable. Just watch the video below. We will cover frauds in detail later.

 

Detecting Rogue Virtual Machines On A Network

Introduction

Today our topic is detecting rogue virtual machines. Rogue virtual machines can pose huge threat to your organization. Even with your managed machines, you might have unauthorized virtual machines. There are some ways to keep the number of rogue vm’s very low on your network such as using software policy, restricting admin accounts for those only need them etc..

What if your employees install virtual machines without your knowledge. How can you detect those virtual machines?

Detecting “evil” at rest

If you can identify all virtual machines that sits on your network, then you can compare them with the authorized virtual machines. In this way you can find rogue virtual machines.

There are two ways you can identify virtual machines. One way is checking MAC address, other is checking running process.

First way: Checking MAC address of remote system

MAC addresses are unique to each device. If you can get a mac address of a device then you can tell what company is made the device. Since virtual machines uses their virtual network adapter to connect a network and this virtual adapters are unique to each company, we can determine if mac address belong to a virtual machine company.

So how can we get mac addresses of other computers on a network?

The answer is easy. We can ping each devices on the network and then check our arp tables.

OR we can use nmap.

nmap -sP 192.168.1.1/24
Starting Nmap 5.35DC1 ( http://nmap.org ) at 2011-03-17 22:35 EDT
Nmap scan report for 192.168.1.1
Host is up (0.018s latency).
MAC Address: 00:24:A1:17:44:CD (Motorola CHS)
Nmap scan report for 192.168.1.13
Host is up (0.000094s latency).
MAC Address: 00:26:BB:07:17:DD (Apple)
Nmap scan report for 192.168.1.11
Host is up (0.014s latency).
MAC Address: 00:1B:77:CD:FF:CD (Intel Corporate)
Nmap scan report for 192.168.1.13
Host is up.
Nmap done: 256 IP addresses (4 hosts up) scanned in 5.53 seconds

As you see nmap has predefined mac database so it can convert mac addresses to manufacturer’s name.

Second way: Checking Process Names

You can get mac address of the computers that sits on the same vlan/lan with you so first option is only good for you have only one lan. Moreover some virtual adapters can be on NAT mode so you cannot see their MAC address.  (On NAT mode they use same mac address with the physical machine.)

Each virtual machine software will have running processes. For example VM Fusion has vmware-vmx as running process on OSX. So you can login each machine to see if there is a running process related with a virtual machine software.

Nessus has a plugin for checking vm ware machines  by using this technique(http://blog.tenablesecurity.com/2007/04/i_was_speaking_.html) , you can write your own plugin to find other virtual instances.

The disadvantage of this method is you need to have admin credentials.

Summary

We can find rogue virtual machines on network by comparing all virtual machines with authorized virtual machines. We can identify all vms by using mac addresses or running processes. With the first method we can only identify virtual instances on the same LAN. With the second method we need to have admin credentials for the boxes we scan.

Update: Please check here for more info http://realinfosec.com/?p=678