Posts

Appsec Tutorial Series

OWASP attempts to make videos of presentations made by their members and at their conferences concerning application security whenever possible. The slides for most of these presentations are available, linked to the conference agendas. Episode 2 illustrates SQL Injection, discusses other injection attacks, covers basic fixes, and then recommends resources for further learning. Here are a couple of links on how to secure your SQL server: SQL Injection Prevention Cheat Sheet and XSS (Cross Site Scripting) Prevention Cheat Sheet.

The Social Engineering Toolkit: Creating Fake Web Sites to Own Boxes

The Linux distribution BackTrack 4 includes the Social Engineering Toolkit, otherwise known as SET. The homepage for SET is http://www.secmaniac.com/ and there is more useful information there. I am particularly impressed by the new Java applet function in SET, which allows the tester to effectively test how a targeted attack may succeed. Currently SET has two main methods of attack. The first uses Metasploit payloads and Java-based attacks by setting up a malicious website (you can clone whichever one you want) that ultimately delivers your payload. The second method is through file-format bugs and e-mail phishing. The second method supports your own open-mail relay, a customized sendmail open-relay, or Gmail integration to deliver your payloads through e-mail. To see this operation in action, click here. If you want to install it on your own machine, there will be a tutorial on how to set this up on Saturday.

Checking access to folder in a domain environment [Quick Tip]

Let's say you have limited access at a workplace and your manager wants to know if a user has access to something that they requested, and you don't have the proper access to check. Today I will show you how to check access when you have limited access. This example is set up in a virtual environment, from Windows 2003 Server to Windows XP. Tools: VirtualBox (free edition) running in the local environment; rdesktop (free); VMware (trial); Windows Server 2003 Enterprise Edition (student version, 180-day trial) running in a remote location. The picture above is a typical Windows Server login. It just shows that I am running a server OS. OK, let's move on. We are going to check on the user "DTSAdmin". At the command prompt type "net user DTSAdmin /domain" and it will gather a lot of good information from the server, as shown in the picture above. If you don't type the "/domain" syntax the computer is going to think that user name is at t...

[Solved] Fixed Channel: -1

The Problem: As you may notice when upgrading to Ubuntu 10.04 or Ubuntu 10.10, or when using the latest BackTrack 4, there is an issue with the latest kernel build, 2.6.35-35, which does not allow setting a specific channel and also does not allow packet injection with the Aircrack-ng suite. For a solution, please read the PDF. Title: Fixed Channel -1. File Name: Fixed Channel -1.pdf. File Type: PDF. File Size: 1.6 MB.

[ fixed channel mon0: -1 ] Issue

The new kernel 2.6.35-25 has issues when wireless cards are put into monitor mode. To check the current kernel version on your system, use the "uname -r" command, which displays the current kernel. For example, if you use airodump-ng it would say "fixed channel mon0: -1", as seen in the screenshot below. This Saturday I will show step by step how to solve the "fixed channel mon0: -1" issue. Why is this a big issue? It affects other applications that require monitor mode, such as Kismet, and it also means that when a user wants to do packet injection the card can't provide that function. In the tutorial for this Friday I will show you how to patch this problem with an Atheros wireless card. The following Linux distros have the 2.6.35-25 kernel: Ubuntu 10.04, Ubuntu 10.10, BackTrack 4 R4, and any other Linux distro that is kept up to date. If you're still using previous versions of Ubuntu or BackTrack then this does not affect you, but i...

Unfortunately hackers target small sites more than they do larger ones, and for good reason: smaller sites are usually not secured the way corporate sites are; smaller sites often don't have the resources to realize they have been exploited; and there are more smaller sites than large ones. If your site was hacked in a malicious manner you have two options. You can sit around and think back on all the ways you should have hardened your site against attacks, or you can start cleaning up the mess and get your site back on track. While I was attending college, one instructor said that if a hacker wants your information they will get it. There is no network that can be 100% secure because there is always a way to get into a network. You just need to know how you're going to bring your company's business web site back up, because time is money. Like what you're reading? Then download the PDF. Title: Repair a hacked web site. File Name: Repair a hacked web site.pdf. File Type: PDF ...

Optimize your internet connection

PC World has a great guide to tweaking the more advanced settings of your router to optimize it for VoIP and video, though the same rules can apply to any bandwidth-heavy activity like file sharing or video games. PC World also mentions a few settings we haven't touched on before, like using a DMZ, splitting your traffic between two wireless networks, wireless multimedia extensions, and wireless intelligent stream handling. All these settings basically perform the same task: they allocate more of your bandwidth to one important activity whenever it's going on, so all the other things you're doing don't suck it up and leave you with poor quality video chats. They also discuss where to find these settings on six of today's most popular routers, so even if you haven't delved into your router's settings too often, it should be easy enough to follow along. Hit the link to check out the guide. How to Optimize Your Router for VoIP...