A Programmer explores the IT Security field; offering packets of useful information he picks up along the way.

Archive for the ‘Uncategorized’

VIP Access on your iPhone/iTouch

August 28, 2009 By: admin Category: Uncategorized No Comments →

Apologies for not writing in a while. I hope to make it up to you with this post and future posts, with, hopefully, much less than 5 months between them. I found a great little app for the iPhone/iPod touch that gives us home users multi-factor authentication with a cryptographically strong OTP (one-time password). Many of us have a similar device to log onto our corporate networks; I have an RSA token from work that spits out a new six-digit one-time code. The OTP adds an additional layer of security when logging onto a site on the net and makes brute-force attacks impossible. We discussed OTP in the post about Steve’s PPP authentication system.

This cute little app is offered by VIP (VeriSign Identity Protection) and is a free download for your iPhone or iPod touch. The app works with a bunch of popular sites, including eBay, Geico, PayPal and Merrill Lynch, amongst others. Most are financial sites and would be high-profile targets for hackers. It would be nice if Bank of America were there. When you download the app you will need to use a cell phone to activate it, which is quick and easy. Then you will need to register with those sites where you want to use the app. I registered with PayPal, which required the credential ID found in the VIP app. When I now use the PayPal site, I log in just as I used to with my static password (something I know) and am then prompted for my OTP (something I have), which is shown on my iPod touch screen during the current 30-second interval.

VIP Access App screenshot

As always, it’s a good idea to have your iPhone/iTouch locked with a passcode in case you lose your device, and all the more so if you use the VIP Access app. Yes, someone trying to gain access to your account would still need the static password only you know, but it’s all about layers in security and how paranoid you want to be. Overall this is a great little app that adds industrial-strength authentication for us non-corporate users; hopefully we’ll see more companies where this form of authentication can be used.
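To make the "something I have" layer concrete, here is an added example (not code from the post, and not VeriSign's own implementation, whose algorithm the post does not describe) that implements the standard time-based one-time password scheme of RFC 4226/6238 in Python: the device and the site share a secret, the counter is the number of 30-second intervals since the Unix epoch, and the site-side verifier tolerates one interval of clock drift while refusing to accept any interval's code a second time. The secret used is the RFC test secret, not a real credential.

```python
import hashlib
import hmac
import struct
import time

# RFC 4226 / RFC 6238 test secret (the ASCII string "12345678901234567890"); a real
# credential would be a random secret provisioned to the device during activation.
TEST_SECRET = b"12345678901234567890"


def hotp(secret, counter, digits=6):
    """RFC 4226 HOTP: HMAC-SHA1 over the 8-byte big-endian counter, then dynamic truncation."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def totp(secret, at=None, step=30, digits=6):
    """RFC 6238 TOTP: the HOTP counter is the number of `step`-second intervals since
    the epoch, which is why the code on the device changes every 30 seconds."""
    if at is None:
        at = int(time.time())
    return hotp(secret, at // step, digits)


class TotpVerifier:
    """The site's side of the exchange: check a submitted code against the current
    interval (plus one interval either side for clock drift) and never accept the
    same interval twice, so an observed code cannot be replayed even within its
    30 seconds."""

    def __init__(self, secret, step=30, digits=6, drift=1):
        self.secret = secret
        self.step = step
        self.digits = digits
        self.drift = drift
        self._last_accepted = -1  # highest counter value already consumed

    def verify(self, code, at=None):
        if at is None:
            at = int(time.time())
        current = at // self.step
        for delta in range(-self.drift, self.drift + 1):
            counter = current + delta
            if counter <= self._last_accepted:
                continue  # this interval's code was already used: reject the replay
            expected = hotp(self.secret, counter, self.digits)
            if hmac.compare_digest(expected, code):
                self._last_accepted = counter
                return True
        return False


if __name__ == "__main__":
    # Stand-alone demo: the current code is accepted once; the replay is refused.
    verifier = TotpVerifier(TEST_SECRET)
    now = int(time.time())
    code = totp(TEST_SECRET, at=now)
    print("current code:", code)
    print("first use accepted:", verifier.verify(code, at=now))
    print("replay accepted:", verifier.verify(code, at=now))
```

The verifier compares with `hmac.compare_digest` so that checking a wrong code takes the same time as checking a right one, and it remembers the last accepted counter rather than the last code, which is what makes the password genuinely one-time within its interval.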

5 Tips to Secure Your Web App

December 05, 2008 By: admin Category: Uncategorized No Comments →

Given the increased shift from packaged software to cloud computing, a growing number of applications are web-based. Both the software-as-a-service business model and the real-time distribution model make web apps the ideal platform for new projects. While web distribution has a number of upsides, in order to effectively scale applications it’s crucial to implement best practices to safeguard data. Any database or code that lives in a cloud is potentially vulnerable to attack. We consulted with leading web application security specialists for their top security tips:

Understand the Potential Sources of Vulnerability
Many developers assume that all attacks will come from outside the network firewall, but this leaves open the potential for an attack from inside. Make sure that all data is guarded from unauthorized access by several layers of security, ensuring that lower-level employees, and others who might work in the office, do not have access to valuable code and data. Internal attacks can come in many forms, all of which can be avoided by working to secure all levels of the application.

Utilize Multiple Layers of Security for Your Application
Oftentimes, IT professionals will rely solely upon an external firewall to protect a web application. To truly get a high level of security, however, one must cover all the bases. In practice, this means having an effective network virus scanner that operates in real time as well as a comprehensive network traffic tool to keep up with data movement across the network and potential breaches.

Integrate Security Concerns Into Your Development Cycle
When planning out the stages of development, whether you work on an agile process or a standard model, you’ll need to consider the security implications of each part of your application. Starting from the earliest conversations about requirements and design all the way to the final testing phase, security concerns should be at the forefront of your thought process from the very beginning. In particular, security testing should be as important as usability testing.

Be aware of the security implications of your coding conventions
Even simple coding conventions such as file locations can have large implications for the security of a given file. While you attempt to create a stable code base by integrating standard practices such as basic password protection, make sure that you block all routes to sensitive files, not just the standard ones.

Test for major, known sources of hacking
While there will always be unknown vulnerabilities that will require major testing and upgrades, you should always protect against the well-known, major holes that often arise in web applications. In particular, design your application to withstand SQL injection, remote code calls and format string weaknesses, as well as XSS (Cross-Site Scripting).
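Two of the holes named in the last tip, SQL injection and XSS, come down to the same mistake: untrusted input is pasted into text (a SQL statement, an HTML page) that is later parsed. The following is an added example, not code from the post or from any of the specialists it quotes; it uses Python's built-in sqlite3 module and a constructed in-memory table, and shows the vulnerable form of each lookup beside the hardened form so that the difference can be tested directly.

```python
import html
import sqlite3


def make_db():
    # Constructed in-memory table for this example only.
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE accounts (username TEXT, email TEXT, is_admin INTEGER)")
    conn.executemany(
        "INSERT INTO accounts VALUES (?, ?, ?)",
        [("alice", "alice@example.com", 1), ("bob", "bob@example.com", 0)],
    )
    return conn


def find_account_vulnerable(conn, username):
    # Vulnerable: the user-supplied value is spliced into the SQL text, so a quote
    # character in it changes the structure of the statement instead of being data.
    sql = "SELECT username, email FROM accounts WHERE username = '%s'" % username
    return conn.execute(sql).fetchall()


def find_account_safe(conn, username):
    # Hardened: a bound parameter travels to the driver separately from the SQL
    # text and is always treated as a value, never as part of the statement.
    sql = "SELECT username, email FROM accounts WHERE username = ?"
    return conn.execute(sql, (username,)).fetchall()


def render_profile_vulnerable(username):
    # Vulnerable: markup in the username becomes markup in the page (XSS).
    return "<h1>Profile of %s</h1>" % username


def render_profile_safe(username):
    # Hardened: escape for the HTML context so <, >, &, and quotes stay text.
    return "<h1>Profile of %s</h1>" % html.escape(username, quote=True)


if __name__ == "__main__":
    conn = make_db()
    probe = "' OR '1'='1"          # classic tautology probe used in testing
    print("vulnerable:", find_account_vulnerable(conn, probe))  # every row leaks
    print("safe:      ", find_account_safe(conn, probe))        # no such user
    print(render_profile_vulnerable("<b>bob</b>"))
    print(render_profile_safe("<b>bob</b>"))
```

The same pattern applies to the other weaknesses the tip lists: keep the data out of the code path, whether that code path is SQL, HTML, a format string or a command line.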

This post was written by Maya Richard, who primarily writes about high speed internet deals. She can be reached with feedback by combining her name and gmail.com.

301 Redirects Explained

June 18, 2008 By: Ron Category: SEO, Uncategorized No Comments →

Wrote a guest post about “301 redirects” on my buddy Shimon Sandler’s blog. Shimon is very well known in the SEO community and his blog has 1000+ subscribers. It is a great resource.

Thanks, Shimon, for giving me the opportunity to share a post with your readers.

Living in the present

August 31, 2007 By: admin Category: Uncategorized No Comments →

I read a nice post on “Securitycatalyst.com” that made me stop and think. We really need to appreciate the here and now. Sometimes I’ll look at my kids; they understand what it means to live life in the present moment. There is so much going on in our heads, so many thoughts. Do you ever stop to reboot? Clean out the cache? I like to sit quietly sometimes and just follow my breath; if a thought comes in I let it pass gently. This little meditation can be very relaxing. I’m a firm believer that this type of practice on a daily basis is especially essential in today’s high-tech world. As security folk, we also have to appreciate what we have. There are so many things to be grateful for. Let’s stop, think and thank on this long Labor Day weekend. Thank you Security Catalyst for the nice post.

Netstat command

July 24, 2007 By: admin Category: Uncategorized No Comments →

The netstat command is a very handy command available on all operating systems. When invoked, netstat shows the network connections made by your computer, the ports used, and the status of those connections. It will also show you which services are open and waiting for connections. This knowledge can help in ascertaining whether your system is vulnerable to attack.

To understand this we need a quick and dirty definition of ports. A port is a “logical connection place” on your computer where a network connection is made. As I’m writing this blog in my browser, my computer has established a TCP/IP connection to Google’s machine on port 80. Simplistically, ports are like windows into your computer that can be closed or opened; knowing which windows are OK to be open and which should be closed can make your system more secure.

OK. Let’s see the connection to Google that is established so I can write this blog. In the command prompt I typed ‘netstat’.

As you can see, the last line shows a TCP connection: the local address shows the outbound port; next you have the foreign address, where you see Google’s host information, separated by a colon from the port, shown as http (80); and last you have the state of this connection, which in my case is ESTABLISHED. If a connection is established, the line represents a socket, that is, an endpoint for communication between two machines.


There can be different states for each connection, or for a potential connection if it’s listening.

ESTABLISHED – a connection has been made; the TCP three-way handshake has taken place.
LISTENING – a port on your computer is listening for incoming traffic.
TIME_WAIT – occurs at the end of an established connection; before the connection is torn down it waits for any packets that didn’t make it across. This is done so as not to confuse things if a new connection gets established.
SYN_RECEIVED – unlikely to see this, since it happens so quickly; it’s part of the three-way handshake that happens when a connection is being set up.
SYN_SENT – unlikely to see this too, as it’s part of the three-way handshake when a connection is being set up.

It is important to note that if you see a line in netstat showing LISTENING, it means that you have a port on your computer waiting for incoming traffic. No, don’t get all freaked out: “does that mean someone can hack into my computer and take control of it?” No, it does not. Most people today have routers that sit between their computers and the Internet. If someone wanted to make a connection to, say, some port that I found was in a listening state, they would not be able to. The router acts as a firewall for all inbound traffic (also called ingress filtering; I hope to discuss this further in a new post). So, if you have a specific port in a listening state, try to find out what application/process is using it and then Google the “exe” file. Now you will know whether this process should, in fact, be listening for incoming requests or whether it’s a Trojan.


Netstat can be passed a bunch of different parameters depending on what you’re looking to do.

Here is a really great feature: ‘netstat -b’ will show you the actual process that is using the connection. Back to me writing this blog: the process that made the connection would be my browser, and you can see below that iexplore.exe shows underneath the connection line. So, if you see a connection made that you’re not sure about, use the -b parameter and you can see the process. If you see an .exe file you haven’t heard of, type it into Google to see whether it’s something safe; perhaps it’s malware on your computer, and if that’s the case, back up your important files and reinstall your operating system.


It’s important to remember that when you issue the netstat command it gives you a snapshot of what is happening right then. You can pass an interval so that it keeps running. There is a really great, free program worth checking out called TCPView. This is a Windows GUI version of netstat, and it updates in real time. And just in case you need it to figure out why your mom’s Internet connection is slow, netstat is always available on all operating systems; just fire it up; there is no need to install anything.
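The checks the post walks through by eye (which states appear, which ports are LISTENING on a non-loopback address, which process owns each socket, and what changed between one snapshot and the next) are easy to automate. The following is an added example, not code from the post: a small Python parser for the layout that Windows ‘netstat -b’ prints, run over two constructed snapshots (the addresses and process names are made up for the example, not captured from a real machine).

```python
from collections import Counter

# Constructed snapshot in the layout Windows "netstat -b" prints: each connection
# line is optionally followed by the owning process in brackets. Not real output.
SNAPSHOT_BEFORE = """\
Active Connections

  Proto  Local Address          Foreign Address        State
  TCP    192.168.1.5:1045       64.233.167.99:http     ESTABLISHED
 [iexplore.exe]
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING
 [svchost.exe]
  TCP    127.0.0.1:1034         0.0.0.0:0              LISTENING
 [localapp.exe]
  TCP    192.168.1.5:1050       192.168.1.5:1051       TIME_WAIT
  UDP    0.0.0.0:445            *:*
"""

# Same machine a little later: one new listener has appeared on every interface.
SNAPSHOT_AFTER = SNAPSHOT_BEFORE + """\
  TCP    0.0.0.0:5000           0.0.0.0:0              LISTENING
 [unknownthing.exe]
"""


def parse_netstat(text):
    """Turn netstat text into a list of dicts, attaching the -b owner line to the
    connection printed just before it."""
    conns = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.startswith("[") and line.endswith("]") and conns:
            conns[-1]["process"] = line[1:-1]  # owner line printed by -b
            continue
        parts = line.split()
        if parts[0] not in ("TCP", "UDP"):
            continue  # banner and column-header lines
        local_addr, local_port = parts[1].rsplit(":", 1)
        foreign_addr, foreign_port = parts[2].rsplit(":", 1)
        conns.append({
            "proto": parts[0],
            "local_addr": local_addr, "local_port": local_port,
            "foreign_addr": foreign_addr, "foreign_port": foreign_port,
            "state": parts[3] if len(parts) > 3 else "",  # UDP lines have no state
            "process": "",
        })
    return conns


def state_counts(conns):
    """How many sockets are in each state (ESTABLISHED, LISTENING, TIME_WAIT, ...)."""
    return Counter(c["state"] for c in conns if c["state"])


def exposed_listeners(conns):
    """Listening sockets bound to something other than loopback: these are the
    'open windows' the post says to identify, subject to the router in front."""
    return sorted((c["local_port"], c["process"]) for c in conns
                  if c["state"] == "LISTENING" and not c["local_addr"].startswith("127."))


def new_listeners(before_text, after_text):
    """Ports that are exposed in the later snapshot but were not in the earlier one."""
    before = set(exposed_listeners(parse_netstat(before_text)))
    after = set(exposed_listeners(parse_netstat(after_text)))
    return sorted(after - before)


if __name__ == "__main__":
    conns = parse_netstat(SNAPSHOT_BEFORE)
    print("states:", dict(state_counts(conns)))
    print("exposed listeners:", exposed_listeners(conns))
    print("new since last snapshot:", new_listeners(SNAPSHOT_BEFORE, SNAPSHOT_AFTER))
```

On a real machine you would feed the parser the captured output of ‘netstat -b’ (which needs an elevated prompt on newer Windows versions) instead of the constructed strings; because a single run is only a snapshot, comparing two runs is what turns the listing into an alert.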

Nmap Reconnaissance

July 09, 2007 By: admin Category: Uncategorized 1 Comment →

Nmap is a free, popular port-scanning security tool, used by good and bad hackers alike.
For someone breaking into a network, this tool is used to gather as much information about the network as possible, mapping it out, or, as it’s called, fingerprinting the target. On the other side, the good guys use Nmap internally to determine if there are any unauthorized services running on their network. This tool kind of levels the playing field, so to speak.

I downloaded the free tool at home and was playing around with it on my internal network. As a caveat, scan only your own hosts or networks you have been given permission to scan. Unauthorized scanning of a host with the intent of breaking in may be unlawful; one should keep this in mind when using this tool.

There are two ways of scanning using Nmap: regular TCP connect scanning and stealth scanning.
Without going into the geeky details of TCP/IP, stealth scanning attempts to determine whether a port is open on the target system by soliciting a SYN/ACK and not completing the 3-way handshake, going in under the radar. However, even this type of scanning is now logged by modern firewalls and IDS (Intrusion Detection Systems).

The TCP connect mode actually completes the 3-way handshake. The downside for a hacker is that most servers log connections, including the source IP address, and the IDS may be tripped; these are things a hacker would like to avoid while fingerprinting a network.

Here are some basic Nmap commands to get started.

TCP connect scanning:
# nmap -sT 192.168.1.2

Syn/Stealth scan.
# nmap -sS 192.168.1.2
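The post makes the defender’s point that a SYN scan, which never completes the handshake, is nonetheless logged by modern firewalls and IDS. Here is an added example, not code from the post or from the Nmap project, of the kind of detection logic that turns those logs into an alert: it reads per-packet records, drops the SYNs that later completed into a connection, and flags a source that touched many distinct ports on the same host within a short window. The log format and all addresses are constructed for the example.

```python
import re
from collections import defaultdict

# Constructed record format for this example (one line per event, epoch seconds):
#   <ts> SYN src=<ip> dst=<ip> dport=<port>   a TCP SYN seen at the perimeter
#   <ts> EST src=<ip> dst=<ip> dport=<port>   the handshake for that flow completed
LINE_RE = re.compile(
    r"^(?P<ts>\d+) (?P<kind>SYN|EST) src=(?P<src>\S+) dst=(?P<dst>\S+) dport=(?P<dport>\d+)$"
)


def build_sample():
    """Constructed sample log: a normal browser session, a twelve-port sweep from one
    host that never completes a handshake, and a slow, legitimate admin."""
    lines = [
        "1183975200 SYN src=192.168.1.20 dst=192.168.1.2 dport=80",
        "1183975200 EST src=192.168.1.20 dst=192.168.1.2 dport=80",
    ]
    for i, port in enumerate(range(20, 32)):
        lines.append("%d SYN src=192.168.1.9 dst=192.168.1.2 dport=%d" % (1183975205 + i // 6, port))
    lines.append("1183975300 SYN src=192.168.1.30 dst=192.168.1.2 dport=22")
    lines.append("1183978900 SYN src=192.168.1.30 dst=192.168.1.2 dport=443")
    return lines


def detect_scans(lines, window=60, min_ports=10):
    """Return {source: [ports]} for every source that sent SYNs to at least
    `min_ports` distinct ports within `window` seconds without any of those flows
    reaching ESTABLISHED. Lines in another format are ignored."""
    syns = defaultdict(list)  # src -> [(ts, dport)]
    completed = set()         # (src, dport) pairs whose handshake finished
    for line in lines:
        m = LINE_RE.match(line)
        if not m:
            continue
        if m["kind"] == "EST":
            completed.add((m["src"], int(m["dport"])))
        else:
            syns[m["src"]].append((int(m["ts"]), int(m["dport"])))

    flagged = {}
    for src, events in syns.items():
        # Half-open probes only: a SYN that became a real connection is not a probe.
        events = sorted(e for e in events if (src, e[1]) not in completed)
        for i, (t0, _) in enumerate(events):
            ports = {p for t, p in events[i:] if t - t0 <= window}
            if len(ports) >= min_ports:
                flagged[src] = sorted(ports)
                break
    return flagged


if __name__ == "__main__":
    for src, ports in detect_scans(build_sample()).items():
        print("possible port scan from %s: %d ports (%s..%s)" % (src, len(ports), ports[0], ports[-1]))
```

The threshold and window are the tuning knobs: the admin who checks two services an hour apart is not flagged at the defaults, and lowering the port threshold without widening the window still leaves that host alone, which is the behaviour a noisy IDS rule usually gets wrong.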

Defend I.T.: Security by Example

June 30, 2007 By: admin Category: Uncategorized No Comments →

I wanted to share my first infosec book review on amazon I wrote back in August of ‘06.

“Defend I.T.: Security by Example” is one of my first reads on IT security. I am currently a programmer, looking to get into the information security field.

This book has successfully turned my interest in IT security into intrigue. Each chapter is a different real-life case study, with techniques used and lessons learned. Coming from a technical background, I appreciated the technical depth that the authors delve into. From the get-go in Chapter 1, the authors present a tutorial on the popular scanning tool called Nmap, which is fascinating. The network diagrams throughout the book were very helpful in explaining to the reader difficult concepts such as Distributed Denial-of-Service attacks and ingress and egress filtering.

“Defend I.T.: Security by Example” introduced me to many new concepts including IDS, ingress, egress, DMZ, SSO, zombies, firewalls, VPNs, PKI, and DoS attacks, just to name a few. Overall, this book is very informative and well-written.

I highly recommend this book as a great addition to your IT Security library.

My First Posting

June 27, 2007 By: admin Category: Uncategorized 2 Comments →

Wow, this is exciting! I recently got my Google Reader all set up with a bunch of different feeds from bloggers, news, etc. On a whim I decided to start my own blog. I feel like writing a blog can help my writing skills and help me express my thoughts and ideas, and at the same time provide others with information that I hope will be informative. I’m totally intrigued by the information security world and hope to some day work in the field. To be proactive I started studying for the CISSP. I hope to share some of the things I learned that I find interesting. Please post your comments.