• Follow us on Twitter
  • Subscribe to our RSS Feed
  • Search Site

  • Home
  • About
  • Contact

You are here: Jorge Orchilles / 2011 / March

Archive for month: March, 2011

Blackhat Europe 2011 Recap

Permalink
19 Mar 2011 / 0 Comments / in Security/by Jorge Orchilles

Blackhat Europe 2011 just wrapped up. If you weren’t able to make it (like me) then we must rely on the community to fill us in on what went down until Blackhat.com puts up the archives. I would like to share the write ups I found most useful:

  • Corelan.be Day 1
  • Rootshell.be Day 1
  • Corelan.be Day 2
  • Rootshell.be Day 2

I hope to make Blackhat and Defcon in the US this year. Let me know if you plan to as well.

Till next time,

Jorge Orchilles

Cross Platform Password Management

Permalink
17 Mar 2011 / 0 Comments / in IT, Security/by Jorge Orchilles

Every information security professional will tell you to use different passwords for every site. This is because if one site gets compromised and your password is cracked then the attacker can log into every site you use. The biggest complaint consumers have with using different passwords is remembering them all; now you don’t have to. Reading 59 Open Source Tools That Can Replace Popular Comercial Software, they suggest three Password Management solutions. Only one of these suggestions will work across different platforms (operating systems). If you are unfamiliar with password management please review the basics of password management. We will be discussing the desktop solution. I am not focusing on hosted/web solutions like LastPass as I do not trust a single site with all my passwords however here is a great write up by Steve Gibson as to why you should trust LastPass.

This post will focus on using a password management system across multiple operating systems: Windows, Mac OS X, and Linux. I will be using KeePassX for password management and DropBox for syncing across multiple devices. If you only use Windows you can use KeePass or Password Safe with DropBox, the process is similar.

First, create a DropBox account (free for 2GB), and install the application on your computers. They have support for Windows, Mac OS X, Linux, and smart phones.  Make sure to note where you placed the DropBox folder. Inside the DropBox folder, create another folder and call it “Safe” or whatever you want for your password file.

Next download KeePassX for the operating system being used. Extract the directory to your Applications directory. On Windows this is most likely C:\Program Files\KeePassX. Open KeePassX and select File-New. You will be creating the new database file. You can select to use a master password and/or a key file. I suggest always using a master password that is a very complex password (or phrase) that you do not use ANYWHERE else. Retype the password when prompted. Now before adding anything to the file, select Save. Choose the folder within the DropBox folder you created.

The basic setup is complete, now repeat the step on all your systems. Ensure you can open the KeePassX file on all your systems. You can only write to the file on one system at a time, so if you try to open the file that is already open it will prompt you to open as read only.

Once all your systems have Dropbox and KeePassX installed you are ready to start filling the database. Take this time to change your passwords on all your sites and ensuring you are using unique passwords on each web site.

Till next time,
Jorge Orchilles

Internet Explorer 9 Released

Permalink
16 Mar 2011 / 0 Comments / in IT/by Jorge Orchilles

I hope no one is still running Internet Explorer 6; if you are Microsoft has a countdown and awareness campaign to get you and your grandmother to upgrade. For those that are fairly up to date, be informed you are not because Microsoft released Internet Explorer 9 today. If you are feeling risky and are running Windows Vista or Windows 7 you can download Internet Explorer 9 from Microsoft’s official download site (not the millions of Google results for it’s download location). There are issues with certain sites so ensure you test this before deploying in production:

Microsoft also set up a domain dedicated to the new browser: www.beautyoftheweb.com. Unfortunately, that site isn’t hosted under the microsoft.com domain, nor does it have an SSL certificate to confirm that it belongs to Microsoft. Using this site to distribute the browser goes against the advice of downloading software only from known vendor websites. Copycat malicious sites claiming to distribute IE 9 will probably appear shortly, if they aren’t around yet.

Internet Explorer 9 includes a number of security improvements that make the upgrade worth your consideration. These include application reputation capabilities that are part of the SmartScreen feature thathelps protect the user against socially-engineered malware. The browser also supports the notion of Pinned Sites, which implements “secure launch” capabilities to safeguard users’ sessions with important websites. Internet Explorer 9 also improves its resistance to exploits by embracing support for DEP/NX, ASLR and SafeSEH memory protection capabilities. The new browser also improves the messages its users see when they download files and programs; the messages are designed to make it easier for the users to assess the risk of opening such files.


 

Till next time,

Jorge Orchilles

 

Making Twitter More Secure: HTTPS

Permalink
15 Mar 2011 / 0 Comments / in Security/by Jorge Orchilles

It seems the information security industry has finally convinced Twitter to enable HTTPS and provide an option to have it enabled always. Tools like FireSheep and multiple research has been pushing companies to force HTTPS all the time. Make sure to enable this especially fi you frequent public networks. Twitter has posted this blog post with instructions:

Today, we’re taking an important step to make it easier to manage the security of your Twitter experience – we are adding a user setting that lets you always use HTTPS when accessing Twitter.com. Using HTTPS for your favorite Internet services is particularly important when using them over unsecured WiFi connections.

For some time, users have been able to use Twitter via HTTPS by going tohttps://twitter.com. We’ve made it simpler for users to do this by adding the option to always use HTTPS.

To turn on HTTPS, go to your settings and check the box next to “Always use HTTPS,” which is at the bottom of the page. This will improve the security of your account and better protect your information if you’re using Twitter over an unsecured Internet connection, like a public WiFi network, where someone may be able to eavesdrop on your site activity. In the future, we hope to make HTTPS the default setting.

For sites that do not allow this option you can use the Firefox extension ForceTLS.

Page 1 of 212

Categories

  • IT
  • Mobile
  • Security
  • Videos
  • WP8

Latest Videos

  • BackTrack 4 R2 – Technical Workshop for South Florida ISSAFebruary 21, 2011, 10:52 pm
  • Virtual Machine Escape by NSA (video)February 16, 2011, 5:06 pm
  • Windows 7 Security VideoSeptember 21, 2009, 9:35 pm
Popular
  • Windows 7 and VMWare vSphere Client 4July 30, 2009, 5:03 am
  • SSL Renegotiation Denial of ServiceMarch 13, 2011, 9:40 am
  • BackTrack 4 R2 – Technical Workshop for South Florida...February 21, 2011, 10:52 pm
  • Windows 7 Security VideoSeptember 21, 2009, 9:35 pm
Recent
  • Missing Security Features in Windows Phone 8January 7, 2014, 11:14 am
  • WP8 App Security – Part 5 Capturing HTTP and HTTPS TrafficJanuary 3, 2014, 9:08 am
  • WP8 App Security – Part 4 Information GatheringJanuary 2, 2014, 12:34 pm
  • WP8 App Security – Part 3 XAP FileDecember 31, 2013, 11:29 am
Comments
  • […] testing a mobile app, a tester often wants to...January 3, 9:08 am by Jorge Orchilles | Missing Security Features in Windows Phone 8
  • […] three posts in this series were an introduction...December 31, 11:29 am by Jorge Orchilles | WP8 App Security – Part 4 Information Gathering
  • […] first three posts in this series were an introduction...December 30, 5:19 pm by Jorge Orchilles | WP8 App Security – Part 4 Information Gathering
  • […] first three posts in this series were an introduction...December 30, 2:52 pm by Jorge Orchilles | WP8 App Security – Part 4 Information Gathering
Tags
2008 3479 Action Center Apple AppLocker AT&T BackTrack BitLocker Blackhat Browser Chrome Denial of Service Emerging Threats Facebook Firefox HTTPS IE 8 IE9 Internet Explorer Keynote Management Microsoft Nessus nmap Passwords Penetration Testing Presentation Privacy R2 Security Service Pack 1 SP1 SSL SSL Renegotiation Talks U-Verse UAC Video Virtualization Vulnerability Assessment Windows 7 Windows Phone 8 Windows Server WP8 XP Mode

Archives

  • January 2014
  • December 2013
  • November 2013
  • August 2011
  • April 2011
  • March 2011
  • February 2011
  • October 2010
  • September 2010
  • August 2010
  • April 2010
  • March 2010
  • January 2010
  • November 2009
  • October 2009
  • September 2009
  • August 2009
  • July 2009
  • February 2009
739Follower

Search

© Copyright - Jorge Orchilles - Design by: hellodmcs
  • scroll to top
  • Follow us on Twitter
  • Subscribe to our RSS Feed