Attack Surface Analyzer

Can someone give advice on the "Attack Surface Analyzer" release?

Hi William,

Thanks for posting your query on Microsoft Community and for your interest in Attack Surface Analyzer.

I suggest you ask your question in the TechNet Forums, where the support technicians are well equipped with knowledge of Attack Surface Analyzer issues.
https://social.technet.Microsoft.com/forums/en-us/home?Forum=WinPreview2014General%2CWinPreview2015Phone&filter=AllTypes&sort=lastpostdesc

Please do not hesitate to contact us if you are having problems with Windows.

Thank you.

Tags: Windows

Similar Questions

  • Satellite A100-049: programs keep saying that I have no rights

    I am the only user on this laptop (A100-049), using Windows Vista.
    Some programs that want to write files to the root or to the Program Files directory, and also when I want to delete some files that I created, all of a sudden tell me I can't do this because I don't have sufficient rights.

    I was under the impression that as the only user I was automatically in the Administrators group, which I keep reading gives me all rights to the files.
    This doesn't seem to be the case for me; can anyone help please? I found by trial and error that if I go into the properties of a file, select the Security tab and then "Remove properties and personal information", I can delete the file, but I have to do this for each file.
    Thank you very much in advance for any response.

    I think that happens because of the new Vista feature called UAC (User Account Control).

    Microsoft provides this info on UAC:
    The main goal of User Account Control is to reduce the exposure and attack surface of the operating system by requiring that all users run in standard user mode. This limitation minimizes the ability of users to make changes that could destabilize their computers or inadvertently expose the network to viruses through undetected malware that has infected their computer.
    With User Account Control, computer administrators can run most applications, components and processes with limited privilege, but have "elevation potential" for specific administrative tasks and application functions.

    http://TechNet.Microsoft.com/en-us/windowsvista/aa906021.aspx

    On this Microsoft page you can find useful information on how to handle User Account Control:
    for example how to disable Admin Approval Mode, how to mark an application to always run elevated, etc.
    http://technet2.Microsoft.com/windowsvista/en/library/0d75f774-8514-4c9e-AC08-4c21f5c6c2d91033.mspx?mfr=true

    If you want, you can completely disable this feature!
    Google a bit and you should find useful sources ;)

  • My computer is connected to multiple networks; is that better?

    If so, how? I couldn't notice anything different.
    As you can see in the attached image, I am currently connected to the Internet through Ethernet and also with my iPhone, and I can also connect a wireless USB card and get another network.

    Not usually; it will not normally make a difference for you. Only the 'best' current connection will be used to load a web site, for example, so you get no increase in speed. In addition, it widens your attack surface for hacking, so I recommend against it: simply use the connections that you need.

  • Mini Data Center design

    Hello

    I have a few doubts about the best solution for the design of a mini data center.

    In the data center there is a 6500 with an FWSM module installed, and a few VLANs have been created, each of them on the FWSM module. For example, a back-end server that needs to communicate with a front-end server must always go through the firewall. My question is, don't these flows through the firewall reduce communication speed?

    What is the best practice: only pass the communications with the WAN through the firewall, and set up the VLAN communication between front-end and back-end only on the 6500?

    Thank you

    Security is a subject with many facets. How far you can lock things down depends in part on what functionality the application needs in order to work.

    If the database servers do not need the Internet, just keep them on an internal-only VLAN and do not allow it to be routed, even for requests initiated internally. If the database servers do need to talk to the Internet (why this is really necessary would be a good question to ask; could a bastion host be used instead?), then lock down the rules in the FWSM with an access list that allows only the addresses and ports necessary for the minimum required service to work.

    In any scenario, you should scan your servers (for example with Nessus) and harden them to reduce their exposed attack surface. Additional measures could include things like Tripwire on the servers to lock them down further. Auditing system access, and actually looking at the logs, also helps. Tools such as iptables on Linux or Windows Firewall on Windows servers should be leveraged to allow only the communications in and out of the box that are necessary for it to perform its designated function.

  • Unable to SSH

    We configured NLB (active/active) on two ASAs. After connecting with the Cisco VPN client, we can only SSH to the ASA that we connected to, and we can't SSH to the other ASA. For example, if we connect to ASA1, we can only SSH to ASA1 and we can't SSH to ASA2. The same is true if we connect to ASA2: we can only SSH to ASA2 and we can't SSH to ASA1. Is it possible to set it up so that we can SSH to either ASA regardless of which ASA we connected to?

    ssh 0.0.0.0 0.0.0.0 inside
    ssh timeout 5
    ssh version 2

    management-access inside

    Thank you.

    Diane

    Diane,

    The difference you see is that the ASA is a firewall first and a VPN product second. VPN concentrators just do VPN and don't worry about routing, switching, or firewalls. Many people consider this not a good thing, because it increases the attack surface of the ASA. However, Cisco has allowed ASA management this way: what you are doing is a reverse-tunnel hairpin to manage the ASA. It doesn't extend to the other ASA and was never really intended to. From a security point of view, the best solution is a management server.

    To configure the management server, you just need a Windows/Linux/Apple machine (whatever you are comfortable with) configured to allow remote sessions. You can do this on the Windows platform with VNC or Remote Desktop; if you use Linux or Apple, both have solutions. Once you have your platform, just install a terminal emulator such as PuTTY or SecureCRT and you will have access to your systems. If you use ASDM to configure your ASA, you just need a supported web browser on the management server, and then open a connection to your ASAs.

    This method gives you the following:

    1.) Limited access, because people will need to have an account on the management server to access the administration tools.

    2.) Accountability, since the event log on the management server will show who logged in and when. You can even go so far as to install controls on what a person can access.

    3.) Limited attack surface. Once you have configured your management workstation, configure an ACL on your ASAs that limits any SSH, HTTPS, etc. connections to the management station. With that done, you only have to worry about who has access to this workstation.

    I hope this helps. I didn't want to flood you, but wanted to give you the reasoning behind going in this direction over the method used by the VPN concentrators. Let me know if you have any other questions.

  • Flash Player 17.0.0.188 does not work in a Citrix virtual environment

    Hello Forum,

    I am a support analyst for a company that uses Flash as a core application.

    Flash 17.0.0.188 is installed on an image in the Citrix environment that uses folder redirection.

    Flash Player 16.x works fine, but when we upgrade to 17.0.0.188 the *.sol files are not written to the /AppData/Roaming... directory.

    There are some security fixes in version 17.0.0.188, and I wonder if the security hardening in version 17.0.0.188 is causing these files not to be written.

    Citrix XenApp 6.5 environment, image = Windows 7, AD authentication, user has read/write rights.

    Any help would be greatly appreciated.

    Flash Player cannot write or read local shared objects in the user's redirected directory because we disallow crossing junctions (soft links, for non-Microsoft people) in the broker process. This behavior was disabled to address a vulnerability identified in some of James Forshaw's research into the IE broker earlier in the year.

    If you don't want to change your infrastructure, you can re-enable this behavior by adding the following parameter to mms.cfg:

    EnableInsecureJunctionBehavior=1

    That said, you can probably gather from the name of the flag that we don't really recommend this approach, and that this attack surface is disabled by default. There is a risk that an attacker on the network could create content that abuses fundamental issues with how Windows manages junction points to write to arbitrary locations.

    More information about Junction Points can be found here:

    https://support.Microsoft.com/en-us/KB/205524

    Junction Points (Windows)

    If you are going to live with this attack surface, it is probably worth your time to look at James Forshaw's talk on IE sandbox escapes, which brought about these changes:

    Digging for IE11 Sandbox Escapes part 1 - YouTube

  • XenApp 6.5 W2008 R2 SP1 - Flash Player IE 9 17.0.0.188 Citrix app

    Hello (I apologize for my poor English),

    Since this update, it seems that Flash Player 17.0.0.188 and 18.0.0.160 do not work with a redirected AppData folder.

    For example:

    If I redirect my AppData folder to something like \\domain.name\username\appdata then a few features do not work.

    But if I change the AppData folder to the local C:\users\username\appdata\roaming, the features work!

    We do not use HDX MediaStream.

    Is this a problem with a Microsoft or an Adobe update?

    Thanks for any help.

    Flash Player does not cross a Windows junction point to get to the user's redirected home directory, because junction points can potentially be abused by attackers to gain arbitrary file writes. The workaround that you identified is probably the best option.

    You *can* choose to live with this attack surface and restore the previous, insecure behavior; however, we do not recommend it, and this behavior is disabled by default for all users.

    To revert to the insecure behavior, add the following to your mms.cfg:

    EnableInsecureJunctionBehavior=1

    If you decide to go this route, you may want to check out James Forshaw's talk on IE sandbox escapes so that you fully understand the implications of this decision before deployment.

    Digging for IE11 Sandbox Escapes part 1 - YouTube

  • How to close TCP 443 and 902? (WS 9.0.1 on a Linux host)

    When hosted on Linux (Ubuntu 12.04), VMware Workstation 9.0.1 listens on TCP ports 443 and 902 on all network interfaces (0.0.0.0). This happens as soon as the host operating system has finished booting, even if you do not launch the VMware GUI or run any virtual machine guests.

    This creates a potential attack surface on a machine that may be used on hostile networks and normally has no open TCP ports listening.

    Can these two listeners safely be stopped?

    Or can we reconfigure these listeners to bind only to the loopback address (127.0.0.1)?

    Of course, we could solve this problem by enabling the Linux firewall on the host computer, but this seems to be using a sledgehammer to crack a nut! There is no reason for VMware Workstation to bind to anything other than the loopback address, so it would be easier if there were a change to the VMware startup scripts to solve the problem at the source.

    Thanks for any pointers!

    -Martin.

    vmware-authdlau 1419 root 8u IPv4 12139 0t0 TCP *:902 (LISTEN)

    spend-worker 1732 root 27u IPv4 8818 0t0 TCP *:https (LISTEN)
    spend-worker 1732 root 32u IPv4 8822 0t0 TCP localhost:8307 (LISTEN)

    I have not, but if you do not use shared virtual machines then I see no harm in commenting out the entries above. It wouldn't break anything permanently, and you can certainly easily uncomment them if/when necessary.
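The question above is really "which of my listeners are reachable from the network?" The following is an added example, not code from the thread or from VMware: it parses `lsof -i TCP -s TCP:LISTEN` output of the kind pasted above and separates sockets bound to a loopback address from sockets bound to `*` (all interfaces) or a routable address. The sample output is constructed (process names, PIDs and the `cupsd`/`sshd` lines are illustrative, not from the poster's host), and the service-name table is an assumed subset of /etc/services, since lsof prints names such as `https` unless run with `-P`.

```python
"""Classify TCP listeners by network exposure from lsof LISTEN output.

A listener bound to a loopback address is reachable only from the host itself;
anything bound to "*" (all interfaces) or to a routable address is exposed to
whatever network the machine is plugged into.
"""
import re
from dataclasses import dataclass
from typing import List, Tuple

# Constructed sample in lsof's default (name-resolving) format, modelled on the
# lines in the post above. Process names and numbers are illustrative only.
SAMPLE_LSOF = """\
COMMAND           PID USER   FD   TYPE DEVICE SIZE/OFF NODE NAME
vmware-authdlau  1419 root    8u  IPv4  12139      0t0  TCP *:902 (LISTEN)
vm-worker        1732 root   27u  IPv4   8818      0t0  TCP *:https (LISTEN)
vm-worker        1732 root   32u  IPv4   8822      0t0  TCP localhost:8307 (LISTEN)
cupsd             980 root    6u  IPv6   6543      0t0  TCP [::1]:ipp (LISTEN)
sshd              901 root    3u  IPv4   7001      0t0  TCP 127.0.0.1:22 (LISTEN)
"""

# Assumed subset of /etc/services: lsof prints service names unless given -P.
SERVICE_PORTS = {"http": 80, "https": 443, "ssh": 22, "ipp": 631}

# Addresses only the local host can reach.
LOOPBACK = {"localhost", "127.0.0.1", "[::1]", "ip6-localhost"}

# COMMAND PID USER FD TYPE DEVICE SIZE/OFF TCP addr:port (LISTEN)
LINE_RE = re.compile(
    r"^(?P<cmd>\S+)\s+(?P<pid>\d+)\s+(?P<user>\S+)\s+\S+\s+(?P<fam>IPv[46])\s+"
    r"\S+\s+\S+\s+TCP\s+(?P<addr>.+):(?P<port>[^:\s]+)\s+\(LISTEN\)$"
)


@dataclass
class Listener:
    command: str
    pid: int
    user: str
    family: str
    address: str
    port: int

    @property
    def exposed(self) -> bool:
        """True when the socket accepts connections from other hosts."""
        return self.address not in LOOPBACK


def port_number(token: str) -> int:
    """Turn lsof's port field (digits or a service name) into an integer."""
    if token.isdigit():
        return int(token)
    if token in SERVICE_PORTS:
        return SERVICE_PORTS[token]
    raise ValueError(f"unknown service name {token!r}; rerun lsof with -P")


def parse_listeners(text: str) -> List[Listener]:
    """Parse LISTEN lines; the header and non-matching lines are skipped."""
    found = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        found.append(Listener(m["cmd"], int(m["pid"]), m["user"], m["fam"],
                              m["addr"], port_number(m["port"])))
    return found


def exposed_listeners(text: str) -> List[Tuple[str, int]]:
    """(command, port) for every listener reachable from the network."""
    return [(lst.command, lst.port) for lst in parse_listeners(text) if lst.exposed]


if __name__ == "__main__":
    for lst in parse_listeners(SAMPLE_LSOF):
        tag = "EXPOSED" if lst.exposed else "local  "
        print(f"{tag} {lst.family} {lst.address}:{lst.port:<5} "
              f"{lst.command} (pid {lst.pid}, {lst.user})")
```

Run against real output with `lsof -i TCP -s TCP:LISTEN | python3 listeners.py` after replacing `SAMPLE_LSOF` with `sys.stdin.read()`; on the poster's host the two wildcard binds (902 and https/443) come out as EXPOSED and the 8307 localhost bind does not, which is exactly the split the question is asking about.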

  • Security and vulnerabilities

    Hi all,

    11g

    We have a very highly confidential environment.

    "BA" (does this mean business audit?) ran a Design Checker tool that displays security vulnerabilities in our systems.

    One of the outputs listed is "http". The auditor suggested disabling or denying HTTP services because it is hackable. Is this true?

    If HTTP is not allowed, what will happen to our (EM) dbconsole, Database Vault and our ASO - TDE (Advanced Security Option: Transparent Data Encryption)?

    Are there ways to manage or run them from the CLI? Can you share your security implementation for these tools?

    Thank you very much

    zxy

    HTTPS means that the data that is sent is encrypted. However, it is quite unlikely that the auditor is concerned about someone sniffing the EM HTTP traffic. It is much more likely that the auditor is concerned with the attack surface of the machine. Every service is potentially vulnerable to attack, so keeping the number of services that run on a machine to a minimum means that there are fewer services that an attacker can compromise. Whether it uses HTTP or HTTPS, a web server will be potentially vulnerable to attack and will be one more element that needs to be patched and managed from a security perspective.

    Justin

  • Pixel Bender - slow performance and hell for existing users

    Hello Adobe team,

    Since Adobe introduced AGAL and Stage3D, Pixel Bender shows poor performance every time. My friend asked me why. There is a Pixel Bender-based app for image distortion, and with the latest Flash Player PB is slow. Exactly: the road to hell. While auditing this issue, I found that all my Pixel Bender apps also show poor performance. It was much better earlier, half a year or a year ago.

    Will this be fixed, or is Pixel Bender no longer supported?

    Unfortunately, it was necessary from a security point of view. We have seen a number of papers on Just-In-Time compilers come out for other products that we concluded last year were relevant to the Pixel Bender JIT. Rather than wait until an emergency situation to do something, we chose to take measures to ensure that your customers and other end users are protected.

    We conducted a thorough analysis and concluded that the mitigation measures needed to defend against this emerging class of attacks would affect performance nearly as badly as disabling the JIT, while still leaving a possible attack surface. We also determined that AGAL and Stage3D are not vulnerable to these classes of attack, which is why we are recommending migrating your content to take advantage of them.

    While we would have really liked to communicate the changes beforehand, that would inherently have described the potential attack vector publicly without a solution being shipped. We have experimented with communicating security changes in the past, and attacks on those features were quickly developed and deployed by bad actors.

    Backward compatibility is always a main technical objective, but the fact is that the Internet threat landscape has changed considerably over the last decade, and adapting to it frequently requires choosing among a number of terrible options. While we understand that it is extremely annoying for developers using the Pixel Bender JIT for performance, we strongly believe that it was the best of the available options.

  • Does an APEX runtime-only environment increase performance?

    Hello

    Does anyone know if an APEX runtime-only environment increases performance over a full development environment? I read everywhere that it increases security, but nowhere is it specified whether it increases performance.

    From my point of view, it's nonsense to store all the activity information that is shown via the INTERNAL or development accounts when you're not using it anywhere. Do you know if the development team has thought of this option?

    Thank you

    Hello

    There will be no difference in performance. A runtime-only environment just removes all the packages that are not used, to reduce the possible attack surface.

    On the activity log: there may not be a user interface to see the entries, but you can query the APEX_WORKSPACE_ACTIVITY_LOG dictionary view and display them in your own admin applications. Or use an automatic batch job to notify you if the page response time is unacceptably slow...

    But basically it's up to you whether you want to record this information. Just set the application "Logging" attribute and the application will no longer record these statistics.

    Regards
    Patrick
    -----------
    My Blog: http://www.inside-oracle-apex.com
    APEX Plug-Ins: http://apex.oracle.com/plugins
    Twitter: http://www.twitter.com/patrickwolf

  • VLAN on a Cisco 3750G

    Is a VLAN created on a Cisco 3750G with the latest IOS a 'good' way to secure a VMware network? In this case, I'm hiding vMotion traffic, and the entire network is behind a firewall. I realize it would be better to have a dedicated and isolated switch, but is a VLAN on a reliable and secure Cisco switch enough? Or does safety lie elsewhere, for example in encrypting the vMotion traffic or solid ACLs?

    Sly-

    I think you nailed it in your post; there are some things you need to do when using VLANs to avoid trouble. The vulnerability Tom referred to has to do with IOS/CatOS decoding of VTP frames. Just like we see in the Windows RPC/NetBIOS or SMB/CIFS vulnerabilities or other remotely exploitable vulnerabilities, it is possible to craft a frame with malicious content that could overflow a buffer, mishandle strings (unchecked input), double-free, etc. This type of vuln is often found by "fuzzing", where you create bad or partially malformed frames and feed them to the unit under test, in the hope of finding a crash or creating a denial of service. I remember simple tools like ISIC (IP Stack Integrity Checker) used to validate running equipment that would occasionally cause a switch to crash, especially on older IOS. So it is not limited to control plane protocols such as VTP; this can also happen in the data plane. The data plane is much more robust because its attack surface is much more exposed to attack than protocols like VTP, and a large number of problems have been corrected. If you look back in history, there are tons of security issues in the Cisco data plane and other gear in less-used features such as IP options, fragment handling, rarely used ICMP types and codes, and TCP sequence overflows. Now, I bet that if the security research community had concentrated early on protocols such as CDP, VTP and STP, you would have seen several vulnerabilities earlier.

    So saying "don't use VLANs, otherwise you are vulnerable due to a VTP vulnerability" is equivalent to saying don't run IP on Cisco routers/switches when IP and ICMP vulnerabilities both exist in the data plane.

    Now, if you had followed what Cisco and other L2 switch vendors recommend, you would not expose your VTP domain to such attacks and therefore you would not be vulnerable. Just as you would not expose your switches to receiving Spanning Tree BPDUs or dynamic routing protocol packets like OSPF, IS-IS or BGP from unapproved speakers. Take a look at a blog I posted w/r/t this topic:

    http://blogs.VMware.com/Networking/2009/06/lets-talk-security-DMZs-VLANs-and-L2-attacks.html

    There is a lot of fear in the community about L2 attacks, because networks and network devices are often a mystery to server people, and a bad L2 configuration could be a source of security and stability problems. It is important to educate the community on the possible exposures, and VMware and other market leaders such as Cisco take responsibility for doing so.

    Disclosure on my part: I am speaking from having had operational experience implementing and running one of the largest global data center networks (Global Crossing/GlobalCenter, which later became Exodus, then Savvis) as one of the senior network engineers, and even 10 years back we had data centers with massive switch fabrics that hosted customers like Yahoo, Ask Jeeves, etc., isolated and segmented using VLANs. If you go into a large hosted data center today, you certainly would not get your own physical switch and backbone uplink; you would share a 6500, a Foundry or a big Extreme with often 100+ other customers.

  • How does one disable the built-in web server?

    In my case an Adobe technician enabled the built-in web server for some sort of test and left it that way. I would like to turn it off once more to limit the attack surface, as I see it's getting some visits from an internal network vulnerability scanner.

    Where is the configuration file and the specific setting to disable only the built-in web server?

    Unwanted changes to the built-in web server are referenced in this forum article: http://forums.Adobe.com/message/4388179

    To add to Miguel-F's information, in case you use ColdFusion 9, adding only the code below in the section above will work.

    true

  • Log analyzer?

    I have installed the server for fun and learning.

    This year, it has been attacked several times.

    The problem is that I don't spend much time checking the logs, so it takes a long time before I realize it.

    Is there a log analyzer or something that alerts when there is a problem, such as an IP attempting passwords for several hours?

    As far as I know, there is no built-in log reduction and analysis within the OS X Server tools. There are add-on log analysis tools.

    OS X Server does have some firewall features in this area through pfctl(8).

    Botnets easily circumvent the usual types of reactive treatment, however: a single attempt from every one of a zillion hosts works as well as a bunch of attempts from one host and is much harder to block. That usually means setting up an external firewall or VPN services and reducing the number of exposed ports.

    Switch over to certificates where you can, and learn more about what you can do about passwords.
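The question asks for something that alerts on "an IP attempting passwords for several hours", and the answer points out that a botnet spreading one attempt across many hosts defeats that kind of per-IP rule. The following is an added example, not code from the thread or from OS X Server: a small Python analyzer over OpenSSH "Failed password" syslog lines that flags both patterns, a per-source burst (many failures from one IP inside a sliding window) and a distributed guess (one username failing from many distinct IPs, each only once). The log lines are constructed (RFC 5737 documentation addresses, hostname `mini`), the year is an assumption because syslog omits it, and the thresholds (5 failures in 10 minutes, 5 distinct sources) are arbitrary starting points, not values from the post.

```python
"""Flag SSH password guessing in sshd syslog lines, two ways.

1. Burst from one source: >= threshold failures from one IP inside a short
   sliding window (the "one IP trying passwords for hours" case).
2. Distributed guessing: one username failing from many distinct IPs, each
   only once or twice (the botnet pattern that per-IP blocking misses).
"""
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta
from typing import Dict, List, NamedTuple

# Constructed sample in OpenSSH/syslog format. Addresses are RFC 5737
# documentation ranges; no real hosts are involved.
SAMPLE_LOG = """\
Jun 14 02:11:03 mini sshd[4012]: Failed password for root from 203.0.113.7 port 51522 ssh2
Jun 14 02:11:05 mini sshd[4014]: Failed password for root from 203.0.113.7 port 51530 ssh2
Jun 14 02:11:08 mini sshd[4016]: Failed password for invalid user admin from 203.0.113.7 port 51541 ssh2
Jun 14 02:11:10 mini sshd[4018]: Failed password for root from 203.0.113.7 port 51548 ssh2
Jun 14 02:11:12 mini sshd[4020]: Failed password for invalid user oracle from 203.0.113.7 port 51555 ssh2
Jun 14 02:30:00 mini sshd[4100]: Accepted publickey for martin from 192.0.2.10 port 40022 ssh2
Jun 14 03:00:01 mini sshd[4201]: Failed password for invalid user admin from 198.51.100.11 port 3322 ssh2
Jun 14 03:40:17 mini sshd[4233]: Failed password for invalid user admin from 198.51.100.12 port 3322 ssh2
Jun 14 04:12:44 mini sshd[4260]: Failed password for invalid user admin from 198.51.100.13 port 3322 ssh2
Jun 14 05:03:09 mini sshd[4290]: Failed password for invalid user admin from 198.51.100.14 port 3322 ssh2
Jun 14 06:51:52 mini sshd[4312]: Failed password for invalid user admin from 198.51.100.15 port 3322 ssh2
Jun 14 07:20:00 mini sshd[4350]: Failed password for martin from 192.0.2.10 port 40100 ssh2
"""

# "Mon DD HH:MM:SS host sshd[pid]: Failed password for [invalid user] U from IP port N"
FAILED_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2}\s+\d{1,2} \d{2}:\d{2}:\d{2}) \S+ sshd\[\d+\]: "
    r"Failed password for (?:invalid user )?(?P<user>\S+) from (?P<ip>\S+) port \d+"
)


class Failure(NamedTuple):
    when: datetime
    user: str
    ip: str


def parse_failures(text: str, year: int = 2015) -> List[Failure]:
    """Extract failed password attempts; syslog has no year, so one is assumed."""
    found = []
    for line in text.splitlines():
        m = FAILED_RE.match(line)
        if not m:
            continue  # accepted logins and other sshd chatter are ignored
        stamp = " ".join(m["ts"].split())  # collapse syslog's day padding ("Jun  4")
        when = datetime.strptime(f"{year} {stamp}", "%Y %b %d %H:%M:%S")
        found.append(Failure(when, m["user"], m["ip"]))
    return found


def burst_sources(failures: List[Failure], threshold: int = 5,
                  window: timedelta = timedelta(minutes=10)) -> Dict[str, int]:
    """IPs with >= threshold failures inside any `window`, with their peak count."""
    recent: Dict[str, deque] = defaultdict(deque)
    peaks: Dict[str, int] = {}
    for f in sorted(failures, key=lambda x: x.when):
        q = recent[f.ip]
        q.append(f.when)
        while f.when - q[0] > window:  # drop attempts that fell out of the window
            q.popleft()
        if len(q) >= threshold:
            peaks[f.ip] = max(peaks.get(f.ip, 0), len(q))
    return peaks


def distributed_targets(failures: List[Failure], min_sources: int = 5) -> Dict[str, int]:
    """Usernames attacked from at least `min_sources` distinct IPs."""
    sources: Dict[str, set] = defaultdict(set)
    for f in failures:
        sources[f.user].add(f.ip)
    return {user: len(ips) for user, ips in sources.items() if len(ips) >= min_sources}


if __name__ == "__main__":
    fails = parse_failures(SAMPLE_LOG)
    for ip, n in burst_sources(fails).items():
        print(f"burst: {ip} made {n} failed attempts within 10 minutes")
    for user, n in distributed_targets(fails).items():
        print(f"distributed: user {user!r} targeted from {n} distinct sources")
```

On the sample, the first rule catches `203.0.113.7` (five failures in nine seconds) and the second catches `admin` (six distinct sources, five of them with a single attempt each, which no per-IP threshold would ever see). The user `martin`, who has one legitimate login and one typo, triggers neither. Pointing `parse_failures` at `/var/log/secure.log` (OS X) or `/var/log/auth.log` (Linux) and running it from a periodic job is the minimal version of the alerting the question asked for.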

  • Unable to access SSL web site when company proxy uses a man-in-the-middle attack to scan SSL traffic

    Our company uses a proxy server that inspects SSL traffic to web sites. This is done via a man-in-the-middle attack: the proxy generates a new certificate on the fly and sends it to the client, impersonating the secure server.
    After upgrading from Firefox 10.0, I always get the error:
    Error HTTP Status: 400 Bad Request
    after confirming a security exception.

    Maybe this is related to the workaround for the BEAST attack (Browser Exploit Against SSL/TLS bug):

    • Bug 702111 - servers intolerant to 1/n-1 record splitting, "The connection was reset" (see also comment 60)
