-
Fred Zajac commented on the post, Week 10 Update, on the site 6 years, 7 months ago
Mustafa,
I understand your concern, but hackers already use credit scores to target people and businesses. Anyone can purchase someone’s credit score for a few dollars, and FTC regulations require a rating on financials, rating from AAA to Junk.
In my opinion, the cyber score should be required for all publicly traded companies who handle…[Read more]
-
Fred Zajac commented on the post, Week 11 Update, on the site 6 years, 7 months ago
Fraser,
The thing about patch management is testing the patch to see if it is valid or even if it will hinder your system. For instance, if you are not monitoring your hard drive space and a new patch gets installed that puts your hard drive in an unhealth state, then the good update may crash the system.
Automation on these things is…[Read more]
-
Fred Zajac wrote a new post on the site MIS 5212-Advanced Penetration Testing 6 years, 8 months ago
This report covers Lighthouse AI, a startup hoping to install facial and voice recognition devices in homes. The program is similar to the access software in cellphones, but can do much more. You can set up m […]
-
Fred Zajac wrote a new post on the site MIS 5212-Advanced Penetration Testing 6 years, 8 months ago
This report identified three vulnerabilities with VPN services leaking sensitive IP Address and location information. Virtual Private Networks are used for several different reasons, but in this case it is used […]
-
Fred, really interesting article you posted. I remember last year when Internet privacy laws were scrapped and all my IT friends kept discussing VPN. What is more concerning is that the VPN services which contained vulnerabilities were the services provided by three popular VPN providers. I could expect this from a smaller provider, but not a well-known one. To me, VPN services is your focus so why are there slip ups? Also, I am sure once Internet privacy laws were removed, business must have increased. I know many of people who purchased VPN services once this change went into effect. Technology, security and privacy are huge today and I feel as if those companies should know that and not have vulnerabilities in the free Chrome-plug-in.
-
Fred,
That’s actually quite interesting because over 40% of SMBs use VPN for remote business operations. I am unsure of the severity of these transactions, but if VPNs are leaking sensitive information such as IP address and location, this possibly has a huge place to instigate another cyber threat. Attackers can easily catch hold of these IPs to demand ransom. I am sure that Private VPNs are far secured and that organizations do use advanced security systems to prevent IP leaks over the private network.
-
-
Fred Zajac commented on the post, Week 10 Update, on the site 6 years, 8 months ago
I attended a Risk Quantification Symposium last week and learned some fascinating things that are coming down the pipeline for enterprise risk.
One thing I found very interesting is the FICO Enterprise Security Score. http://www.fico.com/en/products/fico-enterprise-security-score
This is similar to a credit score everyone is familiar with,…[Read more]
-
Fred Zajac commented on the post, Week 09 – Update, on the site 6 years, 8 months ago
Matt,
Check this out…
http://www.fico.com/en/products/fico-enterprise-security-score
I wonder what these agencies “security score” is. Bad Credit.. LOL
The score is based on a few factors, but security posture and culture weighs on the number
-
Fred Zajac commented on the post, Week 5 Update, on the site 6 years, 9 months ago
Here is a link that may help everyone on assignment 2 and 3. You will be able to see more information on the left side if you follow the tree. Also, you can search previous versions of windows group policy information for a step-by-step guide. The one I like is for Windows 2000. Keep in mind, the Windows 2000 guide is like version 1 of the…[Read more]
-
Fred Zajac commented on the post, Week 4 Update, on the site 6 years, 9 months ago
Hey all,
Flash can be disabled in all popular internet browsers. Plus, you can set up office to not allow files with flash or any plug in.
To stop flash in group policy:
Search Group Policy editor –> Computer Configuration –> Administrative Templates –> Windows Components –> Internet Explorer –> Security Features –> Add On…[Read more]
-
Fred Zajac commented on the post, Progress Report for Week Ending, September 22, on the site 6 years, 9 months ago
https://forums.kali.org/showthread.php?24687-Problem-with-apt-get-update/page4
Sorry, here is the information link. Just realized I forgot to include.
-
Fred Zajac wrote a new post on the site MIS 5212-Advanced Penetration Testing 6 years, 9 months ago
I was getting the 404 with several tools when apt-get update && apt-get upgrade. This command worked.
wget -q -O – archive.kali.org/archive-key.asc | apt-key add
You can read more up on repositories on […]
-
https://forums.kali.org/showthread.php?24687-Problem-with-apt-get-update/page4
Sorry, here is the information link. Just realized I forgot to include.
-
Thanks Fred, this will definitely help!
-
Thanks for sharing. My kali from last semester works with this command:
wget -q -O – https://archive.kali.org/archive-key.asc | apt-key addI also got 52 upgrades including exploitdb for metasploit:
root@kali:~# apt-get -y upgrade
Reading package lists… Done
Building dependency tree
Reading state information… Done
Calculating upgrade… Done
The following packages will be upgraded:
bsdmainutils burpsuite cracklib-runtime dbus dbus-user-session dbus-x11
exploitdb firmware-amd-graphics firmware-atheros firmware-bnx2
firmware-bnx2x firmware-brcm80211 firmware-cavium firmware-intel-sound
firmware-intelwimax firmware-ipw2x00 firmware-ivtv firmware-iwlwifi
firmware-libertas firmware-linux firmware-linux-nonfree
firmware-misc-nonfree firmware-myricom firmware-netxen firmware-qlogic
firmware-realtek firmware-samsung firmware-siano firmware-ti-connectivity
gnome-control-center gnome-control-center-data gnome-terminal
gnome-terminal-data imagemagick imagemagick-6-common imagemagick-6.q16
libaudit-common libaudit1 libcrack2 libdbus-1-3 libicu57
libmagickcore-6.q16-3 libmagickcore-6.q16-3-extra libmagickwand-6.q16-3
libsodium18 libtiff5 metasploit-framework python-flask python-formencode
python-tornado recon-ng sysstat
52 upgraded, 0 newly installed, 0 to remove and 0 not upgraded.
-
-
Fred Zajac commented on the post, Week 3 Update, on the site 6 years, 9 months ago
Is it crazy that we still use a 9 digit plain text number to conduct authentication for our federal tax reporting system?
-
Fred Zajac commented on the post, Week 3 Update, on the site 6 years, 9 months ago
The general public is way too willing to add content to their social conglomerate that they are forfeit basic privacy.
YES!
Challenge questions that can be guess by visiting social media sites:
What is your high school mascot?
Where did you go to elementary school?
What road did you grow up on?
What is your favorite sports team?
What…[Read more] -
Fred Zajac commented on the post, Week 1 Update, on the site 6 years, 9 months ago
We are using Patch Management for our clients using a third-party product. If you are interested in the product, let me know and I will give you info.
Anyway,
One of the things you mention is patching causing issues with applications. This is something we run into from time to time from our clients. Another issue we have is patching…[Read more]
-
Fred Zajac commented on the post, Week 1 Update, on the site 6 years, 9 months ago
Satwika & Frederic,
I agree patching is a very big deal, but what if the IoT manufacture didn’t provide enough space for constant patching? Example: Hardrive limit.
The patching will crash the hard drive at some point because of the file additions. Also, as you mention in a previous post,
The manufacturer may have used a very basic…[Read more]
-
Fred Zajac commented on the post, Week 1 Update, on the site 6 years, 9 months ago
The attacker simply needs to scan the global IPv4 address space (only 4,294,967,296) for known open ports.
Check this out. Can be done is seconds!
Censys.io
-
Fred Zajac wrote a new post on the site MIS 5212-Advanced Penetration Testing 6 years, 9 months ago
Are you in the mood for love, but forgotten what love is?
Valentine’s Day is a day when people of all ages express their “love” towards people very close to them. Elementary schools are engaging in […]
-
Fred Zajac commented on the post, Week 2 Update, on the site 6 years, 9 months ago
Brock,
I would also like to see these scanners, but playing the other side of the coin…
The users of these scanners are creating the database for them. Example: As a pentester, I use Chronicle to search for vulnerabilities of a specific IPAddress. It then scan’s the IPAddress for vulnerabilities. It does or doesn’t identify…[Read more]
-
Fred Zajac commented on the post, Week 2 Update, on the site 6 years, 9 months ago
Are there any “Horror” movies about IoT devices killing people? Hummm….
-
Fred Zajac commented on the post, Week 2 Update, on the site 6 years, 9 months ago
Another online scanner you may want to check out is Censys.io. It uses Zmap and Zgrab to identify specific information about a network. It is glitchy sometimes and have to play around with how you search for mulitple IPAddresses or even a range, but it is a good and quick recon tool to identify how you may want to handle the pentest.
-
Fred Zajac commented on the post, Week 2 Update, on the site 6 years, 9 months ago
I am a fan of Nessus and OpenVAS. Nessus is free and available for Windows. You can download on local host and scan your home / small office network. Nessus / Tennable offers several plug-in’s for different types of scans. You could also do the basic scan, which we did in Ethical Hacking, but this won’t discover the Mirai vulnerability. You…[Read more]
- Load More
I think this would be fantastic innovation altogether to make security of IoT devices more efficient. However there has not been much progress made until today on the security of these applications against brute force attacks. Moreover, IoT itself is in a growing phase of technological development and this startup would definitely be an icing on the cake.