
Tuesday, December 1, 2015

Data Governance & Security Solution to Prevent Internal Data Leakages

When your company expands, it is a must to protect your company's sensitive data from being stolen. Implementing security policies is indeed necessary; however, monitoring policy violations by hand becomes impossible as the company grows. Even if you bought a super firewall, it provides internet security against outside attackers but only minimal security against internal data leakage.

Due to these facts, it is a must to think about a complete internal data security solution rather than risking your company's sensitive data collection. Obviously, the question that comes to your mind would be: if company data has not been organized and categorized, how should I start implementing such a solution?

The answer is simple: go for an enterprise solution which provides complete data analysis, modelling, permissioning, auditing and recommendation of the best resolutions. Considering these facts, Varonis is one of the powerful software solutions which provides actionable data governance for financial services, healthcare, energy, manufacturing and tech companies.

According to Varonis specification, it provides an innovative software platform that allows enterprises to map, analyze, manage and migrate their unstructured data. Varonis specializes in human-generated data, a type of unstructured data that includes an enterprise's spreadsheets, word processing documents, presentations, audio files, video files, emails, text messages and any other data created by employees. IT and business personnel deploy Varonis software for a variety of use cases, including data governance, data security, archiving, file synchronization, enhanced mobile data accessibility and information collaboration.

Following is the summary of Varonis tools, functionalities and respective features.

Varonis tool (functionality) - features and remarks

DataAdvantage (data audit and protection)
- Bi-directional permissions view: user permission view for each access point such as SharePoint, AD, mail, etc.
- Audit trail: I/O operations (open, create, delete, etc.) in each access point
- Recommendation & modelling: based on who has permission and on the audit trail, provides recommendations to control access
- Data ownership identification: top access users for each access point
- Content classification: analyzes sensitive information (credit card numbers, social security numbers, etc.) and provides details on who has accessed and who is accessing it
- Multiple platform support: Windows servers, Unix, NAS devices, Exchange and public folders

DataAlerts (user behaviour analytics)
- Privilege escalations
- Critical files, folders or sites accessed or deleted
- Permissions changed
- Change detected outside control hours

DataPrivilege (access governance)
- Lets business users approve access requests; no IT team support required

DataAnswers (enterprise search and eDiscovery)
- Search folders and the intranet for a specific file or for file metadata such as who created, opened or modified it and who has access

DataAnywhere (enterprise file sync and share)
- Turn your file share into a private cloud. Private cloud features:
- Access from mobile
- Share with external parties
- Set permissions
- Backup / ID management / encryption / data classification

IDU Classification Framework (data classification)
- Where in the file system sensitive data resides
- Who has access
- Who should and shouldn't have access
- Who uses it
- Who owns it
- Calculate a risk percentage on data
- Set priority for data based on risk
- Alert on statistical deviation or spikes in email/file access

Data Transport Engine (retention and migration)
- Migrate live data: filter based on any criteria before migration, choose the destination, set permissions at the destination, schedule the migration
- Migrate between two domains
- Migrate data from Windows to a file share or vice versa
- Simulate a migration

Are you satisfied with the above overall solution for data leakage prevention?

I would still say no. Because however deep its protection through analyzing and auditing data transfers is, I could still take a photo of your sensitive data collection or create a PDF version and send it to anybody. The major con of Varonis is that it still does not support image and PDF processing in order to govern the data content.

In that case, I would prefer to go for a solution such as NeoKami, which is an artificial intelligence solution for governing data that includes image and PDF processing as well. Comparatively, NeoKami doesn't provide all the functionalities of Varonis. However, it is a powerful trainable AI solution that facilitates a more advanced resolution for the data classification which Varonis provides.

Cheers..

Tuesday, November 10, 2015

Configuring Your DNS ZONE File

Looking over most of the forum and blog posts regarding DNS configuration for domains, it seems many people need to get the job done quickly, but nobody wants to spend a little time to learn and do it the right way.

This blog post will be a quick reference for you to learn and configure DNS ZONE file in your domain.

What is DNS ZONE File

A DNS zone refers to a certain portion or administrative space within the global Domain Name System (DNS). The DNS Zone file is the representation of the DNS Zone - it is the actual file, which contains all the records for a specific domain. The zone file contains mappings between domain names and IP addresses and other resources, organized in the form of text representations of resource records (RR).


The Domain Name System specifies a set of various types of resource records (RRs), which are the basic information elements of the domain name system. Each record has a type (name and number), an expiration time (time to live), a class, and type-specific data.

The most commonly used resource record (RR) types are CNAME, A, MX, NS and SOA.


Canonical Name Record (CNAME)

A CNAME record maps a single alias or nickname to the real or Canonical name which may lie outside the current zone. Canonical simply means the expected or real name.

The following fragment shows the use of CNAME RRs to map web and ftp services to a single host.

name  ttl  class   rr     canonical name
www        IN      CNAME  server1
ftp        IN      CNAME  server1


Note:
CNAME RRs incur performance overheads. The most commonly used DNS queries are for an A RR (IPv4) or an AAAA RR (IPv6), and a CNAME answer forces the resolver to look up the canonical name as a second step. Therefore it is recommended to use A RRs where possible.


IPv4 Address Record (A)

An A record maps a domain to the physical IP address of the computer hosting that domain. Internet traffic uses the A record to find the computer hosting your domain's DNS settings. The value of an A record is always an IP address, and multiple A records can be configured for one domain name.

For example, if you need to route alice.example.com to your host's IPv4 address, where alice is the owner-name and is not the real host name of the PC or server, the format is as follows.

owner-name  ttl  class   rr     ipv4
alice            IN      A     192.168.254.3

If you need to route any non-existent sub-domain name to your host, for example *.example.com following is the format.

owner-name  ttl  class   rr     ipv4
*                IN      A     192.168.2.1

A record for "@", represents the IP address for the root domain (mysite.com).

owner-name  ttl  class   rr     ipv4
@                IN      A     192.168.2.1

Once you configure '@', your domain name becomes a "naked" domain address. That means you can simply type http://example.com and browse to your site.
When defining non-existent host names (or 'labels' in DNS jargon), as in the examples above (alice or *), we need to follow certain standards specified in the articles below.



Mail Exchange Record (MX)

Specifies the name and relative preference of mail servers (mail exchangers in the DNS jargon) for the zone. The MX RR is used by external SMTP (Mail) Agents to route incoming mail for the domain.

owner-name     ttl  class   rr  pref  name
example.com.   3w   IN      MX  10    mail.example.com.

The pref (Preference) field is relative to any other MX record for the zone (value 0 to 65535). Low values are more preferred. The pref field is used by the SMTP (Mail) Agent to select the most preferred (lowest pref value) mail server. If this mail server is unavailable (down or too busy) then if a lower preference mail server is defined (has a higher pref value) it is tried.


Name Server Record (NS)

An NS record (name server record) tells recursive name servers which servers are authoritative for a zone. Recursive name servers look at the NS records to work out who to ask next when resolving a name. You can have as many NS records as you would like in your zone file. The benefit of having multiple NS records is redundancy of your DNS service.

owner-name     ttl  class   rr     target-name
example.com.        IN      NS      ns1.example.com.


Following picture describes what authoritative name servers are:


Start of Authority Resource Record (SOA)

The SOA defines the global parameters for the zone (domain). Only one SOA record is allowed in a zone file, and it must be the first RR in the zone.

owner-name  ttl class rr    name-server email-addr  (sn ref ret ex min)
example.com.    IN    SOA   ns.example.com. hostmaster.example.com. (
                              2003080800 ; sn = serial number
                              172800     ; ref = refresh = 2d
                              900        ; ret = update retry = 15m
                              1209600    ; ex = expiry = 2w
                              3600       ; nx = nxdomain ttl = 1h
                              )
; the following are also valid using @ and blank 
@               IN    SOA   ns.example.com. hostmaster.example.com. (
                IN    SOA   ns.example.com. hostmaster.example.com. (
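As an added example (not part of the original post), here is a small Python checker that parses records in the layout used throughout this post and applies the rules stated above: the SOA must be the first and only SOA, an MX preference must lie in 0..65535, and an A record must carry an IPv4 address. The sample zone inside it is constructed for the example.

```python
"""Zone-file checker for the record layout used in this post (added example,
not from the original post). It strips ';' comments, folds '( ... )'
continuations such as the SOA onto one logical record, honours '@' and
blank owner-names, then applies the SOA, MX and A rules stated in the post."""
import ipaddress
import re

RR_TYPES = {"SOA", "NS", "A", "AAAA", "CNAME", "MX", "TXT"}
TTL_RE = re.compile(r"^\d+[smhdw]?$", re.IGNORECASE)

# Constructed sample zone in the post's own layout.
SAMPLE_ZONE = """\
$ORIGIN example.com.
@               IN  SOA  ns.example.com. hostmaster.example.com. (
                          2003080800 ; sn = serial number
                          172800     ; ref = refresh = 2d
                          900        ; ret = update retry = 15m
                          1209600    ; ex = expiry = 2w
                          3600 )     ; min = minimum ttl = 1h
                IN  NS   ns1.example.com.
                IN  MX   10 mail.example.com.
ns1             IN  A    192.168.2.1
www             IN  CNAME server1
server1         IN  A    192.168.254.3
"""


def fold_records(text):
    """Return (tokens, owner_is_blank) per logical record, comments removed."""
    records, buf, depth, blank = [], [], 0, False
    for raw in text.splitlines():
        line = raw.split(";", 1)[0]
        if not buf:
            blank = line[:1] in (" ", "\t")   # blank owner = reuse previous
        depth += line.count("(") - line.count(")")
        buf.append(line.replace("(", " ").replace(")", " "))
        if depth <= 0:
            tokens = " ".join(buf).split()
            buf, depth = [], 0
            if tokens:
                records.append((tokens, blank))
    return records


def parse_zone(text, origin=None):
    """Return a list of {owner, ttl, cls, type, rdata} dicts."""
    out, prev_owner = [], origin
    for tokens, blank in fold_records(text):
        if tokens[0].startswith("$"):             # $ORIGIN / $TTL directives
            if tokens[0].upper() == "$ORIGIN":
                origin = prev_owner = tokens[1]
            continue
        owner = prev_owner if blank else tokens.pop(0)
        if owner == "@":
            owner = origin
        elif origin and not owner.endswith("."):
            owner = owner + "." + origin          # qualify a relative name
        ttl = tokens.pop(0) if tokens and TTL_RE.match(tokens[0]) else None
        cls = tokens.pop(0) if tokens and tokens[0].upper() == "IN" else "IN"
        if not tokens or tokens[0].upper() not in RR_TYPES:
            raise ValueError("unrecognised record: " + " ".join(tokens))
        rtype = tokens.pop(0).upper()
        out.append({"owner": owner, "ttl": ttl, "cls": cls,
                    "type": rtype, "rdata": tokens})
        prev_owner = owner
    return out


def lint_zone(text, origin=None):
    """Apply the checks described in the post; return a list of findings."""
    recs = parse_zone(text, origin)
    findings = []
    if not recs or recs[0]["type"] != "SOA":
        findings.append("SOA must be the first record in the zone")
    n_soa = sum(r["type"] == "SOA" for r in recs)
    if n_soa != 1:
        findings.append("exactly one SOA expected, found %d" % n_soa)
    for r in recs:
        if r["type"] == "MX":
            pref = r["rdata"][0] if r["rdata"] else ""
            if not (pref.isdigit() and int(pref) <= 65535):
                findings.append("MX for %s: preference %r not in 0..65535"
                                % (r["owner"], pref))
        elif r["type"] == "A":
            try:
                ipaddress.IPv4Address(r["rdata"][0])
            except (IndexError, ValueError):
                findings.append("A for %s: %r is not an IPv4 address"
                                % (r["owner"], " ".join(r["rdata"])))
    return findings
```

Run `lint_zone(open("db.example.com").read())` on your own zone; an empty list means the three rules hold.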



Monday, October 19, 2015

Short & Sweet Advice from Warren Buffett

I just found an old email and thought that it is still valuable advice worth sharing. This is billionaire investor Warren Buffett's advice during the economic crisis of 2009; however, it is still valid even after 6 years.


Sunday, January 8, 2012

Forwarding Outlook Emails to your public Email Account or to your Pager

I was searching for ways of forwarding my Outlook emails to my mobile or to my preferred public email accounts. Unfortunately all the easiest ways were blocked, including Outlook's email forwarding options, forwarding emails externally through an SMTP server and also forwarding mails from an external program. However, on studying it further I found a way which is very interesting and which there is no way of blocking: writing an Outlook macro.

Using the Outlook macro option you can write custom VB code as you want, as well as trigger your code with Outlook events such as when a new email is received.
You can also forward your Outlook emails to any email address or to your mobile pager address through your VB code in a totally customized way. You will receive the forwarded email in your public mail account or on your mobile in the same way you sent it through Outlook.

There is no way your system administrator could find out that you are using such a macro; however, there is a possibility that your mails are blocked at the SMTP server end, and due to the server failure your code may retry forever. Then your administrators would find it, due to the incoming traffic and failures from your mail account.

So below is the code; use it at your own risk.
1. MS Outlook 2007 > Tools > Macro > Visual Basic Editor
2. Copy & paste the code below
3. Provide your public email address, save and run it.
4. This will trigger when you receive a new email and forward the content to the given mail account. Further, you can enhance this as you want by writing events only for your custom Inbox folders, forwarding attachments, etc.

Private Sub Application_NewMail()
    Dim objItem As Outlook.MailItem
    Dim objMailItem As Outlook.MailItem
    Dim sSubject As String
    Dim sBody As String

    ' Get the item that likely triggered the event (first item in the default Inbox).
    Set objItem = Application.GetNamespace("MAPI"). _
        GetDefaultFolder(olFolderInbox).Items(1)
    sSubject = objItem.Subject & " From: " & objItem.SenderName
    sBody = objItem.Body

    ' Build a new message with the same subject and body and send it on.
    Set objMailItem = Application.CreateItem(olMailItem)
    With objMailItem
        .Subject = sSubject
        .Body = sBody
        .Recipients.Add "YourPublicEmail@gmail.com"
        .Send
    End With
    Set objMailItem = Nothing
End Sub

Thursday, February 19, 2009

Is Your Personal Email Account Being Hacked?

Did someone hack your personal email/Facebook/hi5 accounts? Or did someone create fake Facebook/hi5/MySpace profiles with your personal information? Yup, most of the buggers are doing those things and having fun with it. Most of the mails I received were regarding those matters, and it seems most girls face those problems.

So how do we find out the buggers who are trying to play against you? You may think they can be experts in computer programming and you are not good enough to tackle them. Remember this: there is no one we can call a genius unless they are really good enough depending on their experience. If so, they won't waste their valuable time doing those silly things rather than researching something new. So be optimistic. The hacker's simple mistake will be enough to track him easily. In this post I'll explain a few simple ways of locating hackers.

Basically the easiest way is to track his IP and locate him. IPs can be dynamic or static. For example, hosted website servers or registered companies have static IPs, assigned by the Internet Service Provider (ISP); they won't change periodically. But our local machines' IPs are dynamic: when we reset the router, our IP will be changed.

So how are we gonna track the hacker's IP?? There are many ways of tracking an IP. One way is to get him to click a link. That will be the easiest way unless the hacker uses a proxy browser. You can simply host a web page which records the IP of the page requester and saves it with the request time. You can use a free online hosting server for it and pass that web page link in a tricky way to the people that you want to track. The following PHP code stub will record the IP of the page requester and save it to a text file along with the request time.

<?php
// Append the requesting client's IP address and the request time (Unix timestamp) to a text file.
$clientip = $_SERVER['REMOTE_ADDR'];
$myFile = "testFile.txt";
$fh = fopen($myFile, 'a') or die("can't open file");
$thetime = time();
$stringData = "$clientip -- $thetime \n";
fwrite($fh, $stringData);
fclose($fh);
?>

Simply opening that text file you can get all IPs with accessed time.

So is that the only way to trace an IP? Nope, there are many. Another way: if the hacker sent you a mail, you can read the mail header information to find out his IP, unless he uses Gmail. So what about Gmail? Actually most hackers use Gmail to send mails. One advantage is that it doesn't show the sender's IP, and the other is that we can send anonymous mails using the gsmtp.gmail.com server.
[For more information about anonymous mails see my previous post:
http://gamenuwan.blogspot.com/2007/03/send-automatic-mail-using-smtp-server.html ]

Then if someone sent an email through Yahoo/MSN/etc., how are we gonna find out? It's simple. Go to your mailbox options and enable viewing the full header of your email. Refer to the following image of a Yahoo mail header. The "Received: from [xxx.xx.xxx.xx]" is the sender's IP address.

Now you know a few ways to trace someone's IP. After tracing the IP along with the access date and time, how are you gonna locate him?
First you can find out the location and registered names by searching it on an IP lookup site.
Ex:- http://ip-lookup.net/, http://www.dnsstuff.com/

If he has a static IP you will get the registered name, location and some other information. But if he has a dynamic IP then the IP lookup site will return the location and details of his Internet Service Provider (ISP). So you know the IP with the access time. The ISP can locate him by tracing which user that IP was mapped to at the time he used it. The ISP has a pool of IPs and dynamically maps those IPs among users, so all the mapped IPs, timestamps and the mapped user details should be logged on their servers.

Actually I have explained some simple methods to trace IPs. Those are the more accurate and efficient methods. Other than that there are many other ways of tracing an IP.

Some other methods to trace hackers:-
- You can create a .swf with an ActionScript in order to steal cookies, IP, etc. and send it as an email attachment
- If you know his email address you can send a messenger request and trace his IP while chatting. Ex:- You can share a file and run "netstat -a" in your command prompt, or you can use the Wireshark tool I explained in my previous posts, or you can use Sharp-IP-Getter to trace the IP while chatting in Yahoo Messenger
- If you are familiar with cross-site scripting (XSS), you can use malicious scripts to trace hackers or even to hack mail accounts.
- You can send a keylogger to monitor all his activities and receive them via mail.

Tuesday, August 19, 2008

How to access blocked websites?? -Torpark, the anonymous browser

I would like to introduce to you guys something more useful and powerful which can be used for anonymous internet surfing. I received so many mails asking how to unblock restricted websites. I explained in my previous posts about proxy sites and also listed some proxy sites which you can use to browse the internet anonymously. But it seems all those proxy sites have been blocked on your network. So what to do if the firewalls on your network block all your favorite websites and the proxy sites as well??

Don't worry, you still have a solution: Torpark.

So what the hell is that and how does it do it, huh??
First of all, how does your firewall block websites?
Basically it blocks websites by specified website URLs and by looking for keywords given by the network administrator. For example, the FortiGate firewall has web filtering features such as URL/keyword/phrase block, URL exempt list, content profiles, and blocking of Java applets, cookies, ActiveX, etc. In the FortiGate firewall, content blocking enables you to specify file types and words that should be blocked. With web content block enabled, every requested web page is checked against the content block list. The score value of each pattern appearing on the page is added up, and if the total is greater than the threshold value set in the protection profile, the page is blocked.

That can only happen if the firewall can read and understand the content of the incoming data packets. So what if the firewall can't understand the content of the incoming data packets?? That means the firewall can't find any specific URLs or keywords within that web content...

So that's exactly what happens when we browse the internet using Torpark. So let's get into the subject....

Torpark is a combination of the Mozilla Firefox browser and Tor (The Onion Router).
So what the hell is Tor??
Tor is an Internet-based system which enables users to communicate anonymously on the Internet. The Tor network encrypts traffic between a computer and the Tor network of routers. The client-side Torpark browser connects out to Tor, periodically negotiating a virtual circuit through the Tor network. Tor provides a way for two parties, a connection initiator and a connection responder, to communicate with each other anonymously, which protects their communications against traffic analysis attacks. All data packets are encrypted in a tunnel between your PC and the Tor network. After sending encrypted data to the Tor network, it passes through the tunnels until it reaches the internet unencrypted. The Tor network also passes data back to your computer encrypted, and your Torpark browser decrypts it and renders it for the user. So it will be a bit slow, especially when establishing the circuit.

So now you see how hard it is for network observers (such as crackers, companies, and governments) to reliably learn who is talking to whom and for what purpose by examining data packets flowing over the network, since all data is communicated in an encrypted and anonymous way. And another good thing is that the Torpark browser is portable and you can run it from a USB drive as well.

So I think I am done with this post. Hope you all got the idea. So good luck you all.

You can Download Torpark using following Urls:-
http://www.download.com/Torpark/3000-2356_4-10586817.html?hhTest=1

For More Info:-
http://security.ngoinabox.org/ScreenShots/Torpark/manual.html
http://security.ngoinabox.org/Documentation/Manuals/chapters/Torpark.pdf
http://advosys.ca/viewpoints/2006/09/torpark-quick-look/
http://www.linux.com/articles/53394
http://news.softpedia.com/news/Anonymous-Portable-Web-Browsing-Via-Torpark-36123.shtml

Friday, February 29, 2008

Find Hackers and Security Holes Using WIRESHARK!!

Hi Guys,

Up to now I have done a few posts regarding hacking. In this post I would like to introduce you to a great tool called "Wireshark" for finding security vulnerabilities in your network, in other words for finding hackers who are accessing your computer or the network.... huh
The scenario is like this:
Imagine you are currently working on a computer network. There are thousands of computers. You feel someone is monitoring you, or someone is accessing your PC, or someone is sniffing your Yahoo chats, or else you need to know which sites, IPs and ports you are currently connected to through your PC.

Test this command on your Windows Command Prompt:-

C:\>netstat -a

If you type that command in your Windows Command Prompt you can find out all the sites, IPs and ports and the people currently accessing your computer. But if serious hacking is going on, that is not enough to find the bugger.

So let's move on to the topic.
Wireshark (formerly known as Ethereal) is an extremely valuable tool capable of capturing wireless and Ethernet data, and it comes with some robust filtering capabilities. In other words, Wireshark is a network protocol analyzer, or "packet sniffer", that captures and shows the contents of network frames. It runs on Unix/Linux and Windows. Wireshark uses the WinPcap project to capture packets (libpcap on Linux).

If you are a network administrator it would be really useful for controlling your network interface and finding security holes. Even the Linux platform is vulnerable to attacks. This is an open source network packet sniffing product that watches DNS, TCP, UDP, HTTP and most of the known network protocols.

You can see the content of the captured data packets as well. If other data packets go through your network location they will be captured too. For example, you can see the data packets received by the PCs next to you. By looking at the content of the data packets you can read their chat records as well.


Download Wireshark:-
http://www.wireshark.org/download.html
http://sourceforge.net/projects/wireshark/


Website:-
http://www.wireshark.org

Basic User Guides:-
http://portforward.com/networking/wireshark.htm
http://zone.ni.com/devzone/cda/tut/p/id/6746


Advanced User Guides:-
http://www.wireshark.org/docs/wsug_html_chunked/
http://ftp.uni-kl.de/pub/wireshark/docs/user-guide-us.pdf


Other References:-
http://www.willhackforsushi.com/books/377_eth_2e_06.pdf

Note:- This is an extremely powerful tool. If you are not a network administrator, be careful when you use this tool, because if you run it on a machine connected to a network, your network administrator can find out that you are using a sniffing tool: when you run it there is always network traffic coming to your computer.

Thursday, January 24, 2008

Windows Management Instrumentation! Its coool! :-)

hi guys,

I'd just like to give you a brief idea about the WMI interface. Actually it's an efficient way to access OS resources from programming modules. In other words, it's a bridge between your Windows OS and a programming interface. Using the WMI interface you can programmatically change computer settings as well as do many of the operations your administrator can do on your computer.

Actually it was very helpful for me once when my PC was infected with a damn virus and all administrative settings were disabled because of it. So what I did was use the WMI interface to access OS resources, including registry entries, to change some settings. Also, if you are a developer, it's a wide area you need to study.

Basically WMI uses the WMI Query Language (WQL) to manipulate system resources. It's just like SQL queries; if you are familiar with SQL it's easy to adjust to WQL. Actually it's hard to give a clear definition of this, but try to think of WMI as a repository of properties and methods related to the system environment that you can access like a database.

You need a few different objects to perform WMI queries in .Net. They include the following:

(all within System.Management namespace)
ConnectionOptions
ManagementScope
ObjectQuery
ManagementObjectSearcher
ManagementObjectCollection
ManagementObject

Here is a sample program that I used to search folders

// Requires: using System; using System.Management; using System.Windows.Forms;
public static void FindFoldersByName(string strName)
{
    try
    {
        // Escape WQL string-literal metacharacters so a name containing a quote
        // or backslash cannot alter the query (WQL escapes with a backslash).
        string safeName = strName.Replace("\\", "\\\\").Replace("'", "\\'");

        // Execute WMI Query and wait for result
        WqlObjectQuery wqlObjectQuery = new WqlObjectQuery(
            "SELECT Name FROM CIM_Directory WHERE FileName = '" + safeName + "'");
        ManagementObjectSearcher searcher = new ManagementObjectSearcher(wqlObjectQuery);
        ManagementObjectCollection collFolders = searcher.Get();

        // Display each folder path...
        foreach (ManagementObject folder in collFolders)
        {
            string strCurrentPath = folder.Properties["Name"].Value.ToString();
            MessageBox.Show(strCurrentPath);
        }
    }
    catch (Exception ex)
    {
        MessageBox.Show(ex.ToString());
    }
}
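The sample above only uses the searcher and collection objects. As an added example (not from the original post), the following C# uses all six System.Management objects listed earlier together: a ManagementScope built from ConnectionOptions connects to root\cimv2, an ObjectQuery inventories running processes (a check that is handy when you suspect a hidden process on a machine), and the searcher's collection is walked into a plain list. The class and method names are my own.

```csharp
// Added example, not part of the original post. Assumes a reference to
// System.Management.dll. Requires administrator rights for remote hosts.
using System;
using System.Collections.Generic;
using System.Management;

public static class WmiInventory
{
    public sealed class ProcessInfo
    {
        public uint ProcessId;
        public string Name;
        public string ExecutablePath;   // null when WMI cannot read the path
    }

    // machine: "." for the local host, or a host name you administer.
    public static List<ProcessInfo> ListProcesses(string machine = ".")
    {
        // ConnectionOptions: run the query as the caller and encrypt the
        // DCOM traffic (matters for remote machines, harmless locally).
        var options = new ConnectionOptions
        {
            Impersonation = ImpersonationLevel.Impersonate,
            Authentication = AuthenticationLevel.PacketPrivacy,
            EnablePrivileges = true
        };

        // ManagementScope: the namespace on the target machine.
        var scope = new ManagementScope(@"\\" + machine + @"\root\cimv2", options);
        scope.Connect();

        // ObjectQuery: fixed WQL text, so no user input is concatenated in.
        var query = new ObjectQuery(
            "SELECT ProcessId, Name, ExecutablePath FROM Win32_Process");

        var result = new List<ProcessInfo>();
        // ManagementObjectSearcher runs the query; the ManagementObjectCollection
        // it returns yields one ManagementObject per process.
        using (var searcher = new ManagementObjectSearcher(scope, query))
        using (ManagementObjectCollection processes = searcher.Get())
        {
            foreach (ManagementObject process in processes)
            {
                result.Add(new ProcessInfo
                {
                    ProcessId = (uint)process["ProcessId"],
                    Name = (string)process["Name"],
                    ExecutablePath = process["ExecutablePath"] as string
                });
            }
        }
        return result;
    }

    public static void Main()
    {
        foreach (ProcessInfo p in ListProcesses())
            Console.WriteLine("{0,6}  {1,-30} {2}", p.ProcessId, p.Name,
                              p.ExecutablePath ?? "(path not readable)");
    }
}
```

A process whose ExecutablePath is unreadable is not necessarily malicious (system and protected processes behave the same way), so treat the list as an inventory to compare against, not as a verdict.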

More on this:-
http://msdn2.microsoft.com/en-us/library/aa394582%28VS.85%29.aspx
http://msdn2.microsoft.com/en-us/library/aa510211.aspx
http://www.codeguru.com/csharp/csharp/cs_network/wmi/article.php/c6035/#WMI


Thursday, September 20, 2007

Weird development of Keyloggers..

How comfortable would you be if you could read every single word someone typed, including email messages, passwords, IM conversations and so on? You may well feel it's really awesome; on the other hand you may feel it's terrible if you knew someone out there was monitoring you. It can and does happen via a bit of code known as a keylogger. A keylogger is a computer program that logs each keystroke a user types on a keyboard and saves this data into a file or transfers it via the Internet to a predetermined remote host. Keyloggers represent a serious threat to your computer's security and personal privacy. It's a kind of weird development in computer history.

Basically there are two types of keyloggers

1) H/W keyloggers and
2) S/W keyloggers


Hardware keyloggers plug in between a computer keyboard and the computer and log all keyboard activity to internal memory. They are designed to work with PS/2 keyboards and, more recently, with USB keyboards.

Hardware keyloggers have an advantage over software keyloggers as they begin logging from the moment a computer is turned on (and are therefore able to collect a BIOS password for instance), and do not require software installation (unlike software solutions).

But software keyloggers are much more powerful than hardware keyloggers, because they are now integrated with spyware as well. Also, we can find hardware keyloggers easily, but finding an installed software keylogger is a really hard job. It will entirely monitor what you have typed on your computer and the processes currently running on it, and it is able to send keystrokes, chats, websites, screenshots of your desktop and passwords periodically as an email attachment or by FTP to unknown parties. All of this runs as a hidden background process, and you can't view that process through the normal Task Manager.

Also, some keylogger software allows you to install it on a remote PC on your network or send it to someone as an email attachment.


Here are some keyloggers I found on rapidshare.com

I suggest you use them for testing and educational purposes only, but if you try to use them to hack or damage someone's PC, remember that there are ways to find out who exactly installed the keylogger and is currently monitoring.

Tuesday, June 5, 2007

Cross Site Scripting (XSS) Vulnerabilities..

Hi ppl.. I have been researching and working with some cross-site scripts (XSS) over the past few weeks. So I'm interested in giving a brief idea about XSS vulnerabilities of websites and mail accounts..

By the way, what is XSS??? What kind of things can XSS do???
XSS stands for cross-site scripting, and you can do many things once you get to know XSS. For example you can log in to someone's mail account, destroy a website or do whatever you want on a website.

Cross-site scripting is an attack that takes advantage of a website vulnerability in which the site displays content that includes unauthorized user-provided data. For example, an attacker might place a hyperlink with an embedded malicious script into an online discussion forum. The purpose of the malicious script is to attack other forum users who happen to select the hyperlink. For example, it could copy user cookies and then send those cookies to the attacker. Sometimes an attacker will send you a mail with a malicious script included. When you open it the script will execute and steal your cookie.

Different types of XSS attacks

1. DOM-based or local XSS
-Precondition: the vulnerable page uses data from the document.location, document.URL or document.referrer properties in an insecure manner.
-The payload is never located in the HTML but in the URL. Thus it also works with static pages.
-Only works with browsers which do not modify the URL characters (of course IE 6.0 does not...)
-Used with social engineering.

2. Non-persistent or reflected XSS
-Such holes show up when data provided by a web client is immediately used by the server to generate a page of results.
-Payload vector: mostly malicious URLs/links
-Used with social engineering.

3. Stored, persistent or second-order XSS
-The payload is stored on the server.
-Used with or without social engineering.
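The DOM-based case from item 1 above, as an added example that is not part of the original post: a page that builds markup straight from the URL fragment, beside the same renderer with the untrusted part encoded. It runs under Node without a browser; the element stand-in, the helper names and the sample fragments are constructed for the example.

```javascript
// Added example (not from the original post): DOM-based XSS pattern from
// item 1, vulnerable renderer next to a hardened one. A constructed
// stand-in object plays the DOM element that receives the markup.

// Pull the "name" parameter out of a URL fragment such as "#name=Bob".
// This is the untrusted input: the fragment never reaches the server,
// which is why a static page can still be vulnerable.
function nameFromHash(hash) {
  const params = new URLSearchParams(String(hash).replace(/^#/, ''));
  return params.get('name') || 'guest';
}

// Encode the characters that let text break out of an HTML text node
// or a double-quoted attribute value.
function escapeHtml(text) {
  const map = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };
  return String(text).replace(/[&<>"']/g, (ch) => map[ch]);
}

// Vulnerable: the fragment is concatenated straight into markup, the
// "uses document.location in an insecure manner" case from the post.
function renderGreetingUnsafe(el, hash) {
  el.innerHTML = '<p>Hello, ' + nameFromHash(hash) + '!</p>';
  return el.innerHTML;
}

// Hardened: identical output for benign input; markup characters in the
// untrusted part are encoded before they reach the innerHTML sink.
function renderGreetingSafe(el, hash) {
  el.innerHTML = '<p>Hello, ' + escapeHtml(nameFromHash(hash)) + '!</p>';
  return el.innerHTML;
}

// Detection aid: does the rendered markup contain any tag besides the
// template's own <p> wrapper? True means untrusted input became markup.
function injectedTag(html) {
  const inner = html.replace(/^<p>/, '').replace(/<\/p>$/, '');
  return /<\/?[a-z][^>]*>/i.test(inner);
}

// Constructed stand-in for a DOM element; a real browser would parse
// whatever is assigned to innerHTML and act on any script-bearing tag.
function fakeElement() {
  return { innerHTML: '' };
}

// Constructed sample fragments: a benign name and one carrying markup.
const BENIGN_HASH = '#name=Bob';
const HOSTILE_HASH = '#name=<script>evil()</script>';
```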