Wednesday, March 24, 2010

Weakspot in the Company Servers


Before we get started, let me set out the following:
There are always two distinct types of people in your company: Management or Technical.

Ok, now let us proceed to the next thing, the network architecture.



For example, this is the network architecture for a company:

[Diagram: the company's network architecture, showing the internal network, the DMZ and the external network; the image itself is not included here.]
As you can see, the network environment is divided into the internal network for the company, the external network for their clients and the De-Militarized Zone (DMZ). The DMZ is usually protected by a lot of firewalls and Intrusion Detection Systems (IDS). Let's say the interactions from the clients to the proxy server and on to the application server use SSL 2 and TTLS (oh yeah, it's a standard secured and properly tunneled system), and everything seems so secure, as the Technical side tells the Management :) Management would definitely be satisfied, as it's all covered by the expected budget.



Now here's the thing: most companies do NOT have a secured internal network. In particular, when the application servers interact with other servers, that traffic is not encrypted. The data (e.g. usernames and passwords) are transmitted in clear plain text. This is because server-to-server encryption and secured communications require additional financial and human resources, which increases the project budget and eventually leads to a bad project.



From the management P.O.V., it's unnecessary and can be labelled as a managed risk. Yes, they don't believe in James Bond :-) Now, if you refer back to the network architecture, you'll notice that there's a Lightweight Directory Access Protocol (LDAP) server. Now you might think that all the usernames and passwords are nicely encrypted, and you're right~!!! It's ONLY nicely encrypted when the LDAP server responds to the Application server, but when the Application server talks to the LDAP server, usually and mostly it's NOT even encrypted. In fact, a poorly configured Web Application server will also trigger the LDAP server to dump a lot of sensitive data back to the Web App server in plain text. With a simple sniffer, and provided you're tapping the selected web app server, your job can be done easily :-) (You're Michael Westen ^^)
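
As an added example (not part of the original post), the following Python decodes an LDAP BindRequest exactly as it is encoded on the wire (BER, per RFC 4511) and reports whether it is a simple bind whose password is not protected by TLS; this is the check a network monitor between the application server and the LDAP server would apply to catch the weak spot described above. The bind DN and password are constructed sample values, and the `tls` flag stands for whether the captured TCP stream was TLS-wrapped.

```python
"""Audit an LDAP message for a cleartext simple bind (RFC 4511 BER encoding)."""


def ber(tag: int, payload: bytes) -> bytes:
    """Encode one BER TLV with a short-form length (payload < 128 bytes)."""
    assert len(payload) < 128
    return bytes([tag, len(payload)]) + payload


def read_tlv(buf: bytes, pos: int):
    """Return (tag, value, next_pos) for the TLV starting at pos; handles short and long lengths."""
    tag = buf[pos]
    length = buf[pos + 1]
    pos += 2
    if length & 0x80:                        # long form: low 7 bits = number of length bytes
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    return tag, buf[pos:pos + length], pos + length


def audit_ldap_message(msg: bytes, tls: bool) -> dict:
    """Describe the bind request in msg; tls says whether the TCP stream was TLS-wrapped."""
    tag, body, _ = read_tlv(msg, 0)
    if tag != 0x30:                          # LDAPMessage is a SEQUENCE
        raise ValueError("not an LDAPMessage SEQUENCE")
    _, msg_id, pos = read_tlv(body, 0)       # messageID INTEGER
    op_tag, op, _ = read_tlv(body, pos)      # protocolOp
    if op_tag != 0x60:                       # [APPLICATION 0] = BindRequest
        return {"message_id": int.from_bytes(msg_id, "big"), "bind_request": False}
    _, version, pos = read_tlv(op, 0)        # version INTEGER
    _, name, pos = read_tlv(op, pos)         # name LDAPDN (OCTET STRING)
    auth_tag, cred, _ = read_tlv(op, pos)    # authentication CHOICE: [0] simple, [3] sasl
    simple = auth_tag == 0x80
    return {
        "message_id": int.from_bytes(msg_id, "big"),
        "bind_request": True,
        "version": int.from_bytes(version, "big"),
        "bind_dn": name.decode(),
        "mechanism": "simple" if simple else "sasl",
        # The finding the post describes: a password readable by anyone on the path.
        # The password itself is deliberately not echoed back.
        "cleartext_password_on_wire": simple and len(cred) > 0 and not tls,
    }


# Constructed sample: an app server binding to LDAP with a service account (hypothetical DN/password).
SAMPLE_BIND = ber(0x30, ber(0x02, b"\x01") + ber(0x60,
                ber(0x02, b"\x03") + ber(0x04, b"cn=app,dc=example,dc=com") + ber(0x80, b"s3cret")))

if __name__ == "__main__":
    print(audit_ldap_message(SAMPLE_BIND, tls=False))   # flags the cleartext bind
    print(audit_ldap_message(SAMPLE_BIND, tls=True))    # same bind inside TLS: not flagged
```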

Therefore, next time you're looking for a leak, this might be one of the possible weak spots.

Monday, March 15, 2010

Is Your Email being Watched?


Most of the time, we as email service users worry whether our emails are being read by someone else. When the email itself contains confidential data or attached documents, we might start wondering whether there's another, more secure email service provider available.


General facts:
Yes, it's possible that your emails can be read by a system administrator at the company that is hosting your email.

Odds of occurrence:
Nearly impossible. The emails are routed through servers owned by many government and private sector organizations; the number can be in the thousands or more. Let's say a system administrator would like to capture a particular email and read it. Considering that more than 2 million emails are sent every second, and that thousands of paths are available for an email to move through randomly, it would be difficult and unpredictable.

What if someone hits the jackpot:
Yes, no matter how low the chances, there's always a 0.000000001% (amazing or wonderful occurrence), a.k.a. a miracle.


Here are the good practices:
If you're sending highly confidential data via email, make sure your attachments are encrypted, and so are your message bodies. And try not to be explicit in your email subject, as long as the sender and the receiver understand each other.
If it's for a company, bank or government, the best practice is to use the online email or forms they provide, because the message is encrypted between your machine and their server across the internet (make sure it's https://).

Everyone keeps saying encryption; how do you do that:
Please visit the following link: http://www.truecrypt.org/

It is free encryption software and certainly reliable (so far). You can encrypt the documents yourself, and only a receiver who has your password is able to decrypt the encrypted documents.

Last Word

Be extremely cautious in the cyber world; things might get really HOT if you lose your focus.

Tokei
