It is very important to see how many users your Websense proxy counted today, because if you exceed your licensed number of users, your clients will no longer be blocked on that day. To see the count, log in to SQL Server Management Studio on the Triton Manager server, open a "New Query" window for the catalog database, and run the query below. It will show you the number of clients that Websense counted in the last 100 days.
-- Distinct client IP addresses counted per calendar day, newest day first
SELECT TOP (100) PERCENT DAY(date_time) AS day, MONTH(date_time) AS month, YEAR(date_time) AS year, COUNT(DISTINCT source_ip_int) AS ip_count
FROM dbo.incoming WITH (NOLOCK)
GROUP BY DAY(date_time), MONTH(date_time), YEAR(date_time)
ORDER BY year DESC, month DESC, day DESC
10/5/16
9/29/16
"Additional forensics data is not available" error in Websense (Forcepoint) DLP
Sometimes, while DLP is working fine, you can encounter the "Additional forensics data is not available" error in the "Forensics" tab of an incident. This means you cannot see the details of the incident.
It has a very simple solution;
1- Stop the DSSManager service and rename the following folders:
- %DSS_HOME%\tomcat\work > work.old
- %DSS_HOME%\tomcat\logs > logs.old
- %DSS_HOME%\tomcat\temp > temp.old
Websense says that you should not lose any incidents in this scenario, and I have tried it a few times; I really did not lose any incidents.
9/26/16
What Happened to Yahoo!?
Yahoo has confirmed that a copy of certain user account information was stolen from Yahoo systems in 2014. Although Yahoo has acknowledged the data leak, it is not certain what type of data was stolen. According to Yahoo, the data may include names, e-mail addresses, phone numbers, dates of birth, hashed passwords, and security questions and answers. If you are lucky, just one or two of them may have been stolen for your account.
Yahoo no longer allows people to access accounts with unencrypted security questions, and meanwhile it continues to detect unauthorized access to user accounts.
If you have a Yahoo account, change your password and security questions for any other accounts on which you used the same or similar information as for your Yahoo account as soon as possible, and review your accounts for suspicious activity.
Phishing Technique and Its Success
Phishing is a social engineering technique that manipulates people into performing actions the attacker wants. The attacker prepares an e-mail as if it was sent from a known individual or organization, and leads the victim to click on a link that takes the user to a malicious website or downloads a malicious file, or to a fraudulent website that appears legitimate, so that the victim enters his username and password or other personal information.
Phishing is a very successful technique because people do not look at websites carefully, or do not have the time to be more careful and investigate the website or e-mail. One of the reasons may be that they have not been a victim before, or maybe they do not even know that they were. People easily trust brands and/or logos and persuasive texts. There is a lack of information assurance knowledge.
How Does Phishing Work?
Countermeasures
The most effective defense against phishing is creating user awareness. A single employee whose awareness you have not improved can cause the company to be hacked.
“You are as strong as the weakest link in your defense system” Sun Tzu
- Do not let your clients use company e-mail addresses on the Internet for personal use. Spammers search the Internet for e-mail addresses used by the company in order to send spam to more users.
- Never respond to spam, or click on “unsubscribe” links from questionable sources.
- Make sure your antispam solution works :)
- Use proxy servers in the company for clients’ Internet usage. A proxy server that has a dynamic scanning feature can decrease the possibility of being hacked through phishing. Even if the user opens the link in the e-mail, the proxy would not let him enter the website.
- Even if it is not enough for your security, ensure that all employees’ PCs and antivirus agents are up to date.
Getting hostname from an IP address list with PowerShell
To get the list of hostnames in a network, first create a text file that contains one IP address per line (ip_list.txt). You can then get the hostname list (hostname_list.txt) for the IP addresses in ip_list.txt by using the script below:
get-content C:\ip_list.txt | foreach-object{([system.net.Dns]::GetHostByAddress($_)).hostname >> "C:\hostname_list.txt"
}
If you also want to see the IP addresses that cannot be resolved, you can use the script below;
get-content C:\ip_list.txt | foreach-object{
$ip = $_   # keep the address; inside catch, $_ is the error record
try {
# GetHostByAddress throws when the address cannot be resolved
$a = ([system.net.Dns]::GetHostByAddress($ip)).hostname
add-content C:\hostname_list.txt $ip,$a," "
}
catch {
add-content C:\hostname_list.txt $ip, "Cannot resolve hostname"," "
}}
We made a tiny application and published it on SourceForge for resolving hostnames from an IP address list, and for the opposite. Hope you like it.
http://secureeo.blogspot.com.tr/p/ip-hostname-converter.html
9/23/16
Internet of Things and DDoS
IoT (Internet of Things) is transforming industries with the ability to connect to, communicate with, and remotely manage automated devices via the Internet. This is the future, today, but the main problem is that it is relatively new to these industries. Because the concept is new and the competition between manufacturers is intense and fast, security has not always been considered in product design. In this competition, putting the product on the market faster is more important. Furthermore, manufacturers cannot keep pace with rapidly changing hacking techniques. Many IoT products are sold with old and unpatched embedded operating systems and software.
We have already heard that IoT devices have been targeted by malware. However, the nature of the attacks on IoT devices is changing day by day. Attackers are now more interested in using these devices to perform DDoS attacks.
You can find a detailed investigation of the DDoS attacks made by IoT devices in Symantec's new blog.
It seems that these types of attacks will increase day by day, with the increasing diversity of IoT devices.
9/22/16
Import and Export Data (ldif file) to IBM Tivoli Directory Server
On Source:
A: Exporting groups
idsdb2ldif -o groups.ldif -k CryptoSeed -t CryptoSalt -s cn=groups,dc=...,dc=com
This process must finish with something like "62 entries have been successfully exported from the directory."
B: Exporting users
idsdb2ldif -o users.ldif -k CryptoSeed -t CryptoSalt -s cn=users,dc=...,dc=com
This process must finish with something like "35304 entries have been successfully exported from the directory." *number of entries can vary.
After creating them, transfer the groups.ldif and users.ldif files to the target directory server.
On Target:
1- Stop ldap server:
idsslapd -k
2- Import groups:
idsldif2db -i groups.ldif
3- Import users:
idsldif2db -i users.ldif
This process must finish with something like "35304 entries have been successfully added out of 35304 attempted."
4- Start the ldap server again:
idsslapd
* It would be nice to check the ibmslapd.log file at this point to see whether there is an error on the ldap server, and to check the replication status.
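A check for the counts mentioned above, as an added example that is not part of the original post: it counts the entries in an LDIF file and compares them with the summary lines printed at export and import. The function names, the sample LDIF and its dc=example DNs are constructed for illustration; the summary wording follows the messages quoted in the post.

```python
import base64
import re

# Added example; names are hypothetical. Summary wording as quoted in the post.
EXPORTED = re.compile(r"(\d+) entries have been successfully exported")
ADDED = re.compile(r"(\d+) entries have been successfully added out of (\d+) attempted")

def ldif_dns(text):
    """Return the DN of every entry in an LDIF file (RFC 2849)."""
    # A line that starts with a single space continues the previous line.
    unfolded = re.sub(r"\r?\n ", "", text)
    dns = []
    for line in unfolded.splitlines():
        m = re.match(r"dn(::?) *(.*)", line)
        if m:
            value = m.group(2)
            if m.group(1) == "::":  # "dn::" marks a base64-encoded DN
                value = base64.b64decode(value).decode("utf-8")
            dns.append(value)
    return dns

def check_migration(ldif_text, export_output, import_output):
    """Compare the file with both tool summaries; return a list of problems."""
    problems = []
    in_file = len(ldif_dns(ldif_text))
    exp = EXPORTED.search(export_output)
    imp = ADDED.search(import_output)
    if not exp:
        problems.append("no export summary line found")
    elif int(exp.group(1)) != in_file:
        problems.append(f"exported {exp.group(1)} but file holds {in_file}")
    if not imp:
        problems.append("no import summary line found")
    else:
        added, attempted = int(imp.group(1)), int(imp.group(2))
        if attempted != in_file:
            problems.append(f"attempted {attempted} but file holds {in_file}")
        if added != attempted:
            problems.append(f"{attempted - added} entries were not added")
    return problems

# Constructed sample: two entries, one with a folded DN, one with a base64 DN.
B64_DN = base64.b64encode("cn=\u00f6mer,cn=users,dc=example,dc=com".encode()).decode()
SAMPLE_LDIF = (
    "dn: cn=admins,cn=groups,\n dc=example,dc=com\n"
    "objectclass: groupOfNames\n"
    "\n"
    f"dn:: {B64_DN}\n"
    "objectclass: person\n"
)
```

An empty list from check_migration means the file, the export summary and the import summary all agree.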
Who wants to use Google Allo?
Google Allo is a newly announced chat app, and it really has a new perspective, as it does not use end-to-end encryption, unlike its competitors :S
But what does end-to-end encryption mean for messaging? Encrypted messages cannot be read by anyone other than the recipient, even if they are intercepted during the exchange. If the messages or the line are not encrypted, the messages can be read in such a case.
Google does not enable end-to-end encryption because the messages will be used for its business objectives.
This is not the only bad news about Allo. Google declared that in the new versions, Allo will keep the messages persistently, until the user deletes them.
"The version of Allo rolling out today will store all non-incognito messages by default — a clear change from Google’s earlier statements that the app would only store messages transiently and in non-identifiable form. The records will now persist until the user actively deletes them, giving Google default access to a full history of conversations in the app. Users can also avoid the logging by using Allo’s Incognito Mode, which is still fully end-to-end encrypted and unchanged from the initial announcement."
At least, Google says that the messages will be stored as encrypted on their servers.
"Like Hangouts and Gmail, Allo messages will still be encrypted between the device and Google servers, and stored on servers using encryption that leaves the messages accessible to Google’s algorithms."
Finally, we just wonder who really wants to use Google Allo for secure messaging?
9/21/16
How To Send E-mail Using Telnet
To send an e-mail, your computer basically connects to the remote mail server and talks to it using SMTP (Simple Mail Transfer Protocol).
The previous post was about sending e-mail with PowerShell. If you do not like PowerShell :S and want to use cmd, this can work for you.
You can use Telnet. To send an e-mail using Telnet:
Telnet <smtp_server_ip> 25
HELO
501 Syntax: HELO hostname
MAIL FROM: test@test.com
250 2.1.0 Ok
RCPT TO: reccipient@test.com
250 2.1.5 Ok
DATA
354 End data with <CR><LF>.<CR><LF>
SUBJECT: <Subject>
<body>
.
(You must finish your e-mail with a dot (.) on a line by itself)
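The client's side of the session above, as an added example that is not part of the original post: it builds the lines with the hostname that HELO expects, an empty line between the headers and the body, and the closing dot, and it reads reply codes such as the 501 shown above. The function names are hypothetical; the addresses and replies in the test data come from the session in the post.

```python
import re

# Added example; function names are hypothetical, not from the post.
REPLY = re.compile(r"(\d{3})([ -])(.*)")

def parse_reply(line):
    """Split one SMTP reply line into (code, is_final_line, text)."""
    m = REPLY.fullmatch(line.rstrip("\r\n"))
    if m is None:
        raise ValueError(f"not an SMTP reply: {line!r}")
    return int(m.group(1)), m.group(2) == " ", m.group(3)

def accepted(line):
    """2xx: command accepted. 3xx: server waits for more input (after DATA).
    4xx and 5xx: the command failed, e.g. 501 for HELO without a hostname."""
    return 200 <= parse_reply(line)[0] < 400

def data_payload(subject, body):
    """Everything sent after DATA: headers, an empty line, the body, a lone dot."""
    lines = [f"Subject: {subject}", ""]
    for text in body.splitlines():
        # Dot-stuffing: a body line that starts with "." gets a second "."
        # so the server does not take it for the end-of-data marker.
        lines.append("." + text if text.startswith(".") else text)
    lines.append(".")
    return "\r\n".join(lines) + "\r\n"

def client_lines(helo_name, sender, recipient, subject, body):
    """The client's side of the session, in the order it is sent."""
    for value in (helo_name, sender, recipient, subject):
        # A CR or LF here would let a value smuggle in extra commands or headers.
        if "\r" in value or "\n" in value:
            raise ValueError("CR/LF not allowed in envelope or header values")
    return [
        f"HELO {helo_name}\r\n",
        f"MAIL FROM:<{sender}>\r\n",
        f"RCPT TO:<{recipient}>\r\n",
        "DATA\r\n",
        data_payload(subject, body),
        "QUIT\r\n",
    ]

def first_failure(commands, replies):
    """Pair each command with the server's reply; return the first rejected pair."""
    for command, reply in zip(commands, replies):
        if not accepted(reply):
            return command.strip(), parse_reply(reply)[0]
    return None
```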
9/20/16
Sending e-mail with Powershell
To send an e-mail, your computer basically connects to the remote mail server and talks to it using SMTP (Simple Mail Transfer Protocol).
When you use an e-mail client like MS Outlook, the mail client does all of this for you. However, when you write a script and want it to send e-mail for alerting, you cannot do that with an e-mail client. A script like the one below will solve the issue. I have not written an explanation for some of the lines, since most of the variable names explain what they are used for.
########### SMTP SERVER AND MAIL SETTINGS #############
$smtpServer = "smtp.secureeoposts.blogspot.com"
$smtpPort = 587 #It depends on your smtp server
$sslEnabled = $true #If your smtp server does not support secure connections,
#you have to delete this line
$username = "sender@secureeo.blogspot.com"
$password = "************" #Type your password here (avoid keeping a real password in plain text in the script)
$from = "sender@secureeo.blogspot.com"
$to = "receipent@secureeo.blogspot.com"
$subject = "Test e-mail with Powershell"
$body = "This is a test e-mail sent using Powershell"
############### E-MAIL SETTINGS ###############
$smtp = new-object Net.Mail.SmtpClient($smtpServer, $smtpPort)
$smtp.EnableSsl = $sslEnabled #The SmtpClient property is named EnableSsl. If your smtp server
#does not support secure connections, you have to delete this line
$smtp.Credentials = new-object Net.NetworkCredential($username, $password)
$msg = new-object Net.Mail.MailMessage
$msg.From = $from
$msg.To.Add($to)
$msg.Subject = $subject
$msg.Body = $body
#Optional attachment
$attachFile = "C:\Users\securityposts_PC\Desktop\email_test\email_test.PNG"
$att = new-object Net.Mail.Attachment($attachFile)
$msg.Attachments.Add($att)
$smtp.Send($msg)