GeoIPgen – Country-to-IPs generator. Geographic IP generator for IPv4 networks.

Download http://geoipgen.googlecode.com/files/geoipgen-0.4.tar.gz
Latest Version 0.4, 7th March 2009
License BSD
Author Andrew Horton aka urbanadventurer, MorningStar Security

Introduction

GeoIPgen is a country-to-IPs generator. It’s a geographic IP generator for IPv4 networks that uses the MaxMind GeoLite Country database.

Geoipgen is the first published software that uses a geographic ip database in reverse to translate from country-to-IPs instead of the usual use of IP-to-country to produce the complete set of IP addresses for a country. Previously software has generated IP address ranges so that entire countries can be blocked by a firewall and the technique used by geoipgen has been discussed before by the GNUcitizen researchers.

I love any tool that makes use of MaxMind’s geolocation database. This one is no exception.

A couple weeks ago, Biz explained how Twitter users were being victimized by phishing scams spread primarily through links in Direct Messages. Basically, people click the link and bad things happen. My team can only detect these scams after malicious links have already been sent out.

Today, we’re launching a new service to protect users that strikes a major blow against phishing and other deceitful attacks. By routing all links submitted to Twitter through this new service, we can detect, intercept, and prevent the spread of bad links across all of Twitter. Even if a bad link is already sent out in an email notification and somebody clicks on it, we’ll be able keep that user safe.

A much needed step.

The Department of Homeland Security’s top cybersecurity official told CNET on Wednesday that the department may eventually extend its Einstein technology, which is designed to detect and prevent electronic attacks, to networks operated by the private sector. The technology was created for federal networks.

Scary times.

Web authentication and security firm VeriSign has expanded its mobile, cloud based authentication service to the Android platform.

The VeriSign Identity Protection (VIP) Access for Mobile application is a free tool which turns a into user’s mobile device into VIP credentials for strong authentication, requiring a username, password and a unique one-time six-digit security code, the firm said.

Excellent news for Android users out there.

When creating a web application that accepts input from users one important step to ensure that you application is secure, is assigning a maximum length to user input.  Keep in mind that input length validation is just the tip of a very large iceberg when it comes to web application security, but it is a good first step.  It’s safe to say that if someone is trying to put in 1200 characters for their first name that something fishy is going on.

As much as I love ASP.NET I’ve found that it can easily lull some programmers into a false sense of security when it comes to input length validation.  To demonstrate what I am talking about I have put together a small application that will show how simple it is to pass longer than expected input to an application that would appear (to the uninformed programmer at least) to limit input length.

To begin I have created the basic aspx page below.  Notice the MaxLength attribute that is highlighted in red:

It’s funny how people think they’re so unique. I just found out my cousin Abe (say hello to him at abemiester.com)–who I’ve spoken to all of about 3 times for a grand total of less than 10 minutes since we were children–is not only in IT, but is heavily interested in Application Security. This happens to be what I do for a living as well.

Check out this post of his on how .NET tries to pass off client-side testing as “validation”. Indeed, Abe. If you didn’t check on the server side, you didn’t check.

So… in 45 minutes the room had gone from non-believers to realizing they not only had a massive SQL Injection problem – but had also been rooted and were now distributing the Zeus bot from one of their main websites.

I’m guessing he got in the door with this… :)

Penetration testing is all about achieving goals and not about finding vulnerabilities.

Another one who gets it. I wrote about this a while back in my post, Vulnerability Assessments vs. Penetration Tests.

Many very smart people in infosec completely miss (my opinion) the point on this–including Johannes Ulrich, CTO of SANS. He thinks that the definition of a *poor* pentest is going after a single goal and not finding *ALL* the vulnerabilities.

My point, and presumably Joshua Abraham would agree, is that there is already a name for a test where you enumerate vulnerabilities. It’s called a vulnerability assessment.

Very simple: If you’re making a list of problems, it’s a vulnerability assessment; if you’re trying to exploit whatever you find in order to accomplish a specific goal, it’s a pentest.

Salt or no, if you’re using a general-purpose hash function designed for speed you’re well and truly effed.

bcrypt Solves These Problems

How? Basically, it’s slow as hell.

An interesting topic I’ve been studying recently: how to build a secure password storage system. This is an important component of that, i.e. use slow algorithms.