Leonard Nelson, http://www.leonelson.com: Personal blog of Leonard Nelson talking about technology, education, customer relationship management, customer service and Africa. (Thu, 20 Oct 2016 12:58:50 +0000)

SSH Server Auditing (Sun, 16 Oct 2016 23:30:51 +0000) http://www.leonelson.com/2016/10/16/ssh-server-auditing/

SSH-Audit is a tool for SSH server auditing.


  • SSH1 and SSH2 protocol server support;
  • Grab banner, recognize device or software and operating system, detect compression;
  • Gather key-exchange, host-key, encryption and message authentication code algorithms;
  • Output algorithm information (available since, removed/disabled, unsafe/weak/legacy, etc.);
  • Output algorithm recommendations (append or remove based on recognized software version);
  • Output security information (related issues, assigned CVE list, etc.);
  • Analyze SSH version compatibility based on algorithm information;
  • Historical information from OpenSSH, Dropbear SSH and libssh;
  • No dependencies, compatible with Python 2.6+, Python 3.x and PyPy.

Source: SSH Server Auditing

Mindset (Fri, 05 Aug 2016 00:30:54 +0000) http://www.leonelson.com/2016/08/04/mindset/

If you take two people, one of them is a learn-it-all and the other one is a know-it-all, the learn-it-all will always trump the know-it-all in the long run

– Satya Nadella on culture at Microsoft, inspired by Carol Dweck’s book, Mindset.

Inspecting a PDF File (Fri, 15 Apr 2016 11:02:00 +0000) http://www.leonelson.com/2016/04/15/inspecting-pdf-file/

I recently had to complete some work inspecting a PDF file for malicious content. This was an interesting experience, so I thought I'd share the approach I took to review the file from a sandboxed environment:

1. Start by scanning the file with a service such as virustotal.com, scanii.com or metadefender.com.

2. Use Adobe Acrobat to browse the internal PDF structure. Launch the Preflight tool (Print Production > Preflight) and then, under Options, select Browse Internal PDF Structure.

3. Use an Adobe PDF metadata application to inspect the file. Here are some I used that were quite helpful:

  • peepdf.py – PeePDF is a Python-based tool to explore PDF files.
  • pdfid.py – PDFID is a Python-based tool that scans the file for certain PDF keywords, e.g. to tell whether the file contains JavaScript or executes an action when opened.
  • pdf-parser.py – PDF-Parser is a Python-based tool to parse a PDF document and identify the fundamental elements used in the file.

Additional Reading:

  1. Checking a PDF for exploits
  2. Viewing PDF objects
  3. PDF Tools from Didier Stevens
  4. Best tool for inspecting PDF files?
  5. PDF malware analysis

Additional Tools:

  1. GhostScript
  2. GSView
  3. PDF Validator Online Tool
  4. PDFMiner
Care (Sat, 09 Apr 2016 01:52:02 +0000) http://www.leonelson.com/2016/04/08/care/

Your circumstances can lead you to believe God doesn’t care but your history will prove that he does

– Pete Wilson

Information Security Primer for Evaluating Software (Fri, 08 Apr 2016 11:07:49 +0000) http://www.leonelson.com/2016/04/08/information-security-primer-for-evaluating-software/

Common Sense Graphite is a site by teachers, for teachers that helps you find the best educational technology resources and learn the best practices for implementing them in your classroom. Brought to you by Common Sense Media: Empowering kids to thrive in a world of media and technology.

Source: Information Security Primer for Evaluating Educational Software

Vendor Security Assessment Questionnaires (Fri, 18 Mar 2016 13:19:52 +0000) http://www.leonelson.com/2016/03/18/vendor-security-assessment-questionnaires/

When sharing data with a vendor, it is important to ensure that the vendor will handle your data with the same level of care and protection that your organization expects or requires.

Google has just released an interactive questionnaire application to help support these security reviews by facilitating not only the collection of information, but also the redisplay of collected data in templated form.

You can test the Google Vendor Security Assessment Questionnaire, or contribute and set up your own questionnaire using the source. Specific questionnaires are available below:

Censys Search Shortcuts (Thu, 17 Mar 2016 03:13:52 +0000) http://www.leonelson.com/2016/03/16/censys-search-shortcuts/

Use Censys to discover which of your devices are connected to the Internet, where they are located and who is using them.

Censys supports both full-text searches and structured queries. The search Dell will find any hosts where the word Dell appears. However, you can also compose more complex queries. For example, the query ip: AND metadata.manufacturer:"Dell" will find any Dell devices in the specified network.

Boolean Logic
You can compose multiple statements using AND, OR, NOT, and parentheses. For example, ("Schneider Electric" OR Dell) AND ip: By default, all terms are optional (i.e., executed as an OR statement) unless specified otherwise.

You can search for ranges of numbers using [ and ] for inclusive ranges and { and } for exclusive ranges. For example, 80.http.get.status_code:[200 TO 300]. You can search for IP addresses using CIDR notation, e.g., ip: Timestamps should be queried using the following syntax: [2012-01-01 TO 2012-12-31].

By default, Censys will search for complete words. In other words, the search Del will not return results with the word Dell. If you want to search for words that start with Del, you would search for Del*. You can also search for D?ll.

DNS Queries
You can perform inline DNS A and MX queries using the following syntax: a:facebook.com and mx:gmail.com.
Regular Expressions
You can also search using regular expressions, e.g., metadata.manufacturer:/De[ll]/. Full syntax is available here.

The boost operator (^) can be used to make one term more relevant than another. For example, metadata.manufacturer: Dell^2 OR Schneider Electric puts more preference on the Dell keyword.

Reserved Characters
The following characters must be escaped with a backslash: + - = && || > < ! ( ) { } [ ] ^ " ~ * ? : \ /

Symantec Endpoint Protection Versions (Sat, 05 Mar 2016 14:32:34 +0000) http://www.leonelson.com/2016/03/05/symantec-endpoint-protection-versions/

Symantec has a full list of Symantec product versions and release dates at Symantec Endpoint Protection; however, the Symantec Endpoint Protection Wikipedia page appears to be maintained more frequently.

RTM – Release To Manufacturing

MR – Maintenance Release (replaced by RU)

RU – Release Update

MP – Maintenance Patch

PP – Point Patch

Source: Symantec Endpoint Protection

Malware detection and tracking of new autoruns using PowerShell (Wed, 24 Feb 2016 14:41:30 +0000) http://www.leonelson.com/2016/02/24/malware-detection-and-tracking-of-new-autoruns-using-powershell/

A PowerShell script to scan autoruns and validate whether or not the executables are signed.

Source: PowerShell: Malware detection and tracking of new autoruns

Business Email Compromise (Tue, 16 Feb 2016 14:59:24 +0000) http://www.leonelson.com/2016/02/16/business-email-compromise/

Add one more email scam reference to your lexicon. Business E-mail Compromise (BEC) scams, also known as CEO fraud, usually involve spoofing an executive's email address and/or gaining access to that executive's inbox through a phishing scam. Once access is obtained or the executive's email address is spoofed, specific individuals in the organization are targeted for fraudulent wire transfers.

The Business E-mail Compromise (BEC) is a sophisticated scam targeting businesses working with foreign suppliers and/or businesses that regularly perform wire transfer payments. Formerly known as the Man-in-the-E-mail Scam, the BEC was renamed to focus on the “business angle” of this scam and to avoid confusion with another unrelated scam. The fraudulent wire transfer payments sent to foreign banks may be transferred several times but are quickly dispersed. Asian banks, located in China and Hong Kong, are the most commonly reported ending destination for these fraudulent transfers.

Source: Business Email Compromise
