I've created this post because I couldn't find detailed directions. Here's what took me down this path. Auditing Windows 7 machines is a laborious task; there is no easy way to do it without sitting down with the DISA checklist and going through each check one by one. As we move to SCAP-based tools, we should be able to automate this, either by using OVAL and an XCCDF file, or by using Retina and the XCCDF wizard. I've started playing around with both of those methods, and I'm not 100% there yet. I get them to run, but the results are not exactly what I expect.
One of my co-workers asked me about i2a, a utility put out by Tenable that converts .inf files to .audit files to use with Nessus. (By the way, as I understand it, i2a only works with the professional version. Audit files work with both the professional and free versions.) If you look in the Windows 7 STIG, the templates folder contains .inf files.
I copied the .inf file to the directory containing i2a. My command to create an .audit file was:
i2a-2.0.4 U_FSO_Win7_Analyze_only_V1R4.inf Win7.audit
This ran, and there were a few errors in the log file. I believe that Nessus cannot perform some of the checks in the .inf file, so they are flagged.
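To make the conversion step concrete, here is an added example (my own illustration, not Tenable's i2a and not code from the STIG) that reads the [Registry Values] section of a security template .inf and emits Nessus Windows-compliance custom_item blocks. It assumes the documented .audit keywords (check_type, group_policy, custom_item, REGISTRY_SETTING, reg_key, reg_item, value_type, value_data) and the security-template type codes 1 (REG_SZ), 2 (REG_EXPAND_SZ) and 4 (REG_DWORD); any other value type, and any non-registry section such as [System Access] or [Privilege Rights], is reported as needing manual review, which mirrors the "errors in the log file" you should expect from a real conversion. The sample .inf embedded below is constructed for the example.

```python
"""Convert a security template (.inf) [Registry Values] section into Nessus
.audit custom_item blocks, listing what could not be converted.

Added illustration only: this is NOT Tenable's i2a. The .audit keyword layout
and the hive/type mappings below are assumptions based on the documented
Nessus Windows compliance format, not output of the real tool.
"""

# Security template hive prefix -> Nessus registry root (assumed mapping).
HIVES = {"MACHINE": "HKLM", "USER": "HKU"}

# Security template type code -> Nessus value_type (assumed mapping).
# Other codes (3 = REG_BINARY, 7 = REG_MULTI_SZ) are left for manual review.
VALUE_TYPES = {"1": "POLICY_TEXT", "2": "POLICY_TEXT", "4": "POLICY_DWORD"}

# Sections that carry no checks and need no review.
HEADER_SECTIONS = ("Unicode", "Version")


def parse_inf(text):
    """Return {section: [(key, value), ...]} preserving section order."""
    sections = {}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue                      # blank line or comment
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            sections.setdefault(current, [])
            continue
        if current is not None:
            key, _, value = line.partition("=")
            sections[current].append((key.strip(), value.strip()))
    return sections


def registry_items(sections):
    """Map [Registry Values] lines to audit items; return (items, skipped)."""
    items, skipped = [], []
    for key, value in sections.get("Registry Values", []):
        hive, _, path = key.partition("\\")
        type_code, _, data = value.partition(",")
        root = HIVES.get(hive.upper())
        value_type = VALUE_TYPES.get(type_code.strip())
        if root is None or value_type is None or "\\" not in path:
            skipped.append(key)           # cannot express this as a check
            continue
        reg_key, reg_item = path.rsplit("\\", 1)
        data = data.strip()
        if value_type == "POLICY_TEXT":
            data = '"%s"' % data.strip('"')   # audit text values are quoted
        items.append({
            "description": reg_item,
            "value_type": value_type,
            "value_data": data,
            "reg_key": "%s\\%s" % (root, reg_key),
            "reg_item": reg_item,
        })
    return items, skipped


def render_audit(items):
    """Serialize items in the Nessus Windows .audit layout (assumed)."""
    lines = ['<check_type:"Windows" version:"2">',
             '<group_policy:"Converted from security template">']
    for it in items:
        lines += ["<custom_item>",
                  " type: REGISTRY_SETTING",
                  ' description: "%s"' % it["description"],
                  " value_type: %s" % it["value_type"],
                  " value_data: %s" % it["value_data"],
                  ' reg_key: "%s"' % it["reg_key"],
                  ' reg_item: "%s"' % it["reg_item"],
                  "</custom_item>"]
    lines += ["</group_policy>", "</check_type>"]
    return "\n".join(lines) + "\n"


def convert(inf_text):
    """Return (audit_text, skipped_registry_keys, sections_needing_manual_review)."""
    sections = parse_inf(inf_text)
    items, skipped = registry_items(sections)
    manual = [name for name, entries in sections.items()
              if name != "Registry Values" and name not in HEADER_SECTIONS and entries]
    return render_audit(items), skipped, manual


# Constructed sample template (not the STIG file); shape follows secedit .inf.
SAMPLE_INF = r"""
[Unicode]
Unicode=yes
[Version]
signature="$CHICAGO$"
Revision=1
[System Access]
MinimumPasswordLength = 14
LockoutBadCount = 3
[Registry Values]
MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA=4,1
MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System\LegalNoticeCaption=1,"Authorized use only"
MACHINE\System\CurrentControlSet\Control\Lsa\NoLMHash=4,1
MACHINE\Software\Policies\Microsoft\Windows\Installer\AlwaysInstallElevated=4,0
MACHINE\System\CurrentControlSet\Services\LanManServer\Parameters\NullSessionPipes=7,
[Privilege Rights]
SeTcbPrivilege =
"""

if __name__ == "__main__":
    audit, skipped, manual = convert(SAMPLE_INF)
    print(audit)
    print("; not converted, review manually:", skipped)
    print("; sections outside Registry Values:", manual)
```

Run it as a script to see the generated .audit text followed by the two review lists; in practice you would feed the real template in and compare the skipped list against the i2a log to see which STIG checks still have to be verified by hand.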
Next, I opened up Nessus. Then, I created a new Policy: Click on Policy, Add.
I gave my scan a name, Win7, checked my options, added my credentials, checked my plugins, then clicked on preferences. Under preferences, I picked the Windows Compliance checks. Then, I browsed for my Win7.audit file and added it as Policy File #1.
After this, it was as simple as setting up a new scan and using the policy I just created. I'm going to start looking at the results to see how good a job Nessus does, and what still needs to be looked at manually.