Archive for the ‘Security’ Category

Webarmy: Web Application Scanner

Saturday, February 20th, 2010

Last Friday was my last day with my ‘now’ ex-employer, and I have a 7-day break between my previous and new job. Apart from sport (dragon boating and swimming), I had some good spare time, so I used it to update my web application scanner, WebArmy.

I spent much of the time re-organizing the code to support more functionality.

Below is the list of the new functionalities:

- Thread support; by default it runs 5 threads, i.e. 5 connections at one time

- SSL Support

- Proxy Support

- Timeout

- Integrity Check

- Verbose

Webarmy can be downloaded from: https://sourceforge.net/projects/webarmy/

Attached is a screenshot of the ‘new’ Webarmy. As usual, any feedback or suggestions are welcome.

WebArmy

Webarmy Sample Report

Data Leak Prevention (DLP) agents

Saturday, January 30th, 2010

In the last few years, I have heard this buzzword more and more often. So what is DLP? DLP stands for Data Loss Prevention. Various vendors also refer to it as Information Leak Protection or a Content Monitoring and Filtering (CMF) agent.

Essentially, it is a product that can be deployed either on a host or in the network to prevent sensitive data from being sent outside the organisation.

When I was at school, I spent a year doing research in anomalous payload-based network intrusion detection, and the principle is the same as a data leakage prevention system. After all, a NIDS inspects traffic flowing into the organisation, whereas a DLP agent inspects traffic flowing out of the organisation. Both are quite similar.

Being anomaly-based (a ‘smart’ agent), it detects an intrusion when the traffic pattern deviates from normal behaviour. As a result, tuning the IDS to the right setting is still a challenge; after all, we don’t want to spend much time monitoring false alerts generated by the IDS. The same goes for DLP agents: you will find there are a lot of false alerts generated by the DLP.

Another issue with the anomalous payload-based NIDS is that it only works if the data is sent in clear text. If the data is encrypted, the agent is not able to inspect the traffic. Similarly with the DLP agent: for the DLP agent to work it assumes that the data sent is not encrypted, hence it is only effective against unintentional leakage. It wouldn’t work if someone ‘smart’ intentionally sends the data outside the organisation, because he/she would encrypt the data before sending it out by either email or USB.

I still believe that DLP products have a long way to go to mature, at least for now. I believe that an organisation should consider a broader strategy in its Data Leakage Programme; at a minimum the organisation should consider the following:

- Grant ‘outbound’ email access on a need-to-have basis. Yes, not all employees in your organisation should have access to send email outside.

- Disable USB ports.

- Deploy Hard Drive Encryption for mobile computing.

Cover Your Ass (CYA) Security/Risk/Compliance

Monday, January 4th, 2010

What exactly is CYA?
CYA stands for ‘Cover Your Ass’.

http://en.wikipedia.org/wiki/Cover_your_ass

According to the wiki:

CYA describes professional or organizational practices that serve to protect oneself from legal and administrative penalties, criticism, or other punitive measures. The polite explanation of the abbreviation is “consider yourself accountable”.

As a risk professional, I am seeing a lot of CYA in risk & compliance space.

So what is the motive behind CYA in Risk/Compliance space?

Simple: risk is very subjective and compliance is not an exact science; most guidelines are open to interpretation. Moreover, when an incident happens, all attention turns to the risk & compliance officers.

Impact to the organization?

A risk professional who excessively does CYA activities becomes risk averse and tends to introduce controls that are not effective, both in terms of cost and in mitigating the risk.

So how to improve the situation? (my personal recommendation)

- Be clear & transparent about what you are covering (obviously you are not covering all risks!) and, most importantly, what you are not going to cover as part of your risk assessment or duties. Risk, especially Operational Risk, is still a new subject not only to risk professionals but to other professionals working in the company.

- Formalize your own risk assessment (keep yourself out of trouble). Most people don’t realize that when they provide assurance, whether positive or negative assurance to the business units, they are putting themselves at risk. Remember that opinion = liability, and opinion is very expensive. If the engagement is an agreed-upon procedure or an issues & recommendations exercise, be clear to your stakeholders that you don’t provide any sort of assurance.

- Educate your stakeholders that there is no such thing as ‘absolute assurance’. Most risk/compliance professionals know this, but don’t assume that your stakeholders know it! Incidents do happen from time to time, but that doesn’t mean we need to add extra controls.

And most importantly, be practical with your recommendations! Completing a regulatory compliance checklist and identifying gaps is easy, but advising customers/clients with a solution that is practical while still addressing the risk is a challenge.

Let me know your thoughts!

Biggest security threat with IP Phone/VoIP

Thursday, July 23rd, 2009

Some say the biggest security threat of using IP Phone/VoIP is a Denial of Service attack. The fact that TCP/UDP traffic flooding could easily disrupt phone services is no doubt true and real, because VoIP reliability requirements are very demanding.

The second biggest threat with IP Phone/VoIP is eavesdropping. Not many organisations that use VoIP deploy Secure RTP; they leave their VoIP network unprotected. Segregating the VoIP network from the internal corporate network does not add real protection.

These technical threats are no doubt true and real. However, the weakest link in my opinion is that many people are still under the impression that unencrypted VoIP is more secure than unencrypted email. If you think your VoIP or IP Phone is secure, think again!

Part 1: Building your own Web Application Scanner

Thursday, April 23rd, 2009

I find it amusing when someone claims to be a penetration tester but can’t code or write a script and relies heavily on open source or commercial tools. Don’t get me wrong, it is fine to use freely available or commercial tools to perform what I would call ‘standard operating procedures’, but there are a lot of instances where you need to use your own creativity, and this is one example where your own tool will come in handy.

In this post, I will explain how to develop your own Web Application Scanner. I promise no more than 10 lines of code.

A typical web application scanner usually comes with three main parts:

1. Input: an input parser, e.g. for Burp proxy logs, or a web crawler that automatically crawls the web site.

2. Engine: this module fuzzes every input parameter of the site and detects any vulnerabilities.

3. Reporting: display all the vulnerabilities in a nice format.

Because this is Part 1, I will focus on module 2, the engine, and use the Python scripting language as an example. Why Python? Because it’s easy and I can code it in fewer than 10 lines.

Python

——————————————————————————–

import urllib.parse, http.client  # import the relevant libraries (Python 3 names for the old urllib/httplib)

# Store all the POST parameters in the qsParams variable
qsParams = urllib.parse.urlencode([('para', 'exmpl1'), ('para2', 'exmpl2')])

conn = http.client.HTTPConnection('www.test.com')

# Session cookie plus the Content-Type a form POST needs
headers = {"Cookie": "sessionID=123456", "Content-Type": "application/x-www-form-urlencoded"}

# Send the POST request
conn.request("POST", '/index.asp', qsParams, headers)

f = conn.getresponse()  # Get the HTTP response

—————————————————————————-

Once you get the HTTP response, you can use it to detect vulnerabilities. For example, if you are aiming to detect SQL injection vulnerabilities, you may run a regular expression over the HTTP response to match the word ‘SQL’.
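As an added example (not code from the original post), here is a minimal version of the engine described above: it appends a probe to each POST parameter in turn, sends every variant through a pluggable transport, and runs a regular expression for database error text over each response, which is the ‘SQL’ check the post suggests. The host, path, error signatures and the offline stand-in target are all constructed for illustration.

```python
import re
import http.client
import urllib.parse

# Error signatures looked for in a response body. Constructed list: the post's own
# check is just the word "SQL"; these are a few common database error texts.
SQL_ERROR_RE = re.compile(r"SQL syntax|SQL Server|ODBC|unclosed quotation mark", re.I)

# Probe values appended to each parameter value; a stray quote is the classic way
# to provoke a quoting error from a query that does not handle input properly.
PROBES = ["'", '"']

def fuzz_variants(params):
    """Yield (param_name, probe, mutated_params) for every parameter/probe pair."""
    for name, _ in params:
        for probe in PROBES:
            mutated = [(n, v + probe if n == name else v) for n, v in params]
            yield name, probe, mutated

def looks_like_sql_error(body):
    """Return the matched error signature, or None, for one response body."""
    m = SQL_ERROR_RE.search(body)
    return m.group(0) if m else None

def http_sender(host, path, headers):
    """Build the engine's real transport: POST the parameters to host/path.
    headers should carry the session cookie and a form Content-Type."""
    def send(params):
        conn = http.client.HTTPConnection(host, timeout=10)
        conn.request("POST", path, urllib.parse.urlencode(params), headers)
        body = conn.getresponse().read().decode("utf-8", "replace")
        conn.close()
        return body
    return send

def scan(params, send):
    """Send every fuzzed variant; return findings as (param, probe, signature)."""
    findings = []
    for name, probe, mutated in fuzz_variants(params):
        sig = looks_like_sql_error(send(mutated))
        if sig:
            findings.append((name, probe, sig))
    return findings

# Constructed stand-in for a target so the engine runs offline: only "para2"
# mishandles a single quote and echoes a database error back in the page.
def fake_send(params):
    if "'" in dict(params).get("para2", ""):
        return "<html>You have an error in your SQL syntax near ''</html>"
    return "<html>OK</html>"
```

To run it against a real host, replace fake_send with http_sender("www.test.com", "/index.asp", headers) using the same headers as the snippet above.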