My thought (Wilmar 2.0), http://www.wilmarlay.com, feed built Sat, 20 Feb 2010 03:41:43 +0000

Webarmy: Web Application Scanner
http://www.wilmarlay.com/?p=62 | Sat, 20 Feb 2010 03:37:03 +0000 | by k-lines

Last Friday was my last day with my 'now' ex-employer, and I've got a 7-day break between my previous and new job. Apart from sport (dragon boating and swimming), I did have some good spare time. I thought I'd use this spare time to update my web application scanner, WebArmy.

I spent much of the time re-organizing the code to support more functionality.

Below is the list of the new functionalities:

- Thread support; by default it runs 5 threads, i.e. 5 connections at a time

- SSL Support

- Proxy Support

- Timeout

- Integrity Check

- Verbose

Webarmy can be downloaded from: https://sourceforge.net/projects/webarmy/

Attached is a screenshot of the 'new' Webarmy. As usual, any feedback or suggestions are welcome.

[Screenshot: WebArmy]

[Screenshot: Webarmy sample report]

Data Leak Prevention (DLP) agents
http://www.wilmarlay.com/?p=55 | Sat, 30 Jan 2010 06:43:13 +0000 | by k-lines

In the last few years, more and more often I hear this buzzword. So what is DLP? DLP stands for Data Loss Prevention. Various vendors also refer to it as Information Leak Protection or a Content Monitoring and Filtering (CMF) agent.

Essentially, it is a product that can be deployed either on a host or in the network to prevent sensitive data from being sent outside the organisation.

When I was at school, I spent a year doing research in anomalous-payload-based network intrusion detection, and the principle is the same as a data leakage prevention system. After all, a NIDS inspects traffic flowing into the organisation, whereas DLP agents inspect traffic flowing out of it; the two are quite similar.

Being anomaly-based (a 'smart' agent), it flags an intrusion when traffic deviates from normal behaviour. As a result, tuning the IDS to the right sensitivity is still a challenge; after all, we don't want to spend much time chasing false alerts generated by the IDS. The same goes for DLP agents: you will find that a DLP generates a lot of false alerts.

Another issue with anomalous-payload-based NIDS is that it only works if the data is sent in clear text; if the data is encrypted, the sensor cannot inspect the traffic. The same applies to a DLP agent: for it to work, it assumes that the data leaving is not encrypted, so it is only really effective against unintentional leakage. It won't stop someone 'smart' who intentionally sends data outside the organisation, because he/she would encrypt the data before sending it out by email or copying it to USB. (A host-based agent that inspects files and clipboard content on the endpoint, before the user encrypts them, narrows this gap; a network-based agent only ever sees what crosses the wire.)
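As an added example, not from the original post, here is a small content-inspection routine of the kind a DLP agent runs, applied to the same constructed message three ways: in clear text, base64-encoded, and encrypted with a toy stream cipher standing in for whatever an insider would really use (PGP, an encrypted zip). The card number, the message text and the key are all made up for the example. The routine catches the plain and the merely encoded copies and sees nothing in the encrypted one, which is exactly the limitation described above.

```python
import base64
import hashlib
import re

# Patterns a content-inspecting DLP agent might use. The card pattern is
# deliberately loose (13 to 19 digits, optional spaces or dashes); luhn()
# then discards most random digit runs such as order or phone numbers.
PAN_RE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")
B64_TOKEN_RE = re.compile(r"[A-Za-z0-9+/]{20,}={0,2}")


def luhn(digits: str) -> bool:
    """Luhn check-digit test used by payment card numbers."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


def find_pans(text: str) -> list:
    """Return Luhn-valid card numbers found in text, separators stripped."""
    hits = []
    for m in PAN_RE.finditer(text):
        digits = re.sub(r"[ -]", "", m.group())
        if luhn(digits):
            hits.append(digits)
    return hits


def inspect_content(text: str) -> list:
    """What the agent sees: scan the raw text, then also scan anything that
    decodes as base64. That catches the lazy 'just encode it' evasion but
    not real encryption, whose output is indistinguishable from noise."""
    found = find_pans(text)
    for token in B64_TOKEN_RE.findall(text):
        try:
            decoded = base64.b64decode(token, validate=True).decode("latin-1")
        except ValueError:
            continue
        found += find_pans(decoded)
    return found


def toy_stream_encrypt(key: bytes, data: bytes) -> bytes:
    """Toy counter-mode keystream built from SHA-256. NOT a real cipher; it
    only stands in for the tool the insider would actually use so that the
    demo stays dependency-free and deterministic."""
    stream = b""
    counter = 0
    while len(stream) < len(data):
        stream += hashlib.sha256(key + counter.to_bytes(4, "big")).digest()
        counter += 1
    return bytes(a ^ b for a, b in zip(data, stream))


# Constructed messages. 4111 1111 1111 1111 is a well-known Luhn-valid test
# number; 1234 5678 9012 3456 is a 16-digit order reference that fails Luhn.
PLAINTEXT_MSG = ("Hi, order 1234 5678 9012 3456 is paid, card used was "
                 "4111 1111 1111 1111, exp 12/12. Thanks!")
ENCODED_MSG = "FYI: " + base64.b64encode(PLAINTEXT_MSG.encode()).decode()
ENCRYPTED_MSG = "FYI: " + base64.b64encode(
    toy_stream_encrypt(b"insider-shared-secret", PLAINTEXT_MSG.encode())).decode()


def demo() -> dict:
    """Run the agent over all three versions of the same leak."""
    return {"plaintext": inspect_content(PLAINTEXT_MSG),
            "base64": inspect_content(ENCODED_MSG),
            "encrypted": inspect_content(ENCRYPTED_MSG)}


if __name__ == "__main__":
    for label, pans in demo().items():
        print(f"{label:>9}: {pans or 'nothing detected'}")
```

The base64 step is cheap and worth having, because a surprising amount of "intentional" leakage is only encoded, not encrypted. The encrypted case is where a network-side agent is blind; nothing in the ciphertext survives a pattern match, so the remaining controls are the ones the list below describes.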

I still believe that DLP products have a long way to go to mature, at least for now. I believe that an organisation should consider a broader strategy in its data leakage programme; at a minimum the organisation should consider the following:

- Grant 'outbound' email access on a need-to-have basis. Yes, not all employees in your organisation should be able to send email outside.

- Disable USB ports.

- Deploy hard drive encryption on laptops and other mobile devices.

Cover Your Ass (CYA) Security/Risk/Compliance
http://www.wilmarlay.com/?p=41 | Mon, 04 Jan 2010 09:02:18 +0000 | by k-lines

What exactly is CYA?
CYA stands for ‘Cover Your Ass’.

http://en.wikipedia.org/wiki/Cover_your_ass

According to Wikipedia:

CYA describes professional or organizational practices that serve to protect oneself from legal and administrative penalties, criticism, or other punitive measures. The polite explanation of the abbreviation is "consider yourself accountable".

As a risk professional, I am seeing a lot of CYA in the risk & compliance space.

So what is the motive behind CYA in the risk/compliance space?

Simple: risk is very subjective and compliance is not an exact science; most guidelines are open to interpretation. Moreover, when an incident happens, all attention turns to the risk & compliance officers.

Impact on the organisation?

A risk professional who excessively does CYA activities becomes risk-averse and tends to introduce controls that are not effective, both in terms of cost and in mitigating the risk.

So how to improve the situation? (my personal recommendation)

- Be clear and transparent about what you are covering (obviously you are not covering all risks!) and, most importantly, what you are not going to cover as part of your risk assessment or duties. Risk, especially operational risk, is still a new subject not only to risk professionals but to other professionals working in the company.

- Formalise your own risk assessment (keep yourself out of trouble). Most people don't realise that when they provide assurance, either positive or negative, to business units, they are putting themselves at risk. Remember that opinion = liability, and opinion is very expensive. If the engagement is an agreed-upon procedure or an issue-and-recommendation exercise, make it clear to your stakeholders that you don't provide any sort of assurance.

- Educate your stakeholders that there is no such thing as 'absolute assurance'. Most risk/compliance professionals know this, but don't assume that your stakeholders know it! Incidents do happen from time to time, but that doesn't mean we need to add extra controls.

And most importantly, be practical with your recommendations! Completing a regulatory compliance checklist and identifying gaps is easy, but advising customers/clients on a solution that is practical while addressing the risk is still a challenge.

Let me know your thoughts!

Why some people earn more than 99.9K
http://www.wilmarlay.com/?p=38 | Wed, 02 Dec 2009 09:56:58 +0000 | by k-lines

I got this list from a forum, and it's quite entertaining because it's so true!

In summary, people who earn more than 99.9K do so because:

* Their daily actions are based on strategic thinking and vision. Not short term gratification and the “I want it NOW!” syndrome.
* They have a long term plan.
* They have discipline, patience, and persistence.
* They are driven by what they love to do.
* They don’t see the world as “What about me?”. But as “What can I do to make a difference?”
* They are pro-active people. Not reactive.
* They know that it's not just about what you know; it's what you do with what you know. "Who you know" comes after this.
* They don't blame anyone or anything, i.e.: it's the Govt's fault; it's my boss's fault; if only my boy/girlfriend/partner could be more, etc.
* They know they are responsible for their own lives and happiness.
* They know how to interact with people. (Listen, understand, and then talk).
* They know where to look and who to contact to solve a problem.
* They know relationships (business, personal, etc.) are all based on trust.
* They know trivial and nonsensical gossip is detrimental to business, so they don't partake in talking about people behind their backs.
* They know attention to detail matters.
* They know that doing more than what you’re paid for, offers rewards in the long run. (Higher probability of raise or promotion if you can offer undeniable justification of the value you bring to an organisation…Also less likely to be “let go” in times of cutbacks and recession).
* They know not to let their emotions run wild. (That’s a sign of immaturity and unprofessionalism). They know how to channel that appropriately.
* They know a failure is a lesson to be learnt.
* They know not to bark at those under them (who have screwed up), but to ensure they’ve learned something from the experience, by walking it through with them.
* They don’t waste time or effort on things that don’t really matter to their long term vision.
* They know to make their own luck, and not let “fate” decide for them.
* While everyone is attacking the symptoms of problems, they go after the root cause.
* When they learn something, they actually learn it. It's not merely a checkbox to tick or a résumé filler.
* They don’t stop learning.

Biggest security threat with IP Phone/VoIP
http://www.wilmarlay.com/?p=30 | Thu, 23 Jul 2009 10:31:00 +0000 | by k-lines

Some say the biggest security threat of using IP phones/VoIP is denial of service. The fact that TCP/UDP traffic flooding could easily disrupt phone services is undoubtedly true and real, because VoIP's reliability requirements are very demanding.

The second biggest threat with IP phones/VoIP is eavesdropping. Not many organisations that use VoIP deploy Secure RTP (SRTP), so they leave their voice traffic unprotected. Segregating the VoIP network from the internal corporate network does not add real protection: tagging frames for the voice VLAN from a desk phone's PC pass-through port is a routine VoIP pentest step, and once an attacker is on that VLAN, unencrypted RTP is plain audio.
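To make the eavesdropping point concrete, here is an added example that is not from the original post: a parser for the RTP fixed header (RFC 3550 section 5.1) plus the standard G.711 mu-law expansion, run over a constructed packet. A passive listener who can capture unprotected RTP needs nothing more than this to recover the audio samples. The packet bytes, SSRC and sample values are made up for the example.

```python
import struct

# Static RTP payload types from RFC 3551 that matter for telephony.
PAYLOAD_TYPES = {0: "PCMU (G.711 mu-law)", 8: "PCMA (G.711 A-law)",
                 9: "G722", 18: "G729"}


def parse_rtp(packet: bytes) -> dict:
    """Split one RTP datagram into its fixed header fields, the optional
    CSRC list and header extension, and the media payload (minus padding)."""
    if len(packet) < 12:
        raise ValueError("too short for an RTP header")
    b0, b1, seq, ts, ssrc = struct.unpack(">BBHII", packet[:12])
    if b0 >> 6 != 2:
        raise ValueError("not RTP version 2")
    padding, extension, csrc_count = bool(b0 & 0x20), bool(b0 & 0x10), b0 & 0x0F
    offset = 12 + 4 * csrc_count
    csrcs = list(struct.unpack(">%dI" % csrc_count, packet[12:offset]))
    if extension:
        # profile-specific id (2 bytes), then length in 32-bit words (2 bytes)
        ext_words = struct.unpack(">H", packet[offset + 2:offset + 4])[0]
        offset += 4 + 4 * ext_words
    # with the P bit set, the last byte says how many padding bytes to drop
    end = len(packet) - (packet[-1] if padding else 0)
    return {"marker": bool(b1 & 0x80), "payload_type": b1 & 0x7F,
            "sequence": seq, "timestamp": ts, "ssrc": ssrc, "csrcs": csrcs,
            "payload": packet[offset:end]}


def decode_pcmu(payload: bytes) -> list:
    """G.711 mu-law bytes to 16-bit linear PCM (the ITU reference expansion).
    No key, no negotiation: every sample is recoverable from the bytes."""
    samples = []
    for b in payload:
        b = ~b & 0xFF
        t = ((b & 0x0F) << 3) + 0x84
        t <<= (b & 0x70) >> 4
        samples.append(0x84 - t if b & 0x80 else t - 0x84)
    return samples


# Constructed packet: V=2, no padding/extension/CSRC, marker clear, PT 0 (PCMU),
# sequence 0x1234, timestamp 0x160, SSRC 0xdeadbeef, then four mu-law samples.
SAMPLE_RTP_PACKET = bytes([0x80, 0x00, 0x12, 0x34,
                           0x00, 0x00, 0x01, 0x60,
                           0xDE, 0xAD, 0xBE, 0xEF,
                           0xFF, 0x80, 0x00, 0x7F])


def eavesdrop(packet: bytes) -> dict:
    """What a passive listener on the voice VLAN gets from one unprotected
    packet: which stream it belongs to, its codec, and the audio itself."""
    hdr = parse_rtp(packet)
    codec = PAYLOAD_TYPES.get(hdr["payload_type"], "unknown")
    pcm = decode_pcmu(hdr["payload"]) if hdr["payload_type"] == 0 else None
    return {"ssrc": hdr["ssrc"], "sequence": hdr["sequence"],
            "codec": codec, "pcm": pcm}


if __name__ == "__main__":
    print(eavesdrop(SAMPLE_RTP_PACKET))
```

With SRTP (RFC 3711) the same parser would still read the header, since SRTP leaves it in the clear for routing and jitter buffering, but the payload would be encrypted and authenticated, so decode_pcmu would produce noise rather than the call.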

These technical threats are undoubtedly true and real. However, the weakest link in my opinion is that many people are still under the impression that unencrypted VoIP is more secure than unencrypted email. If you think your VoIP or IP phone is secure, think again!

Part 1: Building your own Web Application Scanner
http://www.wilmarlay.com/?p=23 | Thu, 23 Apr 2009 11:38:42 +0000 | by k-lines

I find it amusing when someone claims to be a penetration tester but can't code or write a script and relies heavily on open source or commercial tools. Don't get me wrong, it is fine to use freely available or commercial tools to perform what I would call 'standard operating procedures', but there are a lot of instances where you need to use your own creativity, and this is one example where your own tool will come in handy.

In this post, I will explain how to develop your own web application scanner. I promise no more than 10 lines of code.

A typical web application scanner usually comes with three main parts:

1. Input: an input parser, e.g. for Burp proxy logs, or a web crawler that automatically crawls the site.

2. Engine: this module fuzzes every input parameter of the site and detects any vulnerabilities.

3. Reporting: displays all the vulnerabilities in a nice format.

Because this is Part 1, I will focus on module 2, the engine, and use the Python scripting language as an example. Why Python? Because it's easy and I can do it in fewer than 10 lines.

Python

——————————————————————————–

import urllib.parse, http.client  # import the relevant libraries (Python 3 names for urllib/httplib)

# Store all the POST parameters in the qsParams variable
qsParams = urllib.parse.urlencode([('para', 'exmpl1'), ('para2', 'exmpl2')])

conn = http.client.HTTPConnection('www.test.com')

# Session cookie, plus the content type a form POST needs
headers = {'Cookie': 'sessionID=123456',
           'Content-Type': 'application/x-www-form-urlencoded'}

# Send the POST request
conn.request('POST', '/index.asp', qsParams, headers)

f = conn.getresponse()  # Get the HTTP response
body = f.read()  # The response body that the detection step inspects

—————————————————————————-

Once you have the HTTP response, you can use it to detect vulnerabilities. For example, if you are aiming to detect SQL injection, you can run a regular expression over the response body looking for database error strings such as 'You have an error in your SQL syntax' or 'Unclosed quotation mark after the character string'. Matching the bare word 'SQL' is a poor signature: it also fires on ordinary page content, so match specific error messages and compare against the response to an un-fuzzed baseline request before reporting anything.
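Here is the engine carried through end to end, as an added example that is not part of the original post or of Webarmy: it sends the same form POST as the snippet above, appends a few quote payloads to every parameter, runs five requests at a time with a per-request timeout (the thread and timeout options listed for Webarmy at the top of this feed), and reports a parameter only when a database error signature appears that the baseline response did not contain. Because www.test.com in the snippet is a placeholder, the example stands up its own constructed target on localhost; that target (FakeASP), the payload list and the error-signature list are assumptions of the example, not the post's.

```python
import http.client
import re
import threading
import urllib.parse
from concurrent.futures import ThreadPoolExecutor
from http.server import BaseHTTPRequestHandler, ThreadingHTTPServer

# Error strings that leak from common database back ends when an injected
# quote breaks the query. Matching these, rather than the bare word "SQL",
# keeps false positives down.
SQL_ERROR_SIGNATURES = [
    r"You have an error in your SQL syntax",                # MySQL
    r"Unclosed quotation mark after the character string",  # MS SQL Server
    r"Microsoft OLE DB Provider for SQL Server",            # classic ASP + MSSQL
    r"ORA-\d{5}",                                           # Oracle
    r"syntax error at or near",                             # PostgreSQL
    r"unrecognized token",                                  # SQLite
]
SQL_ERROR_RE = re.compile("|".join(SQL_ERROR_SIGNATURES), re.IGNORECASE)

# Payloads appended to each parameter's normal value (an assumed, short list).
PAYLOADS = ["'", '"', "' OR '1'='1", "1;--"]


def post(host, port, path, params, headers, timeout=5):
    """Send one form POST (the same http.client call as the snippet above)
    and return (status, body)."""
    body = urllib.parse.urlencode(params)
    hdrs = {"Content-Type": "application/x-www-form-urlencoded", **headers}
    conn = http.client.HTTPConnection(host, port, timeout=timeout)
    try:
        conn.request("POST", path, body, hdrs)
        resp = conn.getresponse()
        return resp.status, resp.read().decode("utf-8", "replace")
    finally:
        conn.close()


def scan(host, port, path, params, headers, payloads=PAYLOADS, workers=5, timeout=5):
    """Fuzz every parameter with every payload, `workers` requests at a time,
    and report a parameter only when the response shows a database error
    that the untouched baseline response did not already contain."""
    _, baseline = post(host, port, path, params, headers, timeout)
    baseline_hits = set(SQL_ERROR_RE.findall(baseline))

    def probe(job):
        name, payload = job
        fuzzed = dict(params, **{name: params[name] + payload})
        status, body = post(host, port, path, fuzzed, headers, timeout)
        hits = set(SQL_ERROR_RE.findall(body)) - baseline_hits
        if hits:
            return {"param": name, "payload": payload, "status": status,
                    "evidence": sorted(hits)}
        return None

    jobs = [(name, payload) for name in params for payload in payloads]
    with ThreadPoolExecutor(max_workers=workers) as pool:
        return [r for r in pool.map(probe, jobs) if r]


class FakeASP(BaseHTTPRequestHandler):
    """Constructed stand-in for www.test.com/index.asp: a login form whose
    'username' is concatenated into the SQL query while 'password' is
    handled safely. It exists only so the demo runs offline."""

    def do_POST(self):
        length = int(self.headers.get("Content-Length", 0))
        form = urllib.parse.parse_qs(self.rfile.read(length).decode())
        username = form.get("username", [""])[0]
        if "'" in username or '"' in username:
            status = 500
            body = ("Microsoft OLE DB Provider for SQL Server error '80040e14'\n"
                    "Unclosed quotation mark after the character string '%s'." % username)
        else:
            status, body = 200, "Welcome, " + username
        self.send_response(status)
        self.send_header("Content-Type", "text/html")
        self.end_headers()
        self.wfile.write(body.encode())

    def log_message(self, *args):  # keep the demo output quiet
        pass


def run_demo():
    """Start the fake target on a free local port, scan it, shut it down."""
    server = ThreadingHTTPServer(("127.0.0.1", 0), FakeASP)
    threading.Thread(target=server.serve_forever, daemon=True).start()
    try:
        return scan("127.0.0.1", server.server_address[1], "/index.asp",
                    {"username": "admin", "password": "secret"},
                    {"Cookie": "sessionID=123456"})
    finally:
        server.shutdown()
        server.server_close()


if __name__ == "__main__":
    for finding in run_demo():
        print(finding)
```

Against the fake target this reports only the username parameter, once per quote payload, with the two error strings as evidence; the password parameter and the non-quote payload produce nothing. The baseline subtraction is what stops a page that legitimately mentions "SQL" from being reported, which is the false positive the bare-word match in the post would produce.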

2nd Place!! Victorian Mile High Dragon Boat
http://www.wilmarlay.com/?p=16 | Wed, 28 Jan 2009 10:49:34 +0000 | by k-lines

We have been training very hard in the past few months, and all of our hard work has finally paid off. Last week we went on a trip to Falls Creek for the Victorian Mile High Dragon Boat championship; we came 2nd after Melbourne Flames, which was an excellent achievement considering our team didn't even make the top 5 the prior year. Melbourne Flames is a state team; obviously if CYSM Sea Dragon (my team) were to win this competition, we would represent Victoria in the national dragon boat competition. Let's just hope that next year we can beat the Flames!

[Photo: CYSM Sea Dragon team photo]

Which is correct: It is I or It is me?
http://www.wilmarlay.com/?p=10 | Mon, 13 Oct 2008 08:13:37 +0000 | by k-lines

I never realised that 'It is me' is grammatically incorrect until I read the book 'Woe is I' by Patricia O'Conner.

[Image: 'Woe is I' book cover]

With English it is very easy to get confused. A lot of people, including native English speakers, if asked 'Who told you that?', will answer 'It is me' rather than 'It is I'. At least I learnt something new today!

Datum and Data
http://www.wilmarlay.com/?p=4 | Tue, 13 Mar 2007 02:20:47 +0000 | by k-lines

This may sound odd, but the word 'data' is a plural and therefore takes a plural verb. The singular form of 'data' is 'datum'. I have to admit that I didn't realise the word 'data' is plural. How many times have I used 'data' with a singular verb?
