
Wake Up And Help Burn Away The Stupid
Friday, 14 May 2010 09:52

The biggest failure in information security is actually a failure in information technology implementation.

For many, many decades the operating systems and applications that have been made for computers have come with built-in security features. The very idea of a username and password to log into a computer pre-dates home computers by at least a decade, with Multics back in 1964. And it wasn't the first.

But what has happened over this time is the old "arms race": the so-called bad guy finds a way around the restrictions put in place, so newer and more elaborate restrictions are put up. More elaborate and complex security systems require more time to set up, more knowledge to implement and a generally higher degree of intelligence.

In the business world, there is little tolerance or interest in the needs of Information Technology, but an excruciatingly large demand. Most IT departments run on very tight budgets with minimal personnel, the majority of funding going to hardware and obscenely expensive software licensing. If you don't offer very high pay and very good benefits, you can't really attract the very best IT employees.

So for the last 23 years or so, the information technology field has turned to 3rd party solutions for complex security. "Solutions" include antivirus, antispyware, Intrusion Prevention Systems, Firewalls, anti-spam, web filters and more. There are host-based and network-based versions of all of these, plus other variations and specialized implementations. There is deep-packet inspection, source-code analysis, vulnerability assessment, penetration testing, and on and on and on.

The end result? In a typical production environment of a Fortune 500 company, you have dozens, hundreds or even thousands of computer systems that essentially run with a default, base Operating System install and all the 3rd party security tools bolted on as an afterthought. No patching is done at all, or only the absolute minimum needed to keep the systems running. Many unused services are left installed and running. Local security policies are never configured, or only a few token changes are made. Services like HTTP, SMTP, FTP, IMAP, POP and the like also run with default configurations.

Wha... Wha.--WAHT TH# FUKC?>!!

These systems are INCREDIBLY VULNERABLE AND EASY TO HACK! They can be broken into remotely or locally. We're talking $150,000 premium servers that can be turned into digital scrap with the equivalent of a toothpick. They are the electronic equivalent of a frail person with no immune system, kept alive by a thin plastic bubble. That bubble? The 3rd party security software that has been installed on the server and the network. And that very expensive, five million dollars' worth of security solutions? Very likely it has also been thrown in place with default settings, providing only half-assed protection.

This all happens because IT departments are overworked and full of lazy, ignorant people. Not every IT staffer is an idiot slob. But there are enough overworked, stressed IT workers mixed with enough faux-IT employees to result in the mess that the world finds itself in today: a billion computers in shitty health.

It's time to wake up and shake the cobwebs out of our heads. We can build computers configured properly enough that they are not immediately vulnerable to every single exploit that is published. We do not have to rely on a dozen layers of expensive, 3rd-party security software to protect ourselves! I'm not suggesting we do away entirely with firewalls and other measures. But we can make our servers, workstations and websites many times more secure than they are without anything more than additional man hours. Which, in the end, is probably cheaper than overpriced security software.

Computer security follows the biological threat model. A healthy computer system is hard to infect or exploit. Not impossible. Just hard. Hard enough that the infection/exploit vector (be it automated script or malicious hacker) will just go and find something easier to attack in most cases. Even when a healthy computer system is violated, it will be easier to recover from the attack.

What makes a healthy, secure computer system? Here's a short list to start with:

  1. Install all operating system patches that are applicable, not just the ones that are "approved".
  2. Absolutely no unnecessary software installed. If you don't need it, yank it!
  3. If you can't uninstall something you don't need, turn it off, delete it, restrict access to it in some other way.
  4. Turn off the services you don't need (which you should uninstall if you really don't need them!).
  5. Configure a local security policy to at least enforce password security and enable auditing of security events.
  6. For any of the services you DO use, including 3rd-party software, make sure to enable the security features included such as authentication, encryption, access restrictions, etc.
  7. Update your 3rd party software as well as the operating system. That means patch that crappy Java engine and that piece-of-shit Adobe Reader!
  8. Backups. If your critical system isn't being backed up every single day, you are putting a gun to your head and asking people to pull the trigger. I am not joking. Lack of backups is literal suicide, people!
  9. Monitor your systems! Monitor the hardware sensors, the disk capacity, the network usage, the CPU load, everything you can get your hands on.
  10. All of the logging on your servers should go to a central syslog server as well as locally. If your server becomes a burning, molten hole in the ground you still have logs of what the fuck happened.
  11. Test your systems! Make sure that all the redundant hardware actually works, that backups are restorable, that patches installed are active (schedule reboots on a weekly basis), and that any other behind-the-scenes scheduled jobs actually run to completion.
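Several items on that list can be checked mechanically rather than by eyeballing a server once a year. The following POSIX sh audit is an added example written for this page, not code from the original post: it covers item 4 (listening services that aren't on an allowlist), item 5 (password policy), item 8 (backup freshness), item 10 (logs actually forwarded to a central syslog host) and item 11 (a patched kernel that is installed but not yet running). Each check takes the text it inspects as an argument, so you can feed it live output from `ss -ltnH`, `/etc/login.defs`, `/etc/rsyslog.conf` or `uname -r`; here it runs over constructed sample data. The allowlist, the thresholds and the sample kernel version strings are assumptions chosen for the example.

```shell
#!/bin/sh
# Added example (not from the original post): a small host audit for several
# checklist items. Every check takes the text it inspects as an argument so it can
# be run against live command output or, as at the bottom, constructed samples.
# Allowlists and thresholds are assumptions for the example, not a standard.

# Item 4: report listening sockets whose port is not on the allowlist.
# $1 = space-separated allowed ports, $2 = lines of "addr:port process"
# (the shape of `ss -ltnH` output once reduced to those two columns).
unexpected_listeners() {
    allow="$1"
    printf '%s\n' "$2" | while read -r addr proc; do
        [ -n "$addr" ] || continue
        port="${addr##*:}"
        case " $allow " in
            *" $port "*) ;;                       # expected service, stay quiet
            *) printf '%s %s\n' "$port" "$proc" ;; # unexpected: print port and process
        esac
    done
}

# Item 5: login.defs-style text must set PASS_MAX_DAYS <= 90 and PASS_MIN_LEN >= 12.
password_policy_ok() {
    max=$(printf '%s\n' "$1" | awk '$1 == "PASS_MAX_DAYS" { print $2 }')
    min=$(printf '%s\n' "$1" | awk '$1 == "PASS_MIN_LEN"  { print $2 }')
    [ -n "$max" ] && [ -n "$min" ] && [ "$max" -le 90 ] && [ "$min" -ge 12 ]
}

# Item 10: rsyslog-style config must contain an uncommented remote action
# ("@host" for UDP, "@@host" for TCP); otherwise logs die with the box.
syslog_forwards_remotely() {
    printf '%s\n' "$1" | grep -Eq '^[^#]*[[:space:]]@@?[A-Za-z0-9.-]+'
}

# Item 8: last backup (epoch seconds, $1) must be within 25 hours of now ($2):
# a daily job plus one hour of slack.
backup_is_fresh() {
    [ $(( $2 - $1 )) -le $(( 25 * 3600 )) ]
}

# Item 11: a patched kernel only protects you once it is running. Returns 0
# when the newest installed kernel ($2) differs from the running one ($1).
reboot_pending() {
    [ "$1" != "$2" ]
}

# --- Constructed sample inputs standing in for live command output -----------
SAMPLE_LISTENERS='0.0.0.0:22 sshd
0.0.0.0:21 vsftpd
127.0.0.1:25 exim
0.0.0.0:443 httpd'
SAMPLE_LOGIN_DEFS='# constructed excerpt of /etc/login.defs
PASS_MAX_DAYS 90
PASS_MIN_DAYS 1
PASS_MIN_LEN 12'
SAMPLE_RSYSLOG='# constructed excerpt of /etc/rsyslog.conf
*.info;mail.none /var/log/messages
*.* @@loghost.example.internal:514'

echo "Listeners not on the allowlist (22 443):"
unexpected_listeners "22 443" "$SAMPLE_LISTENERS"
if password_policy_ok "$SAMPLE_LOGIN_DEFS"; then echo "password policy: ok"; else echo "password policy: WEAK"; fi
if syslog_forwards_remotely "$SAMPLE_RSYSLOG"; then echo "remote syslog: ok"; else echo "remote syslog: MISSING"; fi
# Sample timestamps are 48 hours apart, so this one fails on purpose.
if backup_is_fresh 1262300400 1262473200; then echo "backup: fresh"; else echo "backup: STALE"; fi
# Sample kernel strings are illustrative values, not a claim about any release.
if reboot_pending "2.6.18-164.el5" "2.6.18-164.9.1.el5"; then echo "reboot: PENDING"; else echo "reboot: not needed"; fi
```

Each check returns a plain exit status, so the same functions drop straight into a cron job that mails you only when something fails, which is the point of item 9: a check nobody runs is not monitoring.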

Does that look like a long list to you? Am I hearing some of you whine that it's too much work? TOUGH SHIT! IT ISN'T FOR WIMPS, DAMN IT! Suck it up and earn your paycheck, kids!

Only after you've got a healthy, secure computing system should you then look at installing any 3rd party quackery like antivirus, IPS and the like. And you know what? Keep that crap off the servers. Just use network-based implementations. That way when those idiots in networking screw up, it doesn't reflect badly on you.

WebApp Throwdown!
Tuesday, 12 January 2010 21:33

WebApp Scanning Throwdown!

Starring: Nexpose Enterprise, Nessus 4.2 Professional Feed and Core Impact v10

The Victim: http://demo.testfire.net/ (Sorry IBM... not!)

Revised: 1/19/2010


Important Follow-up!

I have to apologize for errors in my original article. I missed a few findings in some of the reports, and misread a few items. Just to make this absolutely clear, errors in analysis of the results are my own fault, not a reflection of the products. And as stated, the configurations used were not ideal.

Please visit the downloads section for a spreadsheet providing the vulnerabilities in a matrix format and which tools identified them. Ultimately, there's not a lot of difference, though Nexpose did manage to get a couple that Nessus missed. All three tools missed quite a few more subtle vulnerabilities in the test site, however.

I feel the most important conclusions that can be drawn from this comparison are:

  1. You can't rely on one tool to find all your issues
  2. You need to make sure your tools are properly configured for maximum results
  3. No tool will find everything, but it will be a good indicator you may need to take something apart to look at it more closely

The Setup

I used three different computers, one for each scanning product. These were identical NC6715b HP laptop computers, AMD 64-bit processors with 4GB of RAM. Core Impact ran under Windows XP Pro with SP3, while Nexpose and Nessus ran under RedHat Enterprise Linux 5.4.

I chose the fake banking website Altoro Mutual as the target for this throwdown due to its independence from the three products being used, and of course we did not want to attack any real targets.

For Nexpose, I used the built-in Web Audit scanning template, and merely configured a site with the target host. In Core Impact, I simply used the Rapid Penetration Testing scan and attacks under the Web assessment section. For Nessus, I had to create my own scanning policy by enabling just those plugins related to WebApp scanning. I used this Nessus Document and this discussion on Tenable Security's website as a source to determine what plugins to enable.

Core Impact is proxy-aware and had no problem performing its attacks through an internal proxy to the Internet. In contrast, both Nexpose and Nessus are proxy-ignorant and had to be directly connected to the evil, festering Internet in order to perform their scans.

The Results

All three scanners correctly identified the SQL injection vulnerability in the "login.aspx" URL of the demo.testfire.net website. Additionally, all three were able to find Cross-Site Scripting (XSS) vulnerabilities in "login.aspx", "search.aspx" and "comment.aspx".

However, Core Impact did not identify any other WebApp vulnerabilities in the target. Both Nessus and Nexpose found additional issues, such as browsable directories, lack of encryption, and weak authentication.

Nexpose flagged the "/bank/" directory as browsable. Nessus found the same directory, but didn't explicitly list it as browsable. Nessus found additional directories ("/Admin/", "/admin/" and "/images") but they are not browsable.

Nessus provided the most results, with additional finds that Nexpose and Core Impact didn't catch, including:

  • A possible SQL injection vulnerability in "customize.aspx"
  • The website uses plain text authentication (i.e. no HTTPS)
  • Auto-Complete is not disabled on the login form (a feature that tells browsers not to let the end-user store their password in the browser for later use)

The Upshot

First off, let's be clear that Core Impact is a penetration testing tool, not a vulnerability assessment tool. It only checks for vulns that it could potentially exploit to install agents. There are many potential vulnerabilities it will not flag (such as unencrypted webpages) which are still quite significant for web application security. Anyone who is using Core Impact for vulnerability assessments has failed to read the documentation. Core Impact is a great tool when used in conjunction with actual vulnerability scanners.

Both Nessus and Nexpose worked great, but Nessus had to be configured to do WebApp scanning. It is possible the configurations used in this Throwdown were not optimal. In the end, both Nessus and Nexpose caught the most serious problems (SQL Injection and XSS). And both scanners have a "free" version available. It's tough to call a real winner here. We may have to perform a tie-breaker!


You may download the reports generated from this Throwdown, as well as the session files for Nessus and Core Impact.

DeepMac database update
Wednesday, 02 December 2009 14:33

The DeepMac database has been updated with the most recent date information as of December 2nd, 2009. I also updated the MySQL dump of the database.

I haven't had time to add further fingerprints to DeepMac, nor expand on tools for searching and updating. But please do not hesitate to submit ideas, suggestions or comments!

(Also, I like cookies)

The Puppetmasters New Clothes
Thursday, 07 January 2010 13:20

In the Science Fiction novel "The Puppet Masters" by Robert A. Heinlein, alien creatures with the ability to connect to humans' nervous systems invade the Earth. This novel was made into a terrible, horrible movie, so if you have seen the movie but not read the book, please go read the book. And burn any copies of the movie you can get to.

But back to the book. It's a pretty typical "alien possession" novel by current standards, but it was actually a significant publication in 1951. The aliens themselves are relatively small things with limited mobility (they are dubbed slugs), but can attach themselves to a victim's neck and hang down the back. The "slug" can then control the human and tap into their memories, while remaining hidden under the clothing. As the novel progresses, the protagonists (Sam and Mary, who both work for a secret intelligence agency of the US) withdraw to the mountains. After being attacked by an alien slug, they return to the city to discover a law has been passed requiring full nudity.

Correct, the only way to tell if a human was possessed was to require full nudity. Heinlein established that even a naked woman carrying a purse was suspect because she kept her hand in her purse which allowed her to remain connected to the slug. Now, part of the reason Heinlein wrote this solution into his novel is because he was a big fan of nakedness (hardly any of his novels don't mention it). But also because it's the obvious, simple solution to the question "How do I know if you are really you?". The slugs were too big to not be visible and obvious when attached to a victim.

Now, the $1.69 question: Is this a reactive security measure, or a proactive one?

Thanks to Richard Reid, we now have to take our shoes off at many airports. And most likely, we'll have much more invasive body scans to look for hidden explosives (even though there's no evidence such a scan would have caught Nigerian Abdulmutallab's hidden explosives). These are reactive security measures. Why? Because even looking at a person stark naked, you cannot tell if he or she is a terrorist. "The Puppet Masters" has a specific threat that can be visually identified and is known to be hostile to humanity. So the nudity solution is actually rational, if socially awkward. No such test exists for humans that intend harm to other humans.

This does not stop the TSA and law enforcement from following profiling methodologies, unfortunately. Many innocent citizens are taken aside because of their religious beliefs, skin color or "attitude". The lesson of Timothy McVeigh, Richard Reid and Umar Farouk Abdulmutallab has not stuck: terrorism is an action, not a kind of person, a belief system or a clothing style. Most of the security measures taken in airports and on airplanes since 9/11/2001 have been reactive "security theatre" rather than actually, proactively useful.

So what proactive security measures should be taken in the wake of the failed Christmas Bombing? Move security screening back to boarding gates. Improve the intelligence gathering and sharing community. Train more air marshals and put them on more flights. And most importantly, stop wasting resources on reactive measures.
