If you run your blog on  WordPress 2.5.1 or higher , you might be interested in a new security plugin called WordPress Exploit Scanner . I find it very easy to use an also very useful because it has already detected a malicious comment on my blog which was already tagged as spam by Akismet ;  - lucky for me I guess .

From it’s creators:

This WordPress plugin searches the files on your site for a few known strings sometimes used by hackers, and lists them with code fragments taken from the files. It also makes a few checks of the database, looking at the active_plugins blog option, the comments table, and the posts table.

So go and get your WordPress Exploit Scanner plugin for free !

Share This

It’s been a while since I posted on the blog and even though I want to think the opposite, there is no acceptable explanation for it .

But I’m coming back by showing the most recent "work" I’ve done in the security arena. A few days ago I gave a presentation about the latest addition to my employer’s portfolio of professional services : Anti-phishing and brand identity.

Apparently Pareto principle applies to anti-phishing and brand identity protection as well: 80% of the tasks take 20% of the time and the rest of 20% of the tasks are done in the remaining 80% long hours.

I’m proud to say we tackle the 20% of the tasks fast. Very fast.

So here is my presentation on "Phishing Exposed, Brands Secured". I made it the same image intensive way like my previous "E-Banking Web Application Security" presentation and I hope you like it

| View | Upload your own

Share This

This must be the new scanners post. Tenable released version 3.2.0 of their popular Nessus vulnerability scanner and eEye enters the arena of web application scanners by releasing Retina Web App Scanner.

Tenable Network Security announced the availability of the new Nessus 3.2.0. This release sure looks promising because it brings quite a few new or improved features. It’s refreshing to see a software release which is not "security-bugs-fixing" driven:

This new major release contains several improvements, including:

• IPv6 support
• Improved control of network bandwidth usage during scanning
• Granular access to control rules to limit users to specific ports and audits
• Improved WMI support
• Full support for the new .nessus file format

The new Retina Web Security Scanner is not exactly a new security tool since it’s a custom version of NT Objectives NTOSpider Web app vulnerability scanner, and is integrated with eEye’s management console, REM.

This release is just a phase of eEye’s plans concerning the Web Scanner. Web security spells big business for eEye which intends to release an appliance-based version of this new scanner, says Morey Haber, vice president of product management at eEye.

Share This

Today ArcSight announced that T-Mobile has chosen ArcSight ESM  for Security Information and Event Management (SIEM) and Imperva SecureSphere Web Application Firewall won Information Security Magazine  "strongest overall offering for application and database security" . Sweet !

1st sweet news :  I’m very happy to hear that ArcSight closed T-Mobile deal because I hope that more and more industry big players will adopt and support ArcSight’s technical innovations. I’m particularly keen to see widespread adoption of Common Event Format (CEF) promoted by Arcsight :

The Common Event Format (CEF) is an open log management standard that improves the interoperability of security-related information from different security and network devices and applications.

When CEF will become de-facto log management standard I’m sure that we will be able to aggregate and correlate events generate by any CEF compliant source.

 2nd sweet news :  I love Imperva’s SecureSphere Web Application and Database Firewall and it’s great to know that Information Security Magazine named it “the strongest overall offering for application and database security”. I still think Imperva is one of the most accurate web security controls and it’s good to see some public recognition for all the hard work!

Share This

When I started this blog, I wanted to offer free insights and reviews of various security tools which could help in mitigating various security risks. I still do, but I realized that technology is not enough. People are still the weakest link in the chain of security custody of information assets.

A few weeks ago I’ve met a UK security consultant who told me the latest cover-your-ass employee excuse for having too many beers at the local pub and losing a PDA or laptop stuffed with valuable information: My laptop was stolen from my desk!

It’s a nice story and it holds most of the time. But there is a very simple way to prevent such incidents and I’m not talking about a beer ban in pubs

I’m talking about CCTV Security Camera and Surveillance Equipment which can be easily deployed as computer hardware DVR Camera Systems or standalone DVR appliances.

Either presented as an exterior wireless camera or hidden wireless camera, a modern CCTV Security System must include highly efficient H.264 video encoding, motion detection, email notification, digital watermark and remote management.

One example of such system is the sponsor of this post, the  DiGiCam DVR 120 FPS system by 123 CCTV Security Camera Surveillance Equipment.

I have not used the system yet but if I would go for building a CCTV Security System I would definitely get in contact with 123 CCTV Security Camera Surveillance Equipment.

Share This

On May 5 2007 I wrote about OpenDNS’ initiative to offer web content filtering for the masses. At that time I thought the service will be offered for a fee, but to my complete surprise, David Uletvitch has decided to turn this project into a community effort.

Hundreds of thousands of websites have been manually tagged by volunteers and the result is given back to the public domain in the form of free web content filtering.

Deploying the system is straight forward:

1.  Use OpenDNS’ servers for DNS resolution
2.  Create a free account
3.  Add a network to the account (Yes, dynamically assigned IP addressed are supported too! )
4.  Pick the web categories you want to filter out - there are more than 30 categories!
5.  Turn on content filtering
6.  All done. Wait 3 minutes and test .

I would definitely recommend this project to anybody looking for a way to control the web access. First thing that comes into mind is keeping kids safe online. However, I’m sure that it’s hard to practice what you preach so if you use this system to protect your child, remember to "turn off" the OpenDNS resolver whenever you want to browse the web .

Nevertheless, a great tool indeed!

Share This

ScanSafe just launched Anywhere+, a very cool web security service which is intended to provide web content security for roaming users.

Well, securing the laptops used by sales or marketing staff  *outside of the company’s premises* has always been a pain in the behind and I’m afraid this will not change overnight.

However, I find ScanSafe’s approach interesting and it might just work this time… but how does it work? Is it a proxy setting? Is it a VPN connection? Is it a browser plugin? I don’t know so I had to find out. I applied for a trial account and I hope I will get to the bottom of this issue soon.

Sure, the marketing presentation looks nice:

And so does the explanatory text:

• Authenticates and directs your external client Web traffic to our scanning infrastructure. 
• Numerous datacenters are located all over the world from Sydney to San Francisco ensuring that your employees are never too far from our in-the-cloud scanning services.
• SSL-encryption of all Web traffic flowing to us improves security over public networks

So, I’m guessing that Anywhere+ alters the browser itself and no matter how you get on Internet, the web requests will be redirected to ScanSafe’s data centers where the response is checked for web malware.

This raises a few questions on the adoption of this technology:

• User’s online privacy could be questioned – Lots of authentication pages don’t use SSL
• If this technology is browser dependant (my money is on Internet Explorer), what would prevent a smart a$$ user to use a different browser such as portable apps…

I wish ScanSafe Anywhere+ best of luck because the service is much needed and it’s distributed architecture looks promising.  And guys, please don’t forget my application for a trial version

UPDATE:

I got an email from Spencer Parker, Director of Product Management at ScanSafe and here are some clarifications:

1. The software works at the protocol level, not application level. This means it works with any application that uses the HTTP or HTTPS protocols. This means if users go ahead and install another browser to bypass corporate proxy settings (which a lot do!) then the Anywhere+ driver still redirects the protocols correctly to the closest ScanSafe scanning tower.

2. We use an SSL tunnel to get all HTTP and HTTPS traffic to the scanning tower. It does this to add an extra level of security to the application (stop people sniffing your traffic at wireless hotspots etc) and for other reasons as well.

I’m still waiting for my trial account

Share This

I’ve found today 2 resources which are connected to good old Google Hacking Database :

1. Googlehacks which is  a dedicated application for Windows / Linux / Mac and allows you to easily run specialized Google queries (a.k.a googledorks). I would say that it’s a "must" inclusion in”Web Hacking for Dummies".
2. Google Hack Honeypot which is a set of PHP scripts used to detect any Google hacking attempts targeting your site. Well, it might me one of your friends using the tool described at #1 above

I find the Google Hacking Honeypot specifically interesting because I think it might be used as an IDS-like PHP class / module to identify who’s pulling some intelligence reports on your website.

Share This

A very short post :

Nikto 2 is out ! Finally I’m sure most of us have seen the funny message primisinf a new version real soon ; well, it happened and you can check the huge Changelog here.

Thanks to all the fine folks at CIRT.NET !

Share This

Today I’ve seen the smallest security appliance ever ! The YOGGIE Pico Personal Security Server runs of an USB port and provides more than a dozen security features. At first I thought it’s an USB drive full of portable applications but I was wrong. The Yoggie Pico it is a server-server with proper CPU, SDRAM, Flash, Operating System, File System and all .

No larger than a regular USB thumb drive, Yoggie Pico runs a custom Linux distribution and it packs almost all security functionality you could find in a large corporate network:

•  Adaptive Security Policy™
• Multi-Layer Security Agent™
• Layer-8 Security Engine™
• URL Categorization & Filtering
• Anti-Spam
• Anti-Phishing
• Antispyware
• Antivirus
• Transparent Email Proxies (POP3; SMTP)
• Transparent Web Proxies (HTTP; FTP)
• Intrusion Detection System / Intrusion Prevention System
• VPN Client
• Stateful Inspection Firewall

Awesome Tool // You can read about how it works or you can download the datasheet (PDF) here .

Share This

Ha! Finally there is an official method to tell apart the security minded programmers from the rest of the coder crowd. GIAC Secure Software Programmer (GSSP) Certification is a brand new SANS exam designed to test the security knowledge of developers in an effort to reduce the application security vulnerabilities.

It is an efficient example of fixing the cause of software vulnerabilities and I hope that it won’t turn into a paper certification like so many other security certs have done during the past years.

There are two tests available depending on the programming language chosen by the candidate and these are the exam blueprints:

• C Exam
• Java Exam

According to the calendar of events, the first exam sessions will be held on Dec 2 in Orlando, FL and Dec 5 in London, GB.
Good luck to all who consider talinkg this exam !

Share This

I’ve always thought that secure web applications must be built secure and no matter how many patches are released during an application’s life cycle, secure coding and secure code are the fundamental pillars of secure web. 

Defending a vulnerable web application with one Web Application Firewall should only buy you some time toactually fix the vulnerabilities. I strongly believe that virtual patching is just a buzz marketing crap word.  Always fix the code !

Just a few days after I found a static .Net  XSS code analyzer , today I’ve found a PHP XSS and SQL injection source code analyzer called Pixy.

Download and install Pixy today and please share the experience !

Share This

NEW!  Microsoft just released XSSDetect,  which is a free VisualStudio plugin designed to detect XSS vulnerabilities in managed code.

My relationship with programming has been going from bad to worse and we just decided it was time to call it quits a few years ago and that’s the reason I won’t be able to test it first hand. Nevertheless I think  we should support any effort to reduce software vulnerabiltiies and this time props go to Microsoft !

Download XSSDetect from Microsoft

Share This

Recently I took part in a training session on Imperva SecureSphere® and I must say I was impressed with the architecture, features and overall philosophy behind this product.

Here are 10 reasons I liked Imperva SecureSphere, an awesome Web Application Firewall or should I say Business Application Firewall for obvious reasons which I will present below.

Note : I am not affiliated with Imperva , and this is not a paid review .

1. Dual Approach on Web Application Security : WWW + SQL
There are several Web Application Firewalls   available on the market and apparently Imperva is the only one who approaches Application Security the right way, as a multi-tier structure. Therefore, Imperva offers IPS-like protection both on presentation layer (HTTP traffic) and data layer (SQL Traffic). 

The ability to monitor and block both HTTP and SQL traffic provides defense in depth and unmatched end-to-end user accountability (from browser to database).

2. Architecture / Extremely Flexible Deployment 
SecureSphere is offered as a hardened appliance withstanding impressive traffic values up to 2Gbps and 36,000 HTTP Transactions / sec. or 200,000 SQL Transactions / sec. 

The Architecture of a SecureSphere solution is modular and scalable:

I liked the fact that there is a Management server and “enforcement points“in the form of Web Application Firewalls and Database Security Gateways. Yes, it looks similar to a CheckPoint architecture, and there is a good reason for this .

The deployment options blew me away because I was used only to reverse proxy and transparent proxy web application firewall. Well, Imperva offers a wide range of deployment scenarios which should fit any network requirement:

• Transparent Bridge (Layer 2)
• Router/NAT (Layer 3)
• Reverse Proxy (Layer 7)
• Non-inline sniffer
• Transparent Proxy (Layer 7).

3. Positive Security Model / Dynamic Profiling
The positive security model is definitely not something new, especially in web application firewall design. But what I found to be very interesting about Imperva’s approach was the semantic breakdown of both HTTP and SQL requests. Finally HTTP requests or SQL queries can be tokenized and each token can be fed to a correlation engine. Suddenly data has a meaning and actions can be taken based on the meaning of tokens.

One of the drawbacks of the positive security model is the taming (or should I say training of the Firewall / IPS, etc. Lots of time spent on teaching a machine the difference between normal and ab-normal.

Imperva tackled this time & resource consuming action by implementing a dynamic profiling functionality. Every new application is automatically set into “Learning” mode until a certain number of requests (in the order of thousands) or days have elapsed. At that point, based on the data gathered so far, the system defines a profile of acceptable requests and locks the application in “Protection” mode. Defining what is “normal” or “acceptable” is done by a statistical correlation of all values recorded for each token, much like a Gauss bell normal distribution.

At any future point in time the application lockdown can be removed by an administrator and tokens can be modified.

4. HTTPS/SSL Inspection Passive decryption or termination
One of the common shortcomings of web application firewalls / IPS is the inability to look inside a SSL encrypted data stream without breaking the SSL connection between browser and web server.

Imperva SecureSphere acts as a transparent, passive SSL terminator and it can either store a copy of the web server’s private key or can it leverage the key management & encryption to an existing HSM unit.

5. Imperva Application Defense Center (ADC)
Whenever one buys such a complex security solution, it’s a good feeling to know that the product is actively supported and improved by a dedicated R&D team. Think of ISS (IBM) X-Force.

Imperva’s own R&D uber hacker team is called Application Defense Center (ADC) and its leader is Amichai Shulman, Imperva’s CTO.

I was told that the average time elapsed since a zero day vulnerability disclosure and a full signature release is 3 to 5 days. And we are talking multiple layer vulnerabilities: Network, Operating Systems, Protocol Anomalies (Http and Sql), Database Platforms, Web Application Platforms, etc.

6. Enterprise Ready Features
I call this set of features “Enterprise-Ready Features” because I’ve come to understand that it’s not enough for a product to be the best in its class, it has to fit in nicely within an established network and it has to be easy to manage, deploy and upgrade. Yeah, 21st century corporate bull requirements

So here they are Imperva SecureSphere’s Enterprise-Ready features

• High Availability
  • IMPVHA (Active/Active, Active/Passive) – proprietary protocol
  • Fail open interfaces (bridge mode only)
  • VRRP
  • STP and RSTP
• Alerting various monitoring and security event management systems trough  SNMP, Syslog, Email,
• Integrated graphical reporting
• Real-time dashboard.
• Pre-defined and custom correlation rules incorporate all security elements to detect complex, multi-stage attacks.

7. Data Base Security Assessment
I have been using SCUBA, Imperva’s Free Database Vulnerability Scanner for a while and it proved efficient in a few assignments. Little did I know that SecureSphere Database Security Gateway uses a 50 times larger database vulnerability scanner whenever a new database systems is included for monitoring / protection.

It just seems very logic for a Database IPS / Firewall to have inside knowledge about the configuration, patch level, roles, and data of the systems it’s supposed to defend. It all comes down to the big importance of data profiling

8. Correlation Across Layers
One important evaluation criteria for any Firewall / IPS is the way it handles false positives and false negatives. Regardless of the layer it works on (network, application); the firewall should not block any legitimate request. Tough requirement to meet, especially when one has to cover multiple OSI layers (network, transport, presentation, application)!

Imperva has developed an internal correlation engine named Correlated Attack Validation (CAV) which tracks and correlates multiple events to accurately identify and block sophisticated attacks.

This is one example of blocking an attack which uses HTTP Request Smuggling  evasion technique:

9. SQL queries AND response
Many database monitoring and audit solutions will log the SQL queries but I’m not sure how many would think of logging the SQL response as well thus leaving one open door for insider threats.

The sheer volume of data can render this logging unusable, but Imperva has managed to deploy a very simple and effective solution: it stores the audit logs (SQL request and response) as flat files and this has little to no effect on traffic inspection.

10. Universal User Tracking
Accountability and non- repudiation are two cornerstone requirements for any solid security management system but it’s been very difficult to implement them because the way most web application work:

• Phase 1: The user logs into the web application using his username / token, etc. –
• Phase 2: The user clicks on a link which translates into a series of SQL queries to be passed to the database layer.
• Phase 3: The application server initiates a database connection using a generic application user.
• Phase 4: The database executes the query and returns the data to the application server which in turn presents the data to the user.

Somewhere between phase 2 and 4, the chain of accountability has been broken and there is no direct link between an user and the SQL query run on the database.

This is where Imperva’s Universal User Tracking kicks in: it makes users accountable for their actions – even when they access data through business applications. To identify application IDs, a dedicated SecureSphere interface monitors application user sessions and correlates those sessions with specific database transactions.

Conclusions
Imperva SecureSphere represents an advanced business application security control which has taken the concept of Firewall & IPS to the application layer with great results.
Just like CheckPoint in 1993 changed  the network firewall forever, I wouldn’t wonder if 15 year later Imperva establishes itself as a reference in Activity Monitoring, Audit and Security for Business Applications and Databases.

However, take my review with a grain of salt as I didn’t test the product myself. .. Yet I plan to set-up a head to head  clash between an automatic web attack suite and an automatic web firewall . Now that’s going to be fun

Share This

Microsoft has released FastCGI which is a free server component enabling hosting of PHP applications on Windows Server 2003 and IIS 6 with increased reliability, scalability, and security.

Most of the applications built for IIS use the native multi-threaded application model. This was not the case for the applications initially written for Linux and ported on Windows such as PHP extensions. Even though the PHP engine is multi-threaded, many of the PHP extensions are not multi-threaded and this takes away the advantage of multiple concurrent request processing.

The Microsoft FastCGI Extension for IIS  provides full support for hosting and executing FastCGI enabled applications on IIS in high performance and reliable way.

Some of the important features provided in this release of FastCGI Extension are listed below:

 

• Reliable hosting of non thread-safe applications (such as PHP) in FastCGI mode by enforcing single request concurrency per FastCGI process
• Support for hosting of FastCGI application frameworks on shared servers by providing necessary configurable.
• Rich set of configuration options for tweaking performance of FastCGI extension and FastCGI processes.

The most surprising detail of FastCGI is the cost : FREE as in beer !

Download it and be gentle on Microsoft with the bug reports. After all…they are taking baby steps into free software business

Share This

I don’t know about you, but I owe a big part of my education and career to my independent study and research because not many universities were offering Bachelor / Master Degrees in Information Security back then.

Times have changed and today I came across a very interesting online cybersecurity degree offered by the Utica College : it’s a Bachelor of Science degree in Cybersecurity and it provides two concentrations :

• Cybercrime Investigations and Forensics
• Information Assurance

Security vulnerabilities and threats have changed and the age-old saying “follow the money” seems more vivid than ever. The technology behind financial operations has induced a new breed of risks which must be addressed from both Accounting and Computer Science point of view.

In order to address this risk, Utica College offers an unique set of Economic Crime Degrees which focuses on Financial Investigation in order to detect and investigate fraud and other economic crimes.

It’s good to see that the academic world  is adapting to the security threats we face nowadays and I hope that more and more students will chose the path we got to love and hate everyday . Only they won’t have to walk the same rough path thanks to new online education and training available today.

Share This

Although one may argue that a firewall does not really solve the security problems of an organization, I highly doubt anyone would design a modern network security schema without a solid firewall.

There are many open source network firewalls available on the market and this is why I was very glad to discover an open source web application firewall available for free.

Profense is the flagship product of Armorlogic, a Danish software development company created in early 2005 by Jakob Frydendal Gercke and Srebrenko Sehic, internet security specialists working as Big 4 consultants.

Apparently they founded they own company around web application security and positive security models. It paid off and Profense is already shipping its version 2.

The free version of the product is based on a stripped and hardened OpenBSD platform making it a hard to break appliance .Profense Base is packed with commercial grade features such as

Web Application Firewall

• Positive filtering
• Automatic Policy Generation
• HTTPS (SSL) Aware

Web Accelerator

• Traffic compression
• TCP connection off-loading
• Static content caching
• Dynamic content caching

Load balancer:

• HTTP / HTTPS Load balancer
• Session Persistence

I think that the kind folks at Armorlogic deserve all the community support they can get, so I invite you to download Profense Base and give it a spin!

Share This

As you know, Kerberos was originally developed at MIT as the authentication protocol for MIT’s Project Athena in 1983 and was adopted as an IETF standard in 1993. The quick release of Kerberos as an Open source tool in 1987 led to a massive adoption amongst IT vendors up to a point that there is no way back to a non Kerberos world.

This is the reason why seven large organizations have decided to form The Kerberos Consortium whose goal is to establish Kerberos as the universal authentication platform for the world’s computer networks.

The Consortium Operating Principles:

• Be a not-for-profit consortium of companies led by MIT.
• Develop authentication and authorization technologies for computer networks based on the Kerberos system.
• Meet the needs of users, operating system vendors, application vendors, and other members of the Kerberos community
• Expand, and accelerate, the implementation and standardization efforts that MIT currently undertakes.
• Provide a valuable forum by which customers and vendors can communicate their needs for the future of Kerberos
• Provide a neutral environment, interoperability and functionality issues of concern to the wider Kerberos community.

The Consortium’s members (sponsors) include big names in the industry such as Google and Stanford Univ. so it might well be One ring to rule’m all

Share This

Finjan has released it’s Web Security Trends Report - Q3/2007 (PDF) and I found it quite interesting to read.

One of the innovative research presented in the report is the security model and risk posed by the various widgets which seem to be the hottest trend in GUI design.Either built for WWW, Windows Vista or Macintosh OSX Dashboard,the widgets are everywhere and Finjan found vulnerabilities in widgets and gadgets that enable attackers to gain control of user machines.

This report also presents a detailed analysis of a very special malware : the financial data trojan which gets  activated whenever an user does internet banking or logs in a financial institution website . "Financially-focused crimeware – what happens when a trojan goes phishing" shows step by step all the Crimeware Trojan Workflow :

1. Detect login page to a financial service
2. Send the login credentials to the financial service as well as the crimeware server
3. Crimeware server response contains custom designed page to get more sensitive information (designed for the service provider)
4. Crimeware on infected PC injects the custom page into the browser (which is already connected via SSL to the financial provider)
5. Victim enters sensitive data into customized form
6. Crimeware sends customized form data to crimeware server
7. Crimeware gets the financial service response to the original login credentials and shows them on the browser.

Get a copy of this report here .

Share This

I’m reading today that InfoWorld has announced the 2007 Best of Open Source in Security Awards and as far as I can see nothing new showed up in the awards list.

There awards categories include vulnerability scanning, intrusion prevention, anti-virus, anti-spam, firewalls, VPNs, and security testing.

In security, open source rushed in because commercial vendors fell down on the job. As security problems in the enterprise outstripped the capabilities of commercial solutions, a number of talented security researchers stepped into the breach via the open source model.

As expected, the winners within each category are well established, widely used open source applications with milions of daily users. It’s really a tough job for a new OpenSource application to make it to the short list of nominees.

Without further ado, these is the Best of open source in security:

• Network Vulnerability Assessment : Nessus
• Intrusion Prevention : Snort
• Anti-Virus : ClamAv (recently  acquired by SourceFire)
• Anti-Spam : SpamAssassin
• Best Firewall : IPCop
• Best SSL VPN : OpenVPN
• Best Security Testing Resource : OSSTMM

Share This