Tuesday 28 February 2012

Web application mini conference

Attended a great mini conference tonight, the joint Anglia Ruskin University & OWASP "Building security into application development" Web application mini conference at the Anglia Ruskin University, Cambridge.
The speakers were Dinis Cruz, Fabio Cerullo and Colin Watson, all from OWASP.

Dinis Cruz introduced what OWASP is and what it stands for, explaining how to participate, and discussed a number of projects they are running, including some they hope will be included in Google Summer of Code. He also introduced a project he has driven, the O2 Platform application security framework: http://www.o2-platform.com/wiki/Main_Page

Fabio Cerullo discussed the Open Software Assurance Maturity Model and the Enterprise Security API, and told us about ASVS, ESAPI, OpenSAMM and Swingset, with a demo of some of the features of Swingset Interactive, an interactive tool that helps developers use ASVS and ESAPI.

Colin Watson finished the evening discussing the AppSensor project, which is a web application intrusion detection tool allowing real-time attack detection and response.

The conference was organised by Adrian Winckles, who is looking to start an East Anglia & Cambridge chapter of OWASP and a local student group based on information security.

Monday 27 February 2012

Tool Update 27th Feb 2012

Another round-up of tool releases that can be useful to the pen tester. My aim is to do this on a weekly basis, and if you are aware of any new tools or releases of existing tools you feel should be included please contact me with the details.

The comments here are my own views and I am not recommending any one product over another; if you are looking for tools I recommend trying a few, as most have free versions, and picking the one that works for you. We all have our own methods of working, and a pen tester's tool bag reflects their own personality.

Hoping that the RSA conference will generate some interesting tool announcements, and from the postings during the first day I won't be disappointed. I hope to cover the announcements over the next few weeks.

One of the big news items this week is that BackTrack 5 R2 will be released for download via torrents on 1st March; however, it has been possible to update existing copies of BackTrack 5 R1 manually to the new release since 25th Feb. See http://www.backtrack-linux.org/backtrack/upgrading-to-backtrack-5-r2/ for details on how to do so.

On a note closer to home, N-Stalker http://www.nstalker.com/ had an update that fixes a number of issues, including one with HTTP NTLM authentication over SSL proxies. This is a tool I use at work, and we have been having problems with macro authentication on an SSL site. Full marks to N-Stalker and their technical support team for a quick response and for the update.

One I missed is that inSSIDer was updated on Feb 10th; shame on me, as it is one of my favourite wireless security tools, along with most of the products from MetaGeek: http://www.metageek.net/products/inssider/
I am hoping to do the next tool update on 5th March, where I will be covering some of the releases from RSAC 2012.

Categorising cyber criminals

An article by Eric Chabrow ( http://www.bankinfosecurity.com/blogs.php?postID=1206 ) prompted me to look at the different attempts at trying to slot hackers into categories, as I had discussed Raoul Chiesa's Hacker Profiling Project with University students whilst teaching on Computer Security and Forensic courses. There have been a number of attempts at trying to slot hackers into categories since Landreth's book "Out of the inner circle" in 1989. I have tabulated the main attempts I found, and it is interesting to see how the view of hackers has changed since 1989.

| Eric Chabrow (2012) | McAfee (2011) | Roger Grimes (2011) | Marcus Rogers (2008) | Chiesa (2006) | Landreth (1989) |
|---|---|---|---|---|---|
| Script Kiddies | Script Kiddies | Cyber criminals | Novice | Wannabe lamer | Novice |
| Hacking Group | Black Hat Hackers | Spammers and adware spreaders | Cyber-punks | Script-kiddie | Student |
| Hacktivists | White Hat Hackers | Advanced persistent threat (APT) agents | Internals | Cracker | Tourist |
| Black Hat Professionals | Hacktivists | Corporate spies | Coders | Ethical hacker | Crasher |
| Organized Criminal Gangs | State Sponsored Hackers | Hacktivists | Old guard hackers | Quiet paranoid and skilled hacker (QPS) | Thief |
| Nation States | Corporate Spy Hackers | Cyber warriors | Professional criminals | Cyber-warrior | |
| Automated Tool * | Cyber Terrorists | Rogue hackers | Information warriors/cyber-terrorists | Industrial spy | |
| | | | | Government agent | |
| | | | | Military hacker | |

The view of hackers has moved on from the collection of computer enthusiasts at the Massachusetts Institute of Technology in the 1960s to today's mainstream use of the term to mean a person who subverts the security around a computer system, whether for illegal (Black Hat Hacker) or legal (White Hat Hacker) purposes. From Eric Chabrow's list of categories it is evident that he concentrated on the illegal activities of a hacker, even though in his article he says "Not all that fall into the hacker category are cyber criminals". I would propose that adding a category of White Hat Professional, to cover the non-governmental ethical hacker and security researcher who tests computer security with the permission and blessing of the owner of the system, would provide a better taxonomy for the classification of hackers.

Thursday 23 February 2012

CPD Presentation

As part of maintaining my certifications I gave a talk on Exploits, Trojans and Rootkits to the Hertfordshire Branch of the BCS last night in Hemel Hempstead, at the offices of Steria. The talk was aimed at the non-security professional, and as the event was open to members of the public I tried not to assume a high level of technical knowledge within the audience.

The presentation's aim was to explain what the terms mentioned in both the specialist and general press actually mean. I covered what a vulnerability is, and that it is not necessarily a technical problem; often the vulnerability is between the keyboard and the chair. I discussed how threats make use of vulnerabilities by exploiting them, and covered different types of attack, from network problems to social engineering via phishing. I explained that a trojan is a seemingly innocent object, whether a programme, game, picture etc., and that these objects allow a malicious payload to be installed. I discussed the term backdoor and how it can be used to let a remote command and control centre take control of the machine and gather information for the attacker. The last point was the term rootkit and how it can hide details of the malware from the operating system.

The final part of the evening was a demonstration using virtual machines, showing how an attacker can probe a machine, identify a possible vulnerability and then attack it by trying to exploit that vulnerability; in this case I used a buffer overflow on the RPC port. The exploit opened a backdoor allowing a telnet connection to the compromised machine, where I created a user, elevated their privileges to allow full control of the machine, used the tftp client to download additional malware onto the compromised machine and then ran a toolkit, showing the audience how folders, processes and services can be hidden from a user on the compromised machine. I finished with a discussion of techniques to reduce the possibility of vulnerabilities being found and exploited.

The question and answer session was lively, a measure that the talk was successful; a range of questions from both security practitioners and everyday computer users were asked, and occasionally I had to rein the discussions back to the topic in question. In all a good evening, and a couple more CPD points earned towards continuing certification.

I will be back in Hemel in June for a talk looking at the Hollywood portrayal of digital forensics and a discussion of the realities.

Wednesday 22 February 2012

Tools Updates

It has been a good week for pen testing tools, with a number of major packages getting updates.

Netsparker 2.1 was released; it can crawl, attack and identify vulnerabilities in custom web applications regardless of the platform and technology they are built on, just like an actual attacker.

THC-Hydra 7.2, a network login brute-force tool, was updated. Hydra is a parallelised login cracker which supports numerous protocols to attack. New modules are easy to add; besides that, it is flexible and very fast. Hydra was tested to compile on Linux, Windows/Cygwin, Solaris 11, FreeBSD 8.1 and OS X, and is made available under GPLv3 with a special OpenSSL licence expansion.

Tenable Network Security announced Nessus 5.0, a vulnerability and configuration assessment solution for enterprises and security professionals.

Acunetix Web Vulnerability Scanner 8 (WVS) was released; it echoes years of counter-hacking experience through its new ability to lock hackers out by integrating scan results into Imperva's Web Application Firewall, and by recognising a new breed of vulnerabilities through new detection methods.

Metasploit 4.2 was released, adding 54 new exploits, 66 new auxiliary modules, 43 new post-exploitation modules and 18 new payloads.

Monday 20 February 2012

What makes an ethical hacker legal

Whilst doing my normal trawl through various blogs and web sites looking for interesting information security stories I came across another story about Glenn Mangham http://nakedsecurity.sophos.com/2012/02/20/jail-facebook-ethical-hacker/ who has recently been jailed for hacking Facebook.

What made this story jump out at me was the title of the story, "Jail for 'ethical' hacker who bypassed Facebook security from his bedroom", rather than the previous headlines about a British student jailed for hacking. For those not familiar with this case, Glenn Mangham had already obtained money from Yahoo for finding vulnerabilities in their systems, and his defence for this offence was that he was an ethical hacker. Now my own understanding of what makes a person an ethical hacker as opposed to a criminal is that they have permission to test a system for vulnerabilities, and then to move on to exploiting them, before they start testing the systems. The defence team argued that he was a white hat or ethical hacker, but being lucky and being paid by Yahoo rather than being prosecuted does not make a person an ethical hacker. Whilst teaching students at a University on a computer security and forensics course, I often discussed the terms white hat, black hat and grey hat with the students, and made sure that they understood that any access to a computer system required permission from the legal owner, a person who had the responsibility within the organisation to give permission for access to be made; this applied to vulnerability/penetration testing as well as to forensic investigation. In my view Glenn was never an ethical hacker and should not be described as such.

So the answer to what makes an ethical hacker legal is that there is an agreement between the tester and the legal owner of the system being tested that gives permission for the testing to be carried out.

In one respect Glenn was lucky that no one in America decided to try and extradite him to the USA to stand trial, where he would have been sentenced to more than 8 months in jail.

Saturday 18 February 2012

Presentation To College Students

As part of keeping my certifications current I undertake CPD, and as part of this I will be talking to students from Bedford College in early March about computer security. I am pleased, as this will be the second year of doing this and it is always great to be invited back and asked to repeat a presentation. It is great to talk to the students at foundation degree and BTEC level, to give them an understanding of what is required to become a professional in the information security field and to talk about how the basics they are learning apply to the real world. The session runs for about 3 hours and includes demos to break up my talking at them; they also get a coffee break. The question and answer sessions always show how some students can come up with great questions alongside the predictable ones.

Friday 17 February 2012

Evaluation of Nessus Version 5

I evaluated Nessus v5 by comparing it head to head with the previous version against a test web application, using the badstore.net vulnerable web application as the target for the comparison.

There is an improvement in the GUI and the way results are displayed in version 5; additionally it has five categories of issues (critical, high, medium, low and info) compared to the three categories in v4. Using Nessus version 4 I detected 81 issues across its three categories against the test application; Nessus version 5 detected 90 issues across its five categories.
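As an added example (not part of the original post and not Tenable's code), the script below tallies findings per severity from a .nessus export, the NessusClientData_v2 XML that both Nessus 4 and 5 write. Each ReportItem carries a numeric severity attribute (0 info, 1 low, 2 medium, 3 high; Nessus 5 added 4 for critical), so the same parser produces the three- or five-bucket breakdown for either version. It also counts distinct plugin IDs, which is closer to the number of issues you actually have to fix once a plugin that fires on several ports or hosts is de-duplicated, and lists the high and critical rows in triage order. The sample document embedded in the script is constructed for the example and is not output from the badstore.net scan; its plugin IDs, plugin names and addresses are made up.

```python
import xml.etree.ElementTree as ET
from collections import Counter

# Meaning of the ReportItem severity attribute in NessusClientData_v2 exports.
# Nessus 4 used 0-3; Nessus 5 added 4 (critical), which is the fifth category.
SEVERITY_NAMES = {0: "info", 1: "low", 2: "medium", 3: "high", 4: "critical"}

# Constructed sample export for this example, not output from a real scan.
# Plugin IDs and names are made up; the hosts use RFC 5737 documentation addresses.
SAMPLE_NESSUS = """<NessusClientData_v2>
  <Report name="badstore-demo">
    <ReportHost name="192.0.2.10">
      <ReportItem port="80" svc_name="www" protocol="tcp" severity="4"
                  pluginID="10000" pluginName="Constructed critical finding"
                  pluginFamily="Web Servers"><risk_factor>Critical</risk_factor></ReportItem>
      <ReportItem port="443" svc_name="www" protocol="tcp" severity="3"
                  pluginID="10003" pluginName="Constructed high finding"
                  pluginFamily="Web Servers"><risk_factor>High</risk_factor></ReportItem>
      <ReportItem port="80" svc_name="www" protocol="tcp" severity="2"
                  pluginID="10001" pluginName="Constructed medium finding"
                  pluginFamily="Web Servers"><risk_factor>Medium</risk_factor></ReportItem>
      <ReportItem port="80" svc_name="www" protocol="tcp" severity="0"
                  pluginID="10002" pluginName="Constructed info finding"
                  pluginFamily="General"><risk_factor>None</risk_factor></ReportItem>
    </ReportHost>
    <ReportHost name="192.0.2.11">
      <ReportItem port="80" svc_name="www" protocol="tcp" severity="2"
                  pluginID="10001" pluginName="Constructed medium finding"
                  pluginFamily="Web Servers"><risk_factor>Medium</risk_factor></ReportItem>
      <ReportItem port="22" svc_name="ssh" protocol="tcp" severity="1"
                  pluginID="10004" pluginName="Constructed low finding"
                  pluginFamily="Service detection"><risk_factor>Low</risk_factor></ReportItem>
    </ReportHost>
  </Report>
</NessusClientData_v2>
"""


def _items(nessus_xml):
    """Yield (host name, ReportItem element) pairs from a .nessus v2 document.

    xml.etree is fine for an export produced by your own scanner; for files
    from an untrusted source parse with defusedxml instead.
    """
    root = ET.fromstring(nessus_xml)
    for host in root.iter("ReportHost"):
        for item in host.findall("ReportItem"):
            yield host.get("name"), item


def _severity_name(item):
    return SEVERITY_NAMES.get(int(item.get("severity", "0")), "unknown")


def severity_counts(nessus_xml):
    """Findings per severity, counted the way the Nessus GUI does: one per ReportItem."""
    counts = Counter(_severity_name(item) for _, item in _items(nessus_xml))
    return dict(counts)


def counts_by_host(nessus_xml):
    """The same breakdown per scanned host."""
    per_host = {}
    for host, item in _items(nessus_xml):
        per_host.setdefault(host, Counter())[_severity_name(item)] += 1
    return {host: dict(c) for host, c in per_host.items()}


def unique_plugins(nessus_xml):
    """Distinct plugin IDs that fired. One plugin hitting several hosts or ports
    inflates the raw finding count but is a single issue to remediate."""
    return sorted({item.get("pluginID") for _, item in _items(nessus_xml)})


def top_findings(nessus_xml, minimum=3):
    """(severity, host, port, pluginName) for findings at or above `minimum`,
    highest severity first: the order a tester works through them."""
    rows = [
        (int(item.get("severity", "0")), host, item.get("port"), item.get("pluginName"))
        for host, item in _items(nessus_xml)
        if int(item.get("severity", "0")) >= minimum
    ]
    return sorted(rows, key=lambda row: -row[0])


if __name__ == "__main__":
    print("per severity:", severity_counts(SAMPLE_NESSUS))
    print("per host:", counts_by_host(SAMPLE_NESSUS))
    print("distinct plugins:", len(unique_plugins(SAMPLE_NESSUS)))
    for row in top_findings(SAMPLE_NESSUS):
        print(row)
```

Run it as a script to print the buckets for the embedded sample; to repeat the comparison in this post, pass the text of the v4 and v5 exports of the same target to severity_counts and unique_plugins, since a difference in raw finding counts can come from one plugin firing on extra ports rather than from new issues.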

Summary

A quick analysis shows version 5 better categorised the detected issues, helped by the two additional categories; in timing performance it seemed slightly slower than version 4, although I need to repeat the timing tests under better-controlled conditions.
In general version 5 seems to be an improvement, and the client GUI is a definite improvement along with the additional categories. One point is that to get the best of the new client GUI in version 5 when reviewing the issues, a large wide-screen monitor is desirable.

I will post additional results if I get the time.

Screen shot of Nessus v4

Screen shot of Nessus v5

New blog site

Well, here it is, a blog site to go alongside my twitter account. What will I be posting on this blog? Well, it will be similar content to my twitter: a lot of infosec related posts and the occasional personal content. However, don't expect this to be kept up to date with an entry every day.
Follow me on twitter @GeraintW