Articles

Why haven’t user interfaces for security products taken advantage of human movement technologies? Minority Report was released in 2002 — that’s 10 years ago for those of you counting at home. Even with the invention of Nintendo’s Wii controller in 2006 and Microsoft’s Xbox Kinect controller in 2010 (not to mention the subsequent release of Microsoft’s Kinect SDK), a commercial Minority Report-like interface has yet to be commercially released.

Check out my post at the Dark Reading Security Monitoring Tech Center.

{ Comments on this entry are closed }

Recently, a project manager I work with asked me if I had manually validated a set of security flaws I uncovered during a web security assessment. The flaws in question were related to the server host and not the actual Web application. I actually had not manually validated every single finding in that regard. I paused to think about it and understood why he asked. The scope of the assessment stated we’d use automated tools and perform manual analysis of the hosts and applications we were testing. During discussions with the client it became clear to him that I had not manually validated every single flaw – hence his question.

Let me explain why I didn’t validate everything. When you’re testing IP-based hosts, you often don’t need to manually validate every single finding – only occasionally. However, with Web applications, you need to validate just about everything to ensure you’re not documenting problems and solutions for issues that don’t even exist. I told the project manager that for an SSL certification flaw I uncovered, the scanner is providing the same information I’d be able to get via any other means. Ditto with a flaw that uncovered an outdated version of the server’s operating system.

Another flaw was regarding the internal IP address being exposed on the server. The project manager was specifically interested in that finding. I told him that the internal IP address uncovered was right before us in the scanner results. Although there may be some circumstances that warrant it, I’ve never found a need to manually validate this specific vulnerability. In fact, this one could be next to impossible unless you’re on the internal network, but that’s a different discussion. Either way, if the scanner finds an internal IP address, it finds an internal IP address. There’s no other explanation for how a scanner could come up with a random internal IP address that happens to match an internal IP addressing scheme (that I happened to know of) otherwise.

Be it a web vulnerability scanner or advanced penetration testing tools you use manually, you need reliable means to ferret out such information, especially if it’s to be reliable and accurate. But in most cases, based on my experience, you’re not going to have to double-check every single finding of a server host in this regard.

Keep in mind that not every flaw is the same. Some require true validation and some won’t even be found using automated tools. Testing for security vulnerabilities is as much of an art as it is a science and experience using the tools, knowing what to expect from them, deciphering their results and knowing what else to look for is critical. That still doesn’t mean we’ll find it all…there’s no way to guarantee that. As with radiologists and home inspectors, there are just too many variables and unknowns involved.

Regardless, Web application or IP-based host, if I, based on my knowledge and experience, believe something needs further manual analysis then I’ll do it. If not, I’ll leave it be and document it as such. Once you’re comfortable doing so, I recommend you do the same.

Interestingly, it ended up being that the client’s questions weren’t about whether or not I actually validated each and every finding, but rather whether or not the hosts I listed in the report were indeed affected. There’s a difference. Make sure you keep all of this in mind and everyone is on the same page as you move forward with your security testing. Proper scoping and advance planning are half the battle.

{ Comments on this entry are closed }

I recently participated in a webinar aimed at helping physical security professionals, corporate security managers and others responsible for both physical and logical security. This is an area of security that doesn’t get near the attention it deserves – especially when it comes to the Web security component.

Look at any given physical security-related video or access control system and the technology is amazing. From high-definition to DVR storage to remote access, you can literally control your physical security systems from a simple Web browser or even a mobile app. The problem is these systems are getting lost in the information systems complexity present in the average enterprise. But they’re no different than any other Web-based system – the potential for Web related vulnerabilities is endless. All it takes is a rogue insider or, in certain cases, an external attacker to compromise the essence of your organization’s physical security.

There’s a bit of irony in it all.

When performing my information security assessments, any given video management or access control system is chock full of Web flaws such as cross-site scripting, cross-site request forgery and so on. There are also more general flaws such as default passwords, no SSL, no audit logging or alerts enabled – no nothing related to application security. To top it all off, these systems are rarely, if ever, patched. Typically a systems integrator installs the physical security systems with zero security in mind and the systems stay that way with no one monitoring them, no one maintaining them…there’s no accountability.

Anyone with ill intent has free reign to watch (and control) internal video cameras, cover their tracks by deleting logs and actual video files, setup backdoor accounts and so on – all the things that bad guys do.

Indeed, we have a long road ahead of us in securing physical security-related video and access control systems. I strongly believe that unless and until these systems are included in the scope of Web security testing, businesses, government agencies and everyone in between will continue to have these critical security flaws flying under the radar.

Like with any other computer system, if it has a URL or an IP address, it’s fair game for attack. Give these systems the attention they deserve.

{ Comments on this entry are closed }

Text messages have largely replaced seasonal (and non) greeting cards, and there are mobile apps out there that let you send prewritten witty/sweet messages to friends and family. But there are also some that pretend to do that, and F-Secure researchers have recently spotted a Trojan targeting Chinese Android users that masquerades as just that [...]

{ Comments on this entry are closed }

Passwords for document files are commonly used to prevent unauthorized access to the files by encrypting them with passwords. However, attackers are misusing the password feature to encrypt files, most likely to make it difficult for security products to detect them as malware,” say the researchers. “It also makes reverse-engineering the files difficult because they [...]

{ Comments on this entry are closed }

Just a day after security researcher Stefan Viehbock released details of a vulnerability in the WiFi Protected Setup (WPS) standard that enables attackers to recover the router PIN, a security firm has published an open-source tool capable of exploiting the vulnerability. The tool, known as Reaver, has the ability to find the WPS PIN on [...]

{ Comments on this entry are closed }

I’ve had several questions from clients recently on how they can to secure FTP running on their web servers. The easy and short-sighted response would be “Are you nuts? You need to run FTP on a dedicated server!” However, looking at it from a business perspective considering things like money, politics, business process and third-party system architectures – it’s not that simple of a fix.

Best practice or not, FTP is often running on web servers and it’s certainly something worth poking and prodding for additional security flaws. I often see outdated FTP software and anonymous access enabled to the outside – both of which can be exploited for ill-gotten gains potentially exposing the entire web server to web hacking and public exposure. The biggest risk to me, though, is weak FTP passwords waiting to be uncovered by dictionary or brute-force password authentication attacks. This is an attack that can go unnoticed indefinitely and put critical business information at risk – especially if intruder lockout is not enabled which is usually the case.

Many of my clients use third-party managed firewalls and intrusion detection and are typically alerted to such attacks against FTP. Yet still, any login hacking attempt can make you nervous especially knowing that manual cracking is likely to fly under the radar of these controls. So the question becomes, is there anything you can do to be more proactive and prevent FTP password-cracking attempts from occurring in the first place?

The ultimate control is to remove FTP from public access but that’s often not a reasonable option. Managed firewall and IPS is another great option. Ditto with any in-house firewall/IPS you may have. Changing the default FTP ports can help prevent automated attacks. This will provide minimal value and may end up being more trouble than it’s worth but it’s an option nonetheless. Otherwise, the best you can do is ensure that complex passwords are in place and enforced and intruder lockout is enabled on the FTP server.

All of this starts with knowing how your Web/FTP servers are currently at risk. Running a simple port scan of your external-facing systems can uncover FTP that you may not have known about – or have forgotten about. I recommend going a step beyond that running a good vulnerability scanner of the host itself to see what FTP-centric flaws it uncovers. In the end, you’ve got to look at your Web servers from every angle. All it takes is one seemingly benign weakness to undermine everything you’ve worked so hard to harden and protect.

{ Comments on this entry are closed }

Like chemists, carpenters and doctors, those of us working in IT need good tools if we’re expected to do a good job. When dealing with application security, good security testing tools will always set the professionals apart from the amateurs. In fact, the quality of your tools for performing a site security audit will have a direct impact on the number of vulnerabilities you discover and the overall success of your testing.

Many have argued – myself included – that you cannot rely on tools alone to find all security vulnerabilities. This is absolutely correct. In all but the most basic security checks, you have to rely on experience and technical knowledge to root out the less-than-obvious vulnerabilities that blackbox scanners simply cannot find. That said manual testing alone is just too time consuming, limited and, for many, downright difficult. A good balance of tools and manual analysis is needed.

The major issue here is that selecting ineffective security testing tools can be a costly venture. I’ve burned thousands of dollars and countless hours on tools that seemed like a good fit based on their tricked out websites and fancy marketing slicks. But talk is cheap so buyer beware. You have to take these tools for a spin to see if they’re going to be a good fit based on YOUR style inside YOUR environment, and based on YOUR business needs.

Whether you’re doing the actual work or just want to make sure your IT and security staff members are using what’s best for the organization, the simple truth is that good security audit tools can and will make a difference. Always remember that there is no one best tool but if you’re smart about your approach you shouldn’t have to spend a lot of money to get the job done right. If you invest a relatively small amount time researching, asking prospective vendors tough questions and actually trying the tools before you buy them, then you can’t lose.

When you choose and use good tools, you’ll know it. Amazingly, you’ll minimize your time and effort installing them, running your tests, reporting your results – everything from start to finish. Most importantly, with a good web vulnerability scanner you’ll be able to maximize the number of legitimate vulnerabilities discovered to help reduce the risks associated with your information systems. At the end of the day and over the long haul, this will add up to considerable business value you can’t afford to overlook.

{ Comments on this entry are closed }