atrysk security (blog by Atrysk)

<h2>McAfee: Enabling XSS for your site</h2>
<p>Posted 2009-05-06</p>
<p><a href="http://www.mcafee.com/us">McAfee</a>, widely recognized as one of the leading providers of online security software for both home and business, appears to be struggling to secure its own Web sites, which, at the time of writing this post, allow anyone with enough tech savvy to covertly do whatever they want on, and with, the site.</p>
<p>During tests this weekend, we discovered the company who claims to "keep you safe from identity theft, credit card fraud, spyware, spam, viruses and online scams," has several cross-site scripting (<a href="http://en.wikipedia.org/wiki/Cross-site_scripting">XSS</a>) vulnerabilities and provides the bad guys with a brilliant - albeit ironic - launching pad from which to unleash their attacks.</p>
<p><a href="http://www.readwriteweb.com/archives/mcafee_enabling_malware_distribution_and_fraud.php">http://www.readwriteweb.com/archives/mcafee_enabling_malware_distribution_and_fraud.php</a></p>

<h2>BSQL (Blind SQL) Hacker</h2>
<p>Posted 2008-08-21</p>
<p>This is definitely a tool to check out....</p>
<p>BSQL (Blind SQL) Hacker is an automated SQL Injection Framework / Tool designed to exploit SQL injection vulnerabilities in virtually any database.</p>
<p>BSQL Hacker aims at experienced users as well as beginners who want to automate SQL Injections (especially Blind SQL Injections). It allows a Metasploit-like exploit repository to share and update exploits.</p>
<p><a href="http://labs.portcullis.co.uk/application/bsql-hacker/">http://labs.portcullis.co.uk/application/bsql-hacker/</a></p>

<h2>Patience Pays Off for Hackers in Web Security War</h2>
<p>Posted 2008-08-12</p>
The hacker group behind the Coreflood Trojan has learned that patience pays, as it has stolen at least 463,582 user names and passwords while flying under the radar.
At Black Hat, SecureWorks Director of Malware Research Joe Stewart discussed his research on the gang and how it has gone undetected.<br /><br />
LAS VEGAS—The creators of the Coreflood Trojan have managed to stick their digital hands into the pockets of victims for years. And they have done it largely under the radar, according to research revealed at the Black Hat conference here Aug. 6.<br /><br />
[ <a href="http://www.eweek.com/c/a/Security/Patience-Pays-Off-for-Hackers-in-Web-Security-War/">Read Article</a> ]

<h2>Clear Program >= "Pathetic"</h2>
<p>Posted 2008-08-08</p>
<p>I must say, I'm completely blown away by what has happened with the Clear Program. For those of you who do not know what/who Clear is....</p>
<blockquote>Clear® is the fast pass for airport security. Clear members are pre-screened and provided with a high-tech card which allows them to access designated airport security fast lanes nationwide. Clear members pass through airport security faster, with more predictability and less hassle.</blockquote>
<p>Basically, they pre-screen you through TSA and give you a card to carry around so you don't have to wait in line with all of the other yahoos. So let's take a look at the recent email that just came out. First line of the email ...</p>
<blockquote>We take the protection of your privacy extremely seriously at Clear.</blockquote>
<p>This isn't giving me a warm feeling. Next?</p>
<blockquote>Before we could send out that notice, the laptop was recovered. And, we have determined from a preliminary investigation that no one logged into the computer from the time it went missing in the office until the time it was found. Therefore, no unauthorized person has obtained any personal information.</blockquote>
<p>Okay....this isn't getting any better. Next?</p>
<blockquote>We are sorry that this theft of a computer containing a limited amount of applicant information occurred, and we apologize for the concern that the publicity surrounding our public announcement might have caused. But in an abundance of caution, both we and the Transportation Security Administration treated this unaccounted-for laptop as a serious potential breach. We have learned from this incident, and we have suspended enrollment processes temporarily until all pre-enrollment information is encrypted for further protection. The personal information on the enrollment system was protected by two separate passwords, but Clear is in the process of completing a software fix - and other security enhancements - to encrypt the data, <b><span style="color:red;">which is what we should have done all along</span></b>, just the way we encrypt all of the other data submitted by applicants. Clear now expects that the fix will be in place within days. Meantime, all airport Clear lane operations continue as normal.</blockquote>
<p>So .... as a security person, my first question would be -- HOW DID THIS COMPANY GET APPROVED TO OPERATE WITH TSA SENSITIVE DATA WITHOUT THE USE OF ENCRYPTION? Yet another quote from the <a href="http://www.flyclear.com/footer/privacy_fairinfo.html">privacy policy</a>....</p>
<blockquote>TSA also conducts periodic audits to assure that we comply with their extremely high standards of data security.</blockquote>
<p>Okay...I won't be hiring these idiots to perform my next vulnerability assessment...</p>
<blockquote>We use encryption (a strong data coding process) for all program sensitive data communications. We apply firewalls to guard against outside intruders.</blockquote>
<p>Wow! Now this is really surprising to me -- yet another group of yahoos who think that a firewall is going to guard your applications from compromise. Brilliant.</p>
<p>I'm sorry folks, but there are few moments in life when you really do find yourself speechless -- and well.....I guess this is one of them. I must say - if this is the way these folks plan to do business, you might want to: (a) not enroll, or (b) enroll and quickly find yourself a good lawyer.</p>
<p>Ug.</p>

<h2>Cross Site Request Forgery and Same Origin Policy</h2>
<p>Posted 2008-08-07</p>
<p>There has definitely been an increase in the number of conversations around XSS and CSRF. If you are looking to understand the basics of these attacks, this is an excellent article....</p>
<p><a href="http://taossa.com/index.php/2007/02/08/same-origin-policy/">Same-Origin Policy Part 1: Why we’re stuck with things like XSS and XSRF/CSRF</a></p>

<h2>OWASP 2008 NYC</h2>
<p>Posted 2008-08-04</p>
<p>The agenda for OWASP 2008 in New York has been posted.</p>
<p><a href="http://www.owasp.org/index.php/OWASP_NYC_AppSec_2008_Conference">OWASP Agenda</a></p>
<p>Should be a great show!</p>

<h2>PHPCharset Encoder</h2>
<p>Posted 2008-08-04</p>
This tool helps you encode arbitrary text to and from <span class="underline">65 kinds</span> of charsets. Some encoding functions featured by JavaScript are also provided.
<p><a href="http://h4k.in/encoding/index.php">http://h4k.in/encoding/index.php</a></p>

<h2>Microsoft Source Code Analyzer for SQL Injection tool</h2>
<p>Posted 2008-07-29</p>
<p>[RIP] The Microsoft Source Code Analyzer for SQL Injection tool is a static code analysis tool that helps you find SQL injection vulnerabilities in Active Server Pages (ASP) code. This article describes how to use the tool, the warnings that are generated by the tool, and the limitations of the tool. See the tool Readme document for more information.</p>
<p>[ <a href="http://www.microsoft.com/downloads/details.aspx?FamilyId=58A7C46E-A599-4FCB-9AB4-A4334146B6BA&displaylang=en">Download</a> ]</p>

<h2>Chronology of Data Breaches</h2>
<p>Posted 2008-07-26</p>
<p>This is a very interesting site which I feel provides some great information. [RIP] The Privacy Rights Clearinghouse (PRC) is a nonprofit consumer organization with a two-part mission -- consumer information and consumer advocacy. It was established in 1992 and is based in San Diego, California. It is primarily grant-supported and serves individuals nationwide.</p>
<p><a href="http://www.privacyrights.org/ar/ChronDataBreaches.htm#CP">http://www.privacyrights.org/ar/ChronDataBreaches.htm#CP</a></p>

<h2>Coolest thing since sliced cheese</h2>
<p>Posted 2008-07-25</p>
<p>If you're using Outlook, this is a really nice tool. Finally....a tool that actually helps with email!</p>
<p><a href="http://www.xobni.com/">http://www.xobni.com/</a></p>

<h2>LifeCycle Security</h2>
<p>Posted 2008-07-22</p>
<p>A friend of mine [and group of renegade badasses] has started a new security conference based around Web Application Security. If you are going to be at Blackhat next month, be sure to get hooked up for this show. Also...if you are a member of OWASP, please feel free to use this invitation for free admission.</p>
<p>++++++++++++++++++++++</p>
<p>We would like to make a special offer to you and the people at OWASP as our way of thanking you for your support of our <a href="http://www.LifeCycleSecurity.com/">Lifecycle Security (web application security) Conference</a>, which we are holding the day after <a href="http://www.blackhat.com/">Blackhat-Vegas</a> on August 8-9, 2008 at the Las Vegas Caesar's Palace.</p>
<p>FREE ADMISSION (normal price is $350) for the first 100 people who register by sending an email to <a href="mailto:freeoffer@LifeCycleSecurity.com">freeoffer@LifeCycleSecurity.com</a> with:</p>
<ul><li>Name:</li><li>Company:</li><li>Address:</li><li>E-mail:</li></ul>
<p>We plan to open this up to other lists later in the week, but we want to give <a href="http://www.owasp.org/">OWASP</a> members "first shot" at the free admission. (There are only 100 free admission tickets.) Our goal is to create a community where Application Security professionals can share information on an on-going basis.</p>
<p>We have Ounce, Proactive, Price Waterhouse, Modsecurity, Microsoft, Safe Channel, OWASP and Verizon involved in our Penetration Testing, Policy/Compliance/Solutions and Vendor Tracks.</p>
<p>Thanks once again for your support.</p>
<p>Dennis</p>

<h2>Introducing HP Scrawlr</h2>
<p>Posted 2008-06-24</p>
Interesting posting from the folks at HP Security Labs. Not sure if this is as capable as <a href="http://forum.darkc0de.com/index.php?action=vthread&forum=7&topic=2306">other SQL injectors already out there</a>, but worth a look.
Interesting note that they are packaging the Intelligent Engines on the backend with this tool.<br /><br />
[rip from HP blog site]<br /><br />
<p>Scrawlr, developed by the HP Web Security Research Group in coordination with the MSRC, is short for SQL Injector and Crawler. Scrawlr will crawl a website while simultaneously analyzing the parameters of each individual web page for SQL Injection vulnerabilities. Scrawlr is lightning fast and uses our intelligent engine technology to dynamically craft SQL Injection attacks on the fly. It can even provide proof positive results by displaying the type of backend database in use and a list of available table names. There is no denying you have SQL Injection when I can show you table names!</p>
<p>Technical details for Scrawlr:</p>
<ul>
<li>Identify Verbose SQL Injection vulnerabilities in URL parameters</li>
<li>Can be configured to use a Proxy to access the web site</li>
<li>Will identify the type of SQL server in use</li>
<li>Will extract table names (verbose only) to guarantee no false positives</li>
</ul>
<p>Scrawlr does have some limitations versus our professional solutions and our fully functional SQL Injector tool:</p>
<ul>
<li>Will only crawl up to 1500 pages</li>
<li>Does not support sites requiring authentication</li>
<li>Does not perform Blind SQL injection</li>
<li>Cannot retrieve database contents</li>
<li>Does not support JavaScript or Flash parsing</li>
<li>Will not test forms for SQL Injection (POST Parameters)</li>
</ul>
<p>You can download Scrawlr by visiting the following link:</p>
<p><a href="https://download.spidynamics.com/products/scrawlr/">https://download.spidynamics.com/products/scrawlr/</a></p>

<h2>A Risk Management-Based Approach to Web Application Security</h2>
<p>Posted 2008-05-08</p>
<p>At the end of the day, it all comes down to the Software Development Life Cycle (SDLC). All vulnerabilities, big or small, can be traced back to a few lines of code written by a developer who was hoping to achieve a bit of functionality. According to Gartner, “By 2009, 80 percent of companies will have suffered an application security incident”. The significance of this statement is astounding, given that most organizations rely heavily on their web presence for daily e-survival.</p>
<p>While the majority of organizations have yet to merge their development and security processes, the move towards producing secure Web Applications is absolutely critical. Unfortunately, most Development, Quality Assurance and Information Security teams operate in isolated communities and are rarely driven by the sentiment that security is fundamental for all parties involved. Ultimately, the goal for any organization is to have a strong, well-defined security process within the SDLC; however, developing such a program can be quite overwhelming, even for the most mature organizations.</p>
<p>Risk Management provides a structured process for identifying, assessing and quantifying risk for an environment. By applying a Risk Management-based approach, your organization will be able to kick-start its program and achieve success through a more palatable set of goals.</p>
<p>Through this approach, several significant variables are quantified in an effort to understand the threat against your Web Application infrastructure. These variables include:</p>
<ol>
<li>Asset Value (AV)</li>
<li>Vulnerability Severity (VS)</li>
<li>Likelihood of Threat (TH)</li>
<li>Applied Countermeasures (CM)</li>
<li>Weighted Value for severity of vulnerabilities (WV)</li>
</ol>
<p>The end result of this program is an overall Risk Score (RS), which will aid in measuring compliance with your security policy and posture.</p>
<p>[ <a href="http://www.atrysk.com/downloads/riskman.pdf">Download Paper</a> ]</p>

<h2>Web Security 101</h2>
<p>Posted 2008-05-02</p>
<p>Over the past few weeks, I've read several posts from folks around the industry on how to secure web applications, and I've read many interesting viewpoints. In my opinion, there are seven basic ideas that any security professional should carry with them for web applications.</p>
<ol>
<li><h3>Test Everything!</h3>
<p>The first concept for every security professional is to test everything. There is no such thing as enough testing: test, and simply keep testing. Just because you ran one scan with some tool and reviewed the results does not mean testing should end. What was once a very secure application could absolutely be compromised tomorrow.</p></li>
<li><h3>Secure the foundation</h3>
<p>Web applications are nothing more than applications running on an operating system, so it is still absolutely critical to secure the environment that they live in.</p></li>
<li><h3>Encrypt your data</h3>
<p>Data encryption may be utilized in a number of areas within your architecture, from SSL certificates for data in transit, to encryption of data in the database, to the file system. I'm not sure I have the ability to recommend the "type" of encryption, but use of encryption is highly recommended.</p></li>
<li><h3>Input Validation</h3>
<p>Among application security vulnerabilities, the majority lie with poor input validation. Using input validation in all areas of the application is absolutely critical. If you have the ability to discover tools that will perform input analysis on your application prior to going live, I would highly recommend employing them. For those not familiar with input analysis techniques, these are solutions that search for any component of your application where input is taken in (controls, form fields, etc.) and assist with the validation of those points.</p></li>
<li><h3>Strong Authentication</h3>
<p>Authentication is key to applications, and the use of strongly authenticated users or sessions is necessary. If strong authentication is not always an option, at the very least, please encourage your users (or security policy) to use strong passwords.</p></li>
<li><h3>Control Access to the Application</h3>
<p>As discussed in our AJAX post, validation of data is a very difficult aspect of security around your web application. Validating every single request to your web application is sometimes difficult; however, it's my recommendation to do your best with this.</p></li>
<li><h3>Session Management</h3>
<p>Session management is yet another very serious aspect of securing your web application. Points of weakness for many web applications are found when developers make some great attempt to create their own session management schemes. Three words that I have for you: (1) Cryptographically strong, (2) Random, (3) Strong protection.</p></li>
</ol>
<p>Again, these are only a few thoughts that I'm throwing around here....there are a thousand other things that could be considered, so please don't consider this the almighty list [no flames, please].</p>

<h2>TRISC Conference</h2>
<p>Posted 2008-04-05</p>
For those of you living around Texas, you might be interested in this conference. TRISC 2008 will be held April 21-23 with a theme of "Back to Basics: People, Processes & Products". It's being held at the Omni San Antonio Hotel at the ColonNade.
Check out the website at:<br /><br /> <a href="http://www.trisc.org/">http://www.trisc.org/</a><br /><br />Mark your calendars for TRISC 2008!Atryskhttp://www.blogger.com/profile/04232363521942755104noreply@blogger.comtag:blogger.com,1999:blog-3371937142562964079.post-48530745848194910392008-04-05T06:15:00.002-05:002008-04-05T06:16:56.598-05:00Properties of Secure Hash FunctionsA very interesting article on <a href="http://denimgroup.com/know_artic_secure_hash_functions.html">Properties of Secure Hash Functions</a><br /><br />Enjoy!Atryskhttp://www.blogger.com/profile/04232363521942755104noreply@blogger.comtag:blogger.com,1999:blog-3371937142562964079.post-63273619184398087942008-03-28T12:04:00.002-05:002008-03-28T12:07:41.055-05:00Microsoft asks web developers to 'bet on us'Okay...so *usually*, i try not to feed too much off of simple articles on the web, but as I am flipping through the news journals, I have run across (yet) another interesting post. Before reading on ...yes...let's put this into perspective. Yes...Microsoft is the whipping boy, yes...they are the biggest...yes...they have the most to deal with (ok....so i made that last part up). Read on ....<br /><br />[ <a href="http://news.zdnet.co.uk/software/0,1000000121,39363081,00.htm">Article</a> ]Atryskhttp://www.blogger.com/profile/04232363521942755104noreply@blogger.comtag:blogger.com,1999:blog-3371937142562964079.post-29243986520225345832008-03-28T11:53:00.002-05:002008-03-28T11:57:12.308-05:00Apple's Leopard lasts '30 seconds' in hack contestApple's Leopard has been hacked within 30 seconds using a flaw in Safari, with rival operating systems Ubuntu and Windows Vista so far remaining impenetrable in the CanSecWest PWN to Own competition. Security firm Independent Security Evaluators (ISE) — the same company that discovered the first iPhone bug last year — has successfully compromised a fully patched Apple MacBook Air at the CanSecWest competition, winning $10,000 (£5,000;) as a result. 
Although the competition recorded the hack taking eight minutes, Charlie Miller, a principal analyst with ISE, told ZDNet.com.au that it took just 30 seconds and was achieved using a previously unknown flaw in Apple's Safari web browser.<br /><br />[ <a href="http://news.zdnet.co.uk/security/0,1000000189,39375171,00.htm">Article</a> ]Atryskhttp://www.blogger.com/profile/04232363521942755104noreply@blogger.comtag:blogger.com,1999:blog-3371937142562964079.post-89942201606687467762008-03-28T11:25:00.000-05:002008-03-28T12:01:19.361-05:00wep cracking 101<span class="Apple-style-span" style="font-size:small;">WEP was intended to provide confidentiality comparable to that of a traditional wired network. Several serious weaknesses were identified by cryptanalysts; a WEP connection can be cracked with readily available software within minutes. WEP was superseded by Wi-Fi Protected access (WPA) in 2003, followed by the full IEEE 802.11i standard (also known as WPA2) in 2004. Despite its weaknesses, WEP provides a level of security that may deter casual snooping. ( Source, Wikipedia )<br /><br />Trust me when I say that this is not the most comprehensive posting on WEP cracking, but I received a request from a friend of mine to provide the "short and sweet" on WEP cracking ... so I thought i would share this very short tutorial. The sample I am going to provide has several limitations (ex. I am only demonstrating an attack using ARP replay attack (there are several other methods of attack)), but we are simply giving a brief overview. </span><a href="http://www.atrysk.com/downloads/ac_wep.htm" target="_blank"><span class="Apple-style-span" style="font-size:small;">Video sample of instructions</span></a> <div><span class="Apple-style-span" style="font-size:small;"><br /></span></div><div><span class="Apple-style-span" style="font-size:small;">There are four basic steps (well...at least in this example) to cracking a WEP key. 
The broad overview is as follows:<br /></span><ol><span class="Apple-style-span" style="font-size:small;"><br /></span><li><span class="Apple-style-span" style="font-size:small;">Setup network interface card to monitor mode with</span><strong><span class="Apple-style-span" style="font-size:small;"> </span></strong><span class="Apple-style-span" style="font-size:small;">airmon-ng (madwifi drivers for packet injection)</span></li><span class="Apple-style-span" style="font-size:small;"><br /></span><li><span class="Apple-style-span" style="font-size:small;">Execute airodump-ng for sniffing wireless traffic and creation of "cap" file (to be used later with aircrack-ng)</span></li><span class="Apple-style-span" style="font-size:small;"><br /></span><li><span class="Apple-style-span" style="font-size:small;">Execute aireplay-ng to create traffic for the generation and capture of IV's (we will be using an ARP-Replay attack (-3))</span></li><span class="Apple-style-span" style="font-size:small;"><br /></span><li><span class="Apple-style-span" style="font-size:small;">Execute aircrack-ng against the generated cap file</span></li><span class="Apple-style-span" style="font-size:small;"><br /></span></ol><span class="Apple-style-span" style="font-size:small;"><br /></span><span style="font-size:0;"><strong><span class="Apple-style-span" style="font-size:small;">Step One: Setting up your NIC with airmon-ng</span></strong></span><span class="Apple-style-span" style="font-size:small;"><br /></span><ul><span class="Apple-style-span" style="font-size:small;"><br /></span><li><span class="Apple-style-span" style="font-size:small;">The first step (and often daunting for the experienced administrator) in our quest for cracking a WEP key is to setup the network interface card on your system. 
For our example, we are utilizing the </span><a href="http://www.netgear.com/Products/Adapters/SuperGWirelessAdapters/WG511T.aspx" target="_blank"><span class="Apple-style-span" style="font-size:small;">Netgear 108 Wireless PC Card </span></a><span class="Apple-style-span" style="font-size:small;">(WG511T), which is based on the Atheros chipset and supports packet injection. To set up your NIC in monitor mode, we must first execute a couple of commands in order to initialize our card. The first two commands you will execute are:<br /><br /># rmmod ath_pci<br /># modprobe ath_pci</span></li></ul><span class="Apple-style-span" style="font-size:small;"><br />Once you have executed these two commands, your interface will be ready to use with the airmon-ng script for setting your card into monitor mode for use with the madwifi drivers for packet injection.<br /></span><ul><span class="Apple-style-span" style="font-size:small;"><br /></span><li><span class="Apple-style-span" style="font-size:small;">The second step in setting up your NIC is to engage the madwifi-ng drivers. Because the madwifi-ng drivers allow multiple virtual access points (VAPs) to be run, personally, I like to destroy and then create a new VAP on each session ... simply to make sure I understand what I have set up on the system. To do this, you will execute the following commands:<br /><br /># airmon-ng stop ath0<br /># airmon-ng start wifi0 1<br /># macchanger -m 00:12:23:34:45:56 ath0<br /><br />These commands will destroy the current VAP, create a new VAP from the parent device wifi0 with monitor mode enabled on the ath0 interface, and set the MAC address that ath0 will use. 
You should now be able to execute the "iwconfig" command to verify that your ath0 interface is in monitor mode for sniffing wireless traffic.</span></li><span class="Apple-style-span" style="font-size:small;"><br /></span></ul><span class="Apple-style-span" style="font-size:small;"><br /></span><span style="font-size:0;"><strong><span class="Apple-style-span" style="font-size:small;">Step Two: Discovering a target with airodump-ng</span></strong></span><span class="Apple-style-span" style="font-size:small;"><br /></span><ul><span class="Apple-style-span" style="font-size:small;"><br /></span><li><span class="Apple-style-span" style="font-size:small;">The first step taken with airodump-ng is to initiate a session so that you can obtain information regarding a target access point. You will launch airodump-ng with the following command:<br /><br /># airodump-ng ath0 (or ath1, ath2, ...)<br /><br />Once you have determined the target access point for your capture, you will restart airodump-ng with the following options (writing to a capture file and locked to the target's channel):<br /><br /># airodump-ng -w FileToCrack -c targetAP_ChannelNumber ath0<br /><br />Once this process is started, move to step 3.</span></li><span class="Apple-style-span" style="font-size:small;"><br /></span></ul><span class="Apple-style-span" style="font-size:small;"><br /></span><span style="font-size:0;"><strong><span class="Apple-style-span" style="font-size:small;">Step Three: Initiate aireplay-ng</span></strong></span><span class="Apple-style-span" style="font-size:small;"><br /></span><ul><span class="Apple-style-span" style="font-size:small;"><br /></span><li><span class="Apple-style-span" style="font-size:small;">One purpose of aireplay-ng is to move along the process of capturing IVs for cracking. This step will submit traffic to the access point so that the AP is stimulated into responding, with each ARP response carrying a fresh initialization vector. We are able to accomplish this with two simple steps. 
Keep in mind that we are ONLY demonstrating one single method of attack here (but it is probably the most popular method). For our example, we will assume that the target AP name is "tdurden" running on channel 6.<br /><br /># aireplay-ng -1 0 -e tdurden -a target_ap_mac -h our_mac_addr ath0<br /><br />Once this process (the -1 fake authentication) successfully completes, initiate the following command.<br /><br /># aireplay-ng -3 -b target_ap_mac -h our_cards_mac_address ath0<br /><br />This will start replaying ARP requests to the access point. Once you have captured enough IVs, you may then use aircrack-ng to crack the WEP key from the traffic captured in the .cap file.</span></li><span class="Apple-style-span" style="font-size:small;"><br /></span></ul><span class="Apple-style-span" style="font-size:small;"><br /></span><span style="font-size:0;"><strong><span class="Apple-style-span" style="font-size:small;">Step Four: Cracking our WEP key with aircrack-ng</span></strong></span><span class="Apple-style-span" style="font-size:small;"><br /></span><ul><span class="Apple-style-span" style="font-size:small;"><br /></span><li><span class="Apple-style-span" style="font-size:small;">The final step is to initiate the aircrack-ng script against your .cap file (generated by airodump-ng). 
Simply issue the following command:<br /><br /># aircrack-ng FileToCrack.cap<br /><br />If you have captured a sufficient number of IVs from the ARP-replay attack, then you should have a successful recovery of the WEP key.</span></li><span class="Apple-style-span" style="font-size:small;"><br /></span></ul><span class="Apple-style-span" style="font-size:small;"><br /></span><a href="http://www.atrysk.com/downloads/ac_wep.htm" target="_blank"><span class="Apple-style-span" style="font-size:small;">Video sample of instructions</span></a></div>Atryskhttp://www.blogger.com/profile/04232363521942755104noreply@blogger.comtag:blogger.com,1999:blog-3371937142562964079.post-72764533431561238692008-03-03T06:43:00.002-06:002008-03-03T06:44:45.609-06:00I'm addicted to Mac<a href="http://www.justsayhi.com/bb/apple_addiction" style="color: #80A9DD; text-decoration: none; display: block; width: 286px; height: 128px; padding-top: 50px; padding-left: 17px; background: url(http://assets.justsayhi.com/badges/613/877/apple_addiction.0hzul7zhfx.jpg) no-repeat; font-family: Times New Roman, sans-serif; font-size: 30px;">78%<span style="display: none;">How Addicted to Apple Are You?</span></a><p></p>Atryskhttp://www.blogger.com/profile/04232363521942755104noreply@blogger.comtag:blogger.com,1999:blog-3371937142562964079.post-40420705327548238292008-01-17T18:08:00.000-06:002008-01-17T09:48:28.516-06:00ajax security (book release)<span class="Apple-style-span" style="LINE-HEIGHT: 20px"><p>Billy Hoffman and Bryan Sullivan released a new book on AJAX Security this last month (or so). For those of you who aren't familiar with Billy and Bryan, they are/were involved in the SPI Dynamics group before it was acquired by HP Software in late 2007. 
I would highly recommend that you grab a copy of this book for your library.</p><p><a href="http://www.amazon.com/Ajax-Security-Billy-Hoffman/dp/0321491939/ref=pd_bbs_sr_1?ie=UTF8&s=books&qid=1199202842&sr=8-1" target="_blank">AJAX Security Book</a></p><p>[Ripped from Amazon]</p><p style="MARGIN: 0px" align="left"><b>Billy Hoffman</b> is the lead researcher for HP Security Labs of HP Software. At HP, Billy focuses on JavaScript source code analysis, automated discovery of Web application vulnerabilities, and Web crawling technologies. He has worked in the security space since 2001 after he wrote an article on cracking software for 2600, “The Hacker Quarterly,” and learned that people would pay him to be curious. Over the years Billy has worked a variety of projects including reverse engineering file formats, micro-controllers, JavaScript malware, and magstripes. He is the creator of Stripe Snoop, a suite of research tools that captures, modifies, validates, generates, analyzes, and shares data from magstripes.</p><p><b>Bryan Sullivan</b> is a software development manager for the Application Security Center division of HP Software. He has been a professional software developer and development manager for over 12 years, with the last five years focused on the Internet security software industry. Prior to HP, Bryan was a security researcher for SPI Dynamics, a leading Web application security company acquired by HP in August 2007. While at SPI, he created the DevInspect product, which analyzes Web applications for security vulnerabilities during development. Bryan is a frequent speaker at industry events, most recently AjaxWorld, Black Hat, and RSA. 
He was involved in the creation of the Application Vulnerability Description Language (AVDL) and has three patents on security assessment and remediation methodologies pending review.</p></span>Atryskhttp://www.blogger.com/profile/04232363521942755104noreply@blogger.comtag:blogger.com,1999:blog-3371937142562964079.post-86408286368556137432008-01-17T09:35:00.000-06:002008-01-17T09:39:17.558-06:00Give yourself a little time with SQL Injection<p>I was recently involved in a web application assessment and discovered something that I wanted to pass along. Keep in mind that this has probably been utilized before, but it is something that I just noticed, so … I wanted to throw it out for your amusement.</p><p>To set the stage, I had been looking at this application for quite some time and had an idea that SQL Injection might exist, but I was having much difficulty determining if the injection was actually present. The application was catching errors, displaying 404s, etc., and really not displaying any good data to make a decision. So … the question was … if the application is catching our errors and really not giving us anything to work with … how could we ask the database a question whose answer would indicate whether our requests were actually being processed by the database server? </p><p>Answer? Time.</p><p>Since the application is catching all of our attempts and not providing any good feedback, the thought was … let’s come up with a way to have the database provide us an “indirect” response. To do this, I tried “waitfor”. <a href="http://msdn2.microsoft.com/en-us/library/aa260678(SQL.80).aspx" target="_blank">WAITFOR</a> specifies a time, time interval, or event that triggers the execution of a statement block, stored procedure, or transaction.</p><p><span style="color:#000000;"><strong>Syntax: WAITFOR { DELAY 'time' | TIME 'time' }</strong></span></p><p>To implement 'waitfor', simply tag it onto the end of the injection test you’re trying to accomplish. 
For example, if your injection string is:</p><p><span style="color:#3333ff;">30000' union select 1,email,password from Customers --</span></p><p>By implementing 'waitfor', your string might appear as:</p><p><span style="color:#3333ff;">30000' union select 1,email,password from Customers waitfor delay '0:0:30' --</span></p><p>Keep in mind that while the injection results might not appear on your screen, you will experience a delay in the response back to the browser. The point here is to demonstrate that:</p><ol><li>Our injection is being accepted by the database server </li><li>The injection is executing. </li></ol><p>So, while our injection string might not render results to the screen, we can test that the database server is executing our injection strings.</p>Atryskhttp://www.blogger.com/profile/04232363521942755104noreply@blogger.comtag:blogger.com,1999:blog-3371937142562964079.post-86981726490006185982008-01-15T09:13:00.000-06:002008-01-15T09:21:53.180-06:00"Hacker Safe" Site Hacked, Data Stolen<span style="font-size:85%;">It's simply amazing to me that folks will fall for the marketing literature. Hacker Safe? I think not....</span><br /><br /><a href="http://www.cioinsight.com/article2/0,1540,2246925,00.asp"><span style="font-size:85%;">http://www.cioinsight.com/article2/0,1540,2246925,00.asp</span></a>Atryskhttp://www.blogger.com/profile/04232363521942755104noreply@blogger.comtag:blogger.com,1999:blog-3371937142562964079.post-11593750816735848732008-01-12T11:54:00.001-06:002008-01-15T09:28:51.347-06:00Vidalia Project<span class="Apple-style-span" style="LINE-HEIGHT: 20px"><p>Thank you, Baby Jesus!</p><p>I'm sure that many of you have seen this software (and I'm sure I'll hear about it), but I had to point out what could be one of the coolest tools out there for your warped heads. The tool is called Vidalia and it's found at http://vidalia-project.net/. 
Seriously, one of the nicer tools ... it has options that will absolutely help you with your anonymity.</p><p>Here's a rundown of what I have found:</p><ol><li><u>Tor</u>: A tool-set for a wide range of organizations and people that want to improve their safety and security on the Internet. Using Tor can help you anonymize web browsing and publishing, instant messaging, IRC, SSH, and other applications that use the TCP protocol. Tor also provides a platform on which software developers can build new applications with built-in anonymity, safety, and privacy features.</li><li><u>Bandwidth monitor</u>: Okay ... so it's not that spectacular, but a nice touch.</li><li><u>New Identity</u>: I haven't been able to research exactly how this works, but I would guess that this function generally kills the current Tor circuit and creates a new one. I'll have more information on this later (and will post it), but it definitely works.</li></ol><p><a href="http://vidalia-project.net/">This is a must download!</a></p></span>Atryskhttp://www.blogger.com/profile/04232363521942755104noreply@blogger.comtag:blogger.com,1999:blog-3371937142562964079.post-82092986927425357092008-01-12T11:53:00.004-06:002008-01-15T09:24:07.356-06:00Top 15 SQL Injection Scanners<span class="Apple-style-span" style="LINE-HEIGHT: 20px"><p>Keep in mind that I have played with most of the tools out on the web for SQL Injection, but these guys published this pretty nice list of <a href="http://www.security-hacks.com/2007/05/18/top-15-free-sql-injection-scanners">SQL Injection scanners</a>. I will say that there are a couple of commercial scanners that will rip the pants off of most of these, but again, you pay to play.</p><p>The Top 15 SQL Injection Scanners page is definitely something worth seeking out. 
One addition to the list would be <a href="http://www.owasp.org/index.php/Category:OWASP_SQLiX_Project">SQLiX</a>, which can be found on the OWASP page -- a nice little tool if you're looking for something Perl-based.</p></span>Atryskhttp://www.blogger.com/profile/04232363521942755104noreply@blogger.com
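<p>The time-based test described in the "Give yourself a little time with SQL Injection" post above, seen from the defender's side, as an added example (it is not code from that post, from this post, or from any of the listed scanners). It assumes an access log in Combined Log Format with a trailing response-time field in seconds, a /product.asp lookup page and an in-memory SQLite Products table; every sample log line is constructed. It goes a little beyond the post by also recognising the MySQL and PostgreSQL delay functions (SLEEP and pg_sleep), and it places the string-concatenation pattern that makes the test work beside its parameterized form.</p>

```python
"""Time-based blind SQL injection, seen from the defender's side.

Added example (not code from the original post). It uses a constructed
web-server access log and an in-memory SQLite table; the log layout, the
/product.asp path and the table contents are assumptions.
"""
import re
import sqlite3
from typing import Dict, List, Optional
from urllib.parse import unquote_plus, urlsplit

# Assumed log layout: Combined Log Format plus a trailing response time
# in seconds (e.g. Apache "%D" converted to seconds).
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<url>\S+) \S+" '
    r'(?P<status>\d{3}) \S+ (?P<secs>[\d.]+)$'
)

# Delay primitives an injected statement can use to answer "indirectly".
# WAITFOR DELAY is the T-SQL form from the post; SLEEP()/pg_sleep() are the
# MySQL/PostgreSQL equivalents (added here for generality).
DELAY_RE = re.compile(
    r"waitfor\s+delay\s*\W?(?P<hms>\d{1,2}:\d{1,2}:\d{1,2})"
    r"|\b(?:sleep|pg_sleep)\s*\(\s*(?P<secs>\d+(?:\.\d+)?)",
    re.IGNORECASE,
)


def requested_delay(payload: str) -> Optional[float]:
    """Return the delay (seconds) a payload asks the database for, or None."""
    m = DELAY_RE.search(payload)
    if not m:
        return None
    if m.group("hms"):
        h, mi, s = (int(x) for x in m.group("hms").split(":"))
        return float(h * 3600 + mi * 60 + s)
    return float(m.group("secs"))


def analyse_log(lines: List[str]) -> List[Dict]:
    """Flag requests carrying a delay payload; mark those the database ran.

    A 404 that took 30 seconds is exactly the signal the post describes:
    the page hid the error, but the delay leaked through.
    """
    findings = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # skip lines that do not match the assumed layout
        query = unquote_plus(urlsplit(m.group("url")).query)
        delay = requested_delay(query)
        if delay is None:
            continue
        elapsed = float(m.group("secs"))
        findings.append({
            "ip": m.group("ip"),
            "status": int(m.group("status")),
            "requested_delay": delay,
            "elapsed": elapsed,
            # if the server took at least as long as the payload asked for,
            # the statement reached the database and executed
            "executed": elapsed >= delay,
        })
    return findings


def build_query_unsafe(product_id: str) -> str:
    """The pattern that makes the post's test work: input pasted into SQL."""
    return "SELECT name FROM Products WHERE id = " + product_id


def lookup_product_safe(conn: sqlite3.Connection, product_id: str) -> list:
    """Hardened form: a bound parameter is data, never SQL, so the string
    that breaks build_query_unsafe() simply matches no row here."""
    cur = conn.execute("SELECT name FROM Products WHERE id = ?", (product_id,))
    return [row[0] for row in cur.fetchall()]


def demo_db() -> sqlite3.Connection:
    """Constructed demo table (assumption, not the assessed application)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE Products (id INTEGER PRIMARY KEY, name TEXT)")
    conn.execute("INSERT INTO Products VALUES (30000, 'Widget')")
    return conn


# The post's payload, and a constructed log: one normal lookup, the payload
# URL-encoded as a browser sends it, and a MySQL-style probe that did not run.
PAYLOAD = "30000' union select 1,email,password from Customers waitfor delay '0:0:30' --"
SAMPLE_LOG = [
    '10.0.0.5 - - [17/Jan/2008:09:35:01 -0600] "GET /product.asp?id=30000 HTTP/1.1" 200 1523 0.041',
    '10.0.0.5 - - [17/Jan/2008:09:35:09 -0600] "GET /product.asp?id=30000%27+union+select+1,email,password+from+Customers+waitfor+delay+%270:0:30%27+-- HTTP/1.1" 404 212 30.118',
    '10.0.0.9 - - [17/Jan/2008:09:36:00 -0600] "GET /product.asp?id=1+or+sleep(5) HTTP/1.1" 404 212 0.052',
]

if __name__ == "__main__":
    for finding in analyse_log(SAMPLE_LOG):
        print(finding)
    conn = demo_db()
    print(lookup_product_safe(conn, "30000"), lookup_product_safe(conn, PAYLOAD))
```

<p>Run it directly to print the findings. The second log line is the post's payload, and because the 404 took just over 30 seconds the request is marked as executed, which is the same inference the post draws from the browser side; the third line carries a delay request that the server answered in 52 ms, so it is reported but not marked executed. The parameterized lookup returns no row for the payload because the bound value is compared as data and never parsed as SQL.</p>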