Everyone is on the WAF bandwagon!!!……WTF?

July 5th, 2008 Drazen Drazic

I can’t believe the number of security “specialists” (many well known guys) who have jumped on the Web Application Firewall bandwagon! (WAF, f**king hate each new acronym). Amazingly, these dudes have done it all….by chance/coincidence to coincide with PCI DSS requirement 6.6! Where were they before this???? All heroes now! Put your hands up! Driving business….that is it….oh wow….I discovered a vendor that does this!

If your favourite blogger perchance is all of a sudden a fan of a WAF and helping push a product, I reckon you need to think about what they are doing! (Talking to industry dudes, cred may already be gone.) Were they 12 months ago pushing the same message? Are they now a QSA (not that that matters so much, but they may ride on PCI DSS 6.6) and using that to drive business?

Has our situation changed that much that previous anti-WAF dudes are now sold on the benefits?


Posted in Applications, Bad Developers, Bad Stuff, Dumb Security, Firewalls, IDS, PCI, PCI DSS, To cool, Vulnerability Management, WTF, Web Application Security, cyber crime | 7 Comments »

No care factor on liability and no pressure to change……

June 14th, 2008 Drazen Drazic

A lot of recent posts here and in the forum talk about responsible and true representation of services and products being marketed. The focus though has been on security products and vendors, but why restrict it to just them? The whole software industry thrives under a no liability market that no or few other industries enjoy. There is something wrong with that!

They’ve been in that lucky position since day 1 pretty much. Produce flaky products (but with a heap of features to sell and continue to sell) and have no liability should your product cause problems to those people that buy it! If problems occur, NO LIABILITY AND NO LEGAL REPERCUSSIONS FOR THE PEOPLE WHO CREATED THE PROBLEM!

The problem always sits with those who purchased and use that software!


Posted in Applications, Bad Developers, Bad Stuff, Dumb Security, Research, Risk Management, Vulnerability Management, WTF, Web Application Security, cyber crime | 8 Comments »

SAFECode Forum - The first? Right focus? Losing focus?

October 27th, 2007 Drazen Drazic

EMC Corporation, Juniper Networks, SAP, Microsoft and Symantec have formed a new consortium whose goal, as reported at TechNewsWorld is to: “……help reduce IT vulnerabilities, improve resistance to attack, and protect supply chain integrity”.

Is it just me who read this and thought; yeah…let’s see how many people remember the name SAFECode Forum in 12 months time? Hey, good luck to them. I hope that they do achieve their goals, but is this really the first of these things we have seen, as they promote it being?

The question has to be asked: have these companies admitted that they cannot, today and in the future, deliver more secure products on their own?

Posted in Applications, Bad Developers, Bad Stuff, Dumb Security, Research, Risk Management, cyber crime | 3 Comments »

Defenders of the Realm….not Hackers!

September 17th, 2007 Drazen Drazic

A take on defining hackers, ethical hackers and penetration testers by Matthew Strahan (SA Consultant):

A short time ago there was a discussion here about the term “ethical hacker” versus the term “penetration tester”.

The term “ethical hacker” is thrown around quite a lot nowadays without any real concern of whether it’s accurate or not. When people ask what I do, I find that “ethical hacker” or “professional hacker” gets the point across much quicker than a full discussion of what a penetration tester or a security consultant actually does.

The interesting thing is that I don’t really like to think of myself as a “hacker” or “cracker” since those terms are fundamentally different to what a “penetration tester” does.

Though we may use similar tools to the hackers, we are, by nature, defenders, and hackers are, by nature, attackers.

Let’s look at the difference between attacking and defending.

Posted in Applications, Industry Specialists Talk, Research, Vulnerability Management, Web Application Security, cyber crime | 5 Comments »

“Ethical Hacking”….that term is a worry….

August 7th, 2007 Drazen Drazic

Courses that teach under-skilled individuals the basics of “hacking” are a worry to me. Companies that teach “ethical hacking” courses are a worry…….most I know I would not hire to review a static one page site. What is it that they are trying to achieve? I read the course objectives for pretty much all of these courses and they worry me.

So….big company that can afford to send netadmin to one of these courses now thinks netadmin can do network and web app pen test…..saving bucks now by not hiring a third party?!?! Akin to me reading the “Idiots Guide to Accounting” and professing to be able to manage the financial books of News Limited.

Come on….WTF….give the professionals some credit!

Posted in Applications, Bad Stuff, Disclosure Laws, Dumb Security, Ford Falcon, Vulnerability Management, WTF, Web Application Security, cyber crime, governance | 15 Comments »

The Bad Web Developer Fighting Back…..

August 3rd, 2007 Drazen Drazic

I’m going to turn BorB into a soap opera for the next week or so. I’m going to report on our “discussions” with the web developer that was a leading player in:

Web Applications more secure these days? Not from where we stand!

Securing Web Applications……choose your developers carefully

It seems that the “developer” believes that they have done nothing wrong and continue to argue the point with the business that they are under no obligation to fix anything because what they have delivered is good. (Or so we are told). As a background, we have, until now, been kept out of this by the business who have assumed that the developer would be reasonable. Not the case…..thus, next week…we have been asked to meet with them. The shotgun is ready and the fish have been loaded into the barrel. Stay tuned.

Posted in Applications, Bad Developers, Bad Stuff, Dumb Security, WTF, Web Application Security, cyber crime | 3 Comments »

We’re going into production…..regardless!

August 1st, 2007 Drazen Drazic

Here’s the scenario - nothing new…we see it every day….but some just stand out big time in regards to stupidity. You have to wonder if you were given 5 minutes with the CEO as to whether things like this would happen. Same old story……what do most CIOs actually do when it comes to information security?

Large multinational - rolling out large Internet based ERP/CRM system for partners and clients. ie; do your own account changes, pricing, marketing info, updates etc etc. System has been in development for 2 years. Bugger all security team involvement from the outset. Production release - now! Cost to date - millions! Business security team reckons it potentially has holes as wide as the Grand Canyon but business does not care….it’s too late and has to go into production.

Call made to SA to test the system ASAP. SA told, regardless of findings, this is going live, but let’s test anyway. SA responds with various testing scenarios……..most don’t cut it due to costs and time to test, so it’s agreed to at least do a security test from the Internet and hit the main area of exposure. SA quotes about 30K for a pretty thorough job. (Even then, heavily discounted due to a relationship with the client). Response from business: Oh my god…..30K!!!! ……Management then decides to test it in-house! Millions to build but 30K to spend on security testing?????

Guaranteed owned system very quickly.

Posted in Applications, Bad Developers, Bad Stuff, Vulnerability Management, Web Application Security, cyber crime | 1 Comment »

90% of Web Applications Suck……

July 12th, 2007 Drazen Drazic

Just throwing this one out there after a talk with a journo today as an aside to the .NET stuff we published today.

The question was raised on overall web application security in the real world….what’s your call on it SA?

We stated in response that 90% of web applications/sites that we test for the first time have urgent to critical vulnerabilities. (ie; we own, we break etc ….bad!….PCI as an example…very upset potentially). While we have noticed an increase in security awareness and a desire from companies to test their security (GREAT SIGN), you have to understand, we’re all (all companies like SA) now dealing with a backlog of testing…..stuff that should have been done years ago.

I will state again….the stuff we see every day is scary! CEOs, clients, customers and shareholders would freak if they knew what we knew about their company’s security…..but that’s the norm unfortunately.

When the sh*t eventually hits the fan in these companies, and it makes the press…same old story…..there’s no one to blame!….. (at least in Australia where CIOs can bury their heads in the sand and say, “I never knew there was a problem!”)….

Japan has the right idea in the banking sector - they (the regulators) make the CIO accountable and if the sh*t does hit the fan, he goes to jail (ie; gaol - aussie spelling - stupid as it is).

We supported a relatively similar call a while back from the Acunetix dudes that had their 80% claim challenged by Network World.

Happy to be tested and a similar challenge thrown out to us…..though I don’t expect it. It would be like shooting fish in a barrel or as the Big Galoot says; ” a newsagent girl picking me out as the shooter and not the pig on the cover of “Babes and Boars”……maybe not……

Posted in Applications, Bad Developers, Bad Stuff, Big Galoot Diatribe, Dumb Security, WTF, Web Application Security, cyber crime | 3 Comments »

.NET Framework Security Vulnerabilities….

July 11th, 2007 Drazen Drazic

Following on from Paul Craig’s research on .NET security weaknesses, Microsoft has today released patch information - MS07-040. Further information at SecurityFocus.

A copy of Paul’s presentation is posted on our site on the Publications page. The full Advisory can be found on this page.

========================================================================
= Multiple .NET Null Byte Injection Vulnerabilities
=
= Vendor Website:
= http://www.microsoft.com
=
= Affected Version:
= .NET FrameWork v1.1 SP1
= .NET FrameWork v2.0.50727
=
= Vendor Notified - October, 2006
= Public Disclosure - July 11th, 2007

========================================================================

== Overview ==
Security-Assessment.com recently completed research into the .NET Framework in relation to the effect a Null byte (%00) has on various aspects of the .NET Common Language Runtime.

This advisory details the findings of that research conducted by Paul Craig.

It was found that certain .NET methods in various sections of the .NET namespace are vulnerable to Null byte injection attacks. Null byte injection occurs when the .NET CLR incorrectly handles user supplied Null bytes.

The .NET CLR considers Null bytes as ‘data’; .NET strings are not Null byte terminated. However, native POSIX compliant function calls terminate all strings at the first found Null byte. Interoperability issues are encountered when data containing a Null byte is used by .NET to directly call a native C function.

Native function calls terminate strings at the injected Null byte, allowing a remote user to arbitrarily terminate a string parameter used by the vulnerable method.

Security-Assessment.com has discovered five vulnerable methods in the .NET framework which are exploited through Null byte injection.

Three of the discovered vulnerabilities allow strings to be arbitrarily terminated through String Termination vulnerabilities. The remaining two resulted in an Arbitrary File Disclosure condition where a remote user is capable of accessing arbitrary files from within the web root.
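The managed/native mismatch described above, as an added illustration that is not part of the advisory or of Security-Assessment.com’s research: a length-prefixed “managed” string keeps a decoded %00 as data, a NUL-terminated native view stops at it, and a marshalling gate rejects any value whose two views differ. The struct, function names and the sample parameter value are constructed for this example.

```c
#include <stdio.h>
#include <string.h>
#include <ctype.h>

/* Models a CLR string: explicit length, a 0x00 byte is ordinary data. */
typedef struct {
    unsigned char buf[256];
    size_t len;
} managed_str;
static int hexval(int c) {
    if (c >= '0' && c <= '9') return c - '0';
    c = tolower(c);
    return (c >= 'a' && c <= 'f') ? c - 'a' + 10 : -1;
}
/* Percent-decode a request parameter into a managed string. "%00" becomes a
 * real 0x00 byte in the middle of the data, which the managed side keeps. */
managed_str decode_param(const char *raw) {
    managed_str s = { {0}, 0 };
    for (size_t i = 0; raw[i] != '\0' && s.len < sizeof s.buf; i++) {
        int hi, lo;
        if (raw[i] == '%' && (hi = hexval((unsigned char)raw[i + 1])) >= 0
                          && (lo = hexval((unsigned char)raw[i + 2])) >= 0) {
            s.buf[s.len++] = (unsigned char)(hi * 16 + lo);
            i += 2;                     /* consumed the two hex digits */
        } else {
            s.buf[s.len++] = (unsigned char)raw[i];
        }
    }
    return s;
}
/* Managed-side policy check, as a managed method would apply it: the full
 * 17-byte "default.aspx\0.txt" really does end in ".txt". */
int managed_has_suffix(managed_str s, const char *suffix) {
    size_t n = strlen(suffix);
    return s.len >= n && memcmp(s.buf + s.len - n, suffix, n) == 0;
}
/* Native side: once marshalled to a char*, a C/POSIX call stops at the first
 * NUL, so it operates on "default.aspx" rather than the string that was checked. */
size_t native_visible_len(managed_str s) {
    size_t n = 0;
    while (n < s.len && s.buf[n] != '\0') n++;
    return n;
}
/* Hardened gate: refuse any value whose native view would differ from its
 * managed view, then apply the suffix policy. 1 = safe to marshal, 0 = reject. */
int safe_to_marshal(managed_str s, const char *suffix) {
    if (native_visible_len(s) != s.len) return 0;   /* embedded NUL present */
    return managed_has_suffix(s, suffix);
}

int main(void) {
    /* Constructed sample input, not a value taken from the advisory. */
    managed_str evil = decode_param("default.aspx%00.txt");
    printf("managed len %zu, native sees %zu, suffix ok %d, marshal ok %d\n",
           evil.len, native_visible_len(evil),
           managed_has_suffix(evil, ".txt"), safe_to_marshal(evil, ".txt"));
    return 0;
}
```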

.NET has a history surrounding Null byte input flaws and associated logic. On September 8th, 2003 WebCohort Research <research@webcohort.com> released an advisory titled “Microsoft ASP.NET Request Validation Null Byte Filter Bypass Vulnerability”, whereby the .NET request validation routine could be bypassed using a Null byte injection.

Null byte injection is not a new class of attack, and is a well known exploitive method, but this is the first time a Null byte injection vulnerability has been found in methods within the .NET framework.

Security researchers should be aware of Null byte injection attacks within the framework itself and .NET developed applications.

== Solutions ==

Security-Assessment.com has been in contact with Microsoft and a new .NET patch has been released to address the discovered vulnerabilities. Install patch KB928365 (Security Update for Microsoft .NET Framework 2.0) and/or KB928366 (Security Update For Microsoft .NET Framework 1.1).

== Credit ==

Discovered and advised to Microsoft October, 2006 by Paul Craig of Security-Assessment.com.

== About Security-Assessment.com ==

Security-Assessment.com is Australasia’s leading team of Information Security consultants specialising in providing high quality Information Security services to clients throughout the Asia Pacific region. Our clients include some of the largest globally recognised companies in areas such as finance, telecommunications, broadcasting, legal and government. Our aim is to provide the very best independent advice and a high level of technical expertise while creating long and lasting professional relationships with our clients.

Security-Assessment.com is committed to security research and development, and its team continues to identify and responsibly publish vulnerabilities in public and private software vendor’s products. Members of the Security-Assessment.com R&D team are globally recognised through their release of whitepapers and presentations related to new security research.

Security-Assessment.com is an Endorsed Commonwealth Government of Australia supplier and sits on the Australian Government Attorney-General’s Department Critical Infrastructure Project panel.

Posted in Applications, Research, Web Application Security | 3 Comments »

Time to look at .NET security

July 9th, 2007 Drazen Drazic

I mentioned in a previous post that Paul Craig’s presentation on .NET would be interesting to say the least.

More on this soon but in the meantime, have a read on one of the first reports at: http://planet-websecurity.org/.NET+0-day%3F/

Posted in Applications, Bad Developers, Bad Stuff, Web Application Security | No Comments »

Interesting read from MS on developing the latest security patch ….

April 4th, 2007 Drazen Drazic

An inside look into building and releasing MS07-017

Posted in Applications, Research | No Comments »

Secure Coding - Not many do it well …….

March 30th, 2007 Drazen Drazic

Computerworld US reported on this new initiative the other day:
Are your software programmers coding securely?

How do you criticise a program that tries to address what we see as one of the biggest issues in our field…………….but do we really need another certification?

Don’t get me wrong, developers will learn from this (if they engage), but let’s hope organisations don’t get a false sense of security, so to speak, and continue to neglect important aspects of the SDLC that so lack security consideration/input today. Passing a few exams does not make one a specialist.

On a more positive note, we are seeing a growth in awareness in this field so any steps like this are positive.

Posted in Applications | 1 Comment »

Organising a penetration test for your organisation………

March 18th, 2007 Drazen Drazic

Some good points raised in this article: www.it-observer.com/articles.php?id=1308

There are few good companies out there that do penetration testing well, and they’re generally the smaller specialist organisations (yeah, I have to mention Security-assessment.com).

We still see and hear about mobs doing this work for clients and shake our heads at the results / output. There’s still guys out there running basic VA and port scans and delivering stock standard reports out of the likes of a Nessus to clients and calling it a penetration test.

It’s hard for organisations to know what questions to ask and how to compare offerings because it is such a specialised field. This article goes some way to helping.

Posted in Applications, Bad Developers, Forensics, Research, Vulnerability Management, Web Application Security, cyber crime | 4 Comments »

Web Applications more secure these days? Not from where we stand!

March 5th, 2007 Drazen Drazic

The recent figures posted by Acunetix (see previous post) were an eye opener to many – including long term IT industry guys…….and that is a concern.

The simple facts are that most people do underestimate the problems out there on websites and are comfortable in believing that many in the IT Security business are being alarmist, far more than they should be, and doing no more than trying to keep themselves in business.

The truth is that bad things are happening out there and just because people don’t hear about it, doesn’t mean it isn’t happening. We know, because we see it everyday.

Are web developers getting smarter in regards to secure coding? Based upon our experience, I’d say they’re not. Most haven’t heard of OWASP, have never been taught secure coding practices / skills and rarely work in an environment where security plays a role in the SDLC.

I’m not just talking about internal developers - you can lump in third-party hired guns into that category. It never ceases to amaze me when we review new sites developed for organisations by so-called experts.

A good friend is the CEO of a manufacturing business - offices in Australia, Asia and the UK. While they’ve had a basic web presence and e-business capability for a while, they recently paid for the development of a new B2B and B2C site. Good dollars exchanged hands. Now CEO is no IT guru but when dealing with a supposedly reputable development shop, he does expect a quality product for his dollars. As a favour, we offer to test the site for him. Now where do we start?

- Information leakage throughout
- Access for anyone on the net who wants to track who’s buying and how much from his company
- User-friendly access to admin screens to test password guessing capabilities
- Convenient site back up including all application source code zipped up in preparation for anyone to download
- Detailed error reporting to support our “tests”
- A nice photo of a baby in a bath with its mother (we guess it could be one the developer’s new born baby) - though you’d have to know where to look on the site to find it.
- etc etc etc ….. it goes on and on……and we’ve barely gotten into any real testing as yet.

An exception? No!

If anything, the Acunetix figures could be pumped up another 20% and I reckon you’d be closer to the mark.

DD

Posted in Applications, Bad Developers, Vulnerability Management, Web Application Security | 1 Comment »

Fun for the Acunetix Guys……………

February 22nd, 2007 Drazen Drazic

Kevin and team look like they’re in for some cool fun here……….

http://www.matasano.com/log/699/did-idg-bet-1000-that-acunetix-cant-steal-credit-cards-from-random-websites/

http://www.acunetix.com/news/acunetix_reveals_data.htm

In regards to the figures…..not that far off the estimates that we discuss with clients. The Network World response highlights what we’ve said before….even people in the IT industry can be oblivious to the extent of the issues out there.

What’s the bet they’ve been working overtime on their site(s) security since the challenge went out. Even then, they’ll probably be found wanting.

Posted in Applications, Bad Developers, Vulnerability Management, Web Application Security | 1 Comment »