Enabling Secure Business Operations

Sanitizing Input in Web Apps (Part 2)

July 28th, 2009

In Part 1 of our web app sanitization series, we looked at unsanitized user-controlled data inserted directly into the HTML response of a web page. This entry focuses on a more specific case: user-controlled data used elsewhere in a web app, such as inside the attributes of HTML tags.

DVWA – Damn Vulnerable Web App

July 23rd, 2009

Damn Vulnerable Web App (DVWA) has released an updated version (v1.04) of its PHP/MySQL web application that is intended to be attacked. It’s meant to be run on a local (closed) network as a learning tool for exploits and vulnerabilities. As it stands, it covers most of the basics: brute force, command execution, file inclusion, SQL injection, and XSS.

Nessus for vulnerability scanning

July 21st, 2009

Nessus is a vulnerability scanner that has been around for a while and has a checkered history. It began as an open source scanner, and then Tenable Security took the source code and created a fork of Nessus after version 2.0. The 2.0 source is still available, and OpenVAS has taken it and kept it open source.

ICSI Netalyzr

July 16th, 2009

I recently came across a very nifty online tool for analyzing a host’s network called Netalyzr. It’s basically a Java applet that, when started, kicks off a series of tests that can help users troubleshoot problems with their network.

The Netalyzr analyzes various properties of your Internet connection that you should care about — including blocking of important services, HTTP caching behavior and proxy correctness, your DNS server’s resilience to abuse, NAT detection, as well as latency & bandwidth measurements — and reports its findings in a detailed report.

Of course, it doesn’t seem to offer anything that other network analysis tools don’t, and it’s not very customizable with regard to which tests are run. However, the benefit is that it’s free, VERY easy to use (you basically just click the “Go” button), and accessible (provided you can reach the internet). Since it’s a third-party tool that reports on your connection to an outside server, users may want to exercise caution when using it to analyze sensitive networks. But for a quick and dirty job, it’s certainly worth checking out.

http://netalyzr.icsi.berkeley.edu

Each Thursday, Security Musings features a security-related technology or tool. Featured items do not imply a recommendation by Gemini Security Solutions. For more information about how Gemini Security Solutions can help you solve your security issues, contact us!

Oops

July 15th, 2009

Germans lost the Root CA key for their electronic health card system

There are mechanisms for backing up HSMs – they should be used, and this just underscores why.

3 Reasons You’re Not As Compliant As You Think You Are

July 15th, 2009

Companies live and die by their policies, which they are enamored with. While having a good security policy framework is important for organizations of all sizes, it’s easy to get comfortable with your policies – until they need to be used, that is. A lot of smaller companies that are growing rapidly have some established security rules that aren’t as complete as they should be.

Just as users can pick passwords that satisfy the policy but are still weak, you’re not as compliant as you think you are if you haven’t considered the following three things.

  1. You Don’t Review Logs – Most companies keep logs of some kind, but many of them are never reviewed before they are overwritten by default rotation. Log review on a regular basis, before the logs are overwritten, lets administrators spot patterns and abnormal activity that might not be caught by a firewall, intrusion detection system, or other automated controls. Apart from security, regular log review can help identify software glitches before they cause problems for your operations.
  2. You Don’t Have A Contingency Plan – Security plans by smaller companies, as well intentioned as they may be, could very well be lacking a well thought out contingency plan. Having a tested contingency plan is important so that you know your backups will work, your applications will be accessible, and you can get up and running in a reasonable time.
  3. You Don’t Test Backups – I should add, “and you don’t back up quite everything you should.” Related to #2 above, there are many companies that only have backups of a single server, rely on default settings, and don’t keep an extra physical copy somewhere off site. If you’re one of them and your office burns down, those backups aren’t going to do you much good.

There are some great things about standards and policies, but it’s always easier to write them down than to put them into practice. That’s where many companies fail, until something happens. Knowing that legal and regulatory compliance doesn’t necessarily equal security will save you from embarrassing and costly incidents down the road.

picture: y3rdua

Apache and SSL: Key Encryption

July 14th, 2009

In the previous Apache and SSL tutorial, we created a private key and a self-signed certificate for our secure server. What we did not cover was protecting the server’s key with a passphrase. It’s never a good idea to leave a private key sitting around in unencrypted form, so in this tutorial, we will encrypt it and learn what difficulties this brings about on a Windows system.

Darik’s Boot and Nuke (DBAN)

July 9th, 2009

One of the more common problems that I see among clients, especially smaller ones, is appropriate destruction of data before retiring, selling, or destroying computer systems. If you’ve got a relatively modern system (i.e., SCSI, ATA or SATA drives), you can use Darik’s Boot And Nuke (DBAN). If you have an older system (mainframe, etc…), DBAN won’t really be able to help you out – I suggest a chainsaw and a hammer (or pay someone else to do it).

If you can use DBAN, though, it’s easy to use and comes with several types of wipes depending on your situation. DBAN supports Quick Erase, RCMP TSSIT OPS-II, DoD Short (3 passes), DoD 5220.22-M (7 passes), Gutmann Wipe, and PRNG Stream. Each type of wipe is useful in different situations, with the Gutmann Wipe currently regarded as necessary only for the truly paranoid, and the DoD wipes as “good enough” (for government work…). Any of the wipe methods except Quick Erase will get rid of your data so that no one else has a good chance of recovering it.

Wipe Options

Using DBAN is very easy – you download a boot image (ISO, floppy, or USB), boot from that device, and DBAN starts up. You can either run it from the command line (if you’re familiar with the options) or run it in interactive mode and make the selections from a “GUI.”

Once you’ve selected your options, press F10 to get started, and then go find something else to do. If you’re using the Gutmann Wipe or the full (7-pass) DoD wipe, it’s going to take a while. I usually set it running at night before I go to bed, and it’s usually done in the morning. Of course, the larger the drive, the longer it will take.

For those of you who need to pay for the service (audit trails, etc.), Darik also offers EBAN, which comes with some nice features for wiping a lot of disks at once and recording the serial number of each drive it wipes.

Changing Your Windows OS Fingerprint

July 8th, 2009

With Windows holding 89.6% of the global market share, it is a very large target, and that is one of the reasons it attracts so many malicious attacks. So, what if you could change that and make your Windows machine/server appear as something else, even to the most notable fingerprinting tools (Nmap, p0f, Ettercap, etc.)? Well, you can.

Basic Certificate Reading

July 7th, 2009

Most of the time, an error reading an email or Firefox’s “secure connection failed” warning is the reason you’ll go through the clunky process of inspecting a digital certificate. There are other good reasons to check out a certificate from time to time, and the basics are easy to read. Doing so provides valuable information, and you shouldn’t be afraid of or baffled by the lock icon.
