Day 10: ITSM Vulnerability Assessment techniques
Lesson 10: You could say I'm a little late on posting something. However, we've been up to a lot of great research, hopefully much of which we'll publish here over the next few weeks.
We had a few posts lately, some of them with a change of heart. The latest must-read from the blog world comes from Nitesh Dhanjani at O'Reilly's ONLamp, What Have You Changed Your Mind About?
So far, I'm the only person who has commented, and I didn't really answer any of his questions. However, the post itself is quite insightful. It talks about data breaches strictly in terms of PII (Personally Identifiable Information), where PII comes from, and the problems inherent with static identifiers. I give some defense suggestions in the comments.
Related to Nitesh's post is Adam Shostack's predictions on the SDL Blog, New faces and predictions for the New Year. Bryan Sullivan is also introduced to the team (recently joined from HP / SPI Dynamics) with his XSRF (CSRF) predictions. He's probably referring to Web services, Ajax, Silverlight, and other RIA -- which contain CSRF's that may be more critical than the ones built into HTTP. For an example, check out the JSON API Hijacking research from the Fortify Software paper, also covered in the books Ajax Security, the Web Application Hacker's Handbook, and Hacking Exposed Web 2.0.
Part 1: Information assurance vulnerability assessment — Protective measures, Identification -- multi-factor authentication -- physical access control
Something you know. Something you have. Something you are.
This is the tenet of authentication for security systems. The first thing I think of -- what about one-time passwords -- OTP's (a cross between something you know and something you have in the case of an RSA SecurID hardware token device, but this is more confusing when it's software such as S/Key or OPIE)? What about a USB/Smartcard that contains RSA, DSA, or El-Gamal keys?
There is a company, StartCom, that not only provides free, usable SSL certificates but also sells Aladdin USB Tokens. StartCom is a great way to avoid running your own private Certificate Authority (CA) if you have a need for one. However, the StartCom root-level CA's are only shipped in Firefox, Safari, and Konqueror.
The Aladdin USB Tokens and Smartcards are very interesting, mostly because they are cheap ways of providing average-sized keys (2048-bit) in hardware. The Aladdin eToken NG-OTP appears to be a great concept -- combine the concept of secure keys with an OTP.
Even better would be to combine the OTP and hardware keys with Single Sign-On (SSO). Also interesting is the ability to combine logical (system/network/application) and physical (proximity, photo ID badges, locks, man-traps) access controls to create Integrated Physical and Logical Access.
Recommendation: Consider adding physical tokens, integrated access controls, SSO, and OTP's. Testing the authentication and access controls would be extremely fun -- it's odd that I haven't seen much research in this area of security at all.
Many organizations don't have any physical access controls other than a shared/copied key on tumbler locks and/or a security system (mostly for insurance purposes). I've seen a lot of complex systems, including ones that provide cameras and audio monitoring (it's claimed that audio can be used for calling the police more easily than cameras).
I suggest avoiding surveillance systems (both the audio and video kind) and installing a simple wireless security system with alarm monitoring. Keep fire safes around to store documents in almost every office for anyone who wants one or is willing to use one.
There is the Home Security Store, which offers wireless alarm kits (from DSC as cheap as $245) and other wireless solutions -- I suggest DSC Wireless products. The Home Security Store also appears to partner with Alarm Relay, who offers monitoring for $8.95/month. Cheap isn't always good, but in this case it appears to be better than most systems that cost hundreds to install (where you're leasing the equipment anyway) and at least $40/month for monitoring.
You might be thinking that it is strange that I suggest such a pragmatic approach to physical security, when I suggest such complicated concepts for application, network, system, and software security. Insurance is more clearly defined for physical security, whereas cyber-insurance and liability concepts are more "cutting-edge" and still being worked out. We'll cover cyber-insurance in a future post, but I suggest checking out the book "Geekonomics" by David Rice for more information on this topic.
Protecting your building doors, windows, locks, and walls is usually a better place to start. Be sure to check out No-Tech Hacking guides, lockpicking videos/presentations, and other material available out there. Try out these techniques against your own home and office.
I suggest starting with key bumping. There is a good triangle-shaped file you can get at most hardware stores, which works well alone or with a Dremel tool. I have both of these, a few key blanks of different types, a few key gauges, and some test locks. If you want to learn more, check out the No-Tech Hacking book by Johnny Long, or attend the presentation at ShmooCon (the speaker list was announced earlier this evening!) -- New Countermeasures to the Bump Key Attack by Deviant Ollam.
Part 2: Software assurance vulnerability assessment -- Path traversal and Predictable resource locations (PRL's)
Best Path traversal and PRL attack tools
Nikto, filefolderenum, http-dir-enum, FreeWVS, babelweb, Burp Suite, w3af, DFF Scanner, OWASP DirBuster, OWASP JBroFuzz, ProxMon, Paros, OWASP WebScarab, sn00per, WebRoot.pl, webfuzzer, Wapiti, Syhunt Sandcat Free, N-Stealth Scanner Free Edition
Best Path traversal and PRL attack helper tools
FileMon, lsof, strace, truss, ktrace, ExtendedScanner, Inspekt, Orizon, ASP-Auditor, Milk, SWAAT, RATS, PHP-SAT, PHPSecAudit, PSA3, PFF, LAPSE
I hate to say it, but PRL's are one thing that commercial web application security scanners are better at than both open-source structural and functional testing tools -- as well as possibly even static source code security analyzers. This is where WebInspect, AppScan, Hailstorm, NTOSpider, Acunetix WVS, Syhunt Sandcat, N-Stealth Scanner, and Sentinel really shine.
In tests of a commercial scanner vs. me, I would bet my money on the scanner to find all the WEB-INF/'s, .bak's, and Emacs "~" files. For more information, check out some books that cover commercial scanners more in-depth such as Hacking Exposed Web Applications (2nd Edition), or Security Power Tools (Section 3.3). In related news, Romain Gaucher compares the commercial tool, Fortify SCA 5.0, to open-source PHP source code security analyzers.
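As an added example (not from this post or from any of the tools listed above), here is a defender-side check in Python for the two things a PRL/path-traversal assessment turns up: a traversal-safe resolver that pins client-supplied paths inside the web root, and a pre-deployment sweep for predictable leftovers such as WEB-INF/, .bak and Emacs "~" files. The suffix and directory lists and the sample web root are constructed for the demo, not taken from any scanner's wordlist.

```python
import os
import tempfile
from pathlib import Path
from typing import List, Optional

# Constructed lists for this demo (an assumption, not a canonical scanner wordlist):
# suffixes of editor/backup leftovers and directories that must never be served.
LEFTOVER_SUFFIXES = (".bak", ".old", ".orig", ".swp", "~")
EXPOSED_DIRS = ("WEB-INF", ".git", ".svn")


def safe_resolve(web_root: str, requested: str) -> Optional[Path]:
    """Map a client-supplied path onto web_root; return None if it escapes.

    Both sides are canonicalized (symlinks, '.', '..') before the containment
    check, so nested or leading '..' sequences cannot reach outside the root.
    A leading slash is stripped so absolute paths are treated as root-relative.
    """
    root = Path(web_root).resolve()
    target = (root / requested.lstrip("/\\")).resolve()
    try:
        target.relative_to(root)
    except ValueError:  # target is not under root: traversal attempt
        return None
    return target


def find_predictable_leftovers(web_root: str) -> List[str]:
    """Return root-relative paths a PRL scanner would guess: backup/swap
    files and directories that should not be reachable over HTTP."""
    root = Path(web_root).resolve()
    findings = []
    for dirpath, dirnames, filenames in os.walk(root):
        rel_dir = Path(dirpath).relative_to(root)
        findings += [str(rel_dir / d) + "/" for d in dirnames if d in EXPOSED_DIRS]
        findings += [str(rel_dir / f) for f in filenames if f.endswith(LEFTOVER_SUFFIXES)]
    return sorted(findings)


def build_demo_root() -> str:
    """Constructed sample web root (not from the post) used to run the checks."""
    root = tempfile.mkdtemp()
    for rel in ("index.html", "config.php.bak", "login.jsp~", "WEB-INF/web.xml"):
        path = Path(root) / rel
        path.parent.mkdir(parents=True, exist_ok=True)
        path.write_text("sample")
    return root


if __name__ == "__main__":
    demo = build_demo_root()
    print(find_predictable_leftovers(demo))         # ['WEB-INF/', 'config.php.bak', 'login.jsp~']
    print(safe_resolve(demo, "../../etc/passwd"))  # None
    print(safe_resolve(demo, "index.html").name)   # index.html
```

Run the sweep against a staging copy of the deploy tree before it goes live; anything it lists is what the commercial scanners in the post would find first.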