Top Web App Vulnerabilities in 2008 Report

Saturday, October 17, 2009

The Web Application Security Consortium (WASC) has announced the WASC Web Application Security Statistics Project 2008.

The statistics include data from about 12,186 web applications with 97,554 detected vulnerabilities of various risk levels. The analysis shows that more than 13% of all reviewed sites can be compromised completely automatically. About 49% of web applications contain high-risk vulnerabilities (Urgent and Critical) that were detected by automatic scanning. Detailed manual and automated white box assessment, however, detects these high-risk vulnerabilities with a probability of 80-96%. The probability of detecting vulnerabilities with a risk level above medium (the PCI DSS compliance threshold) is more than 86% by any method. At the same time, detailed analysis shows that 99% of web applications are not compliant with the PCI DSS standard.

SQL Injection, Insufficient Authentication, Insufficient Authorization vulnerabilities detected by automatic scanning.

The following conclusions can be drawn from the analysis in the report:

  1. The most widespread vulnerabilities are Cross-site Scripting, various types of Information Leakage, SQL Injection and HTTP Response Splitting;
  2. The probability of detecting an urgent or critical error in a dynamic web application is about 49% by automatic scanning and 96% by comprehensive expert analysis (white box method);
  3. Administration issues are a 20% more frequent cause of vulnerabilities than system development errors;
  4. 99% of web applications are not compliant with the PCI DSS standard requirements, and 48% of web applications do not meet the criteria of ASV scanning under PCI DSS;
  5. Detailed white box analysis allows up to 91 vulnerabilities per web application to be detected, while automatic scanning finds only 3;
  6. Compared to 2007, the number of sites with the widespread SQL Injection and Cross-site Scripting vulnerabilities fell by 13% and 20%, respectively; however, the number of sites with various types of Information Leakage rose by 24%. On the other hand, the probability of compromising a host automatically rose from 7% to 13%.

The most widespread vulnerabilities in web applications.



Get the Full Report From WASC website


Guarding your DNS against cache poisoning attacks

Tuesday, October 13, 2009

Every company uses DNS, and it is a critical part of the network: if DNS is down, virtually everything is down. Cache poisoning is the best-known attack against a DNS server. There are many ways to protect your DNS servers from cache poisoning; below is a quick list to help ensure you don't become a victim of it.

1) Restrict DNS recursion to authorized queriers only, or disable it entirely.
2) Restrict DNS zone transfers to authorized secondary name servers.
3) Use forwarders to limit exposure.
4) Run the latest name server software.
5) Secure the platform: OS, applications, daemons, etc. Running the latest version, patching and secure configuration are a must.
6) Check your work: ensure there are no configuration errors in your DNS config file.
7) Limit administrative access.
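Item 6, checking your work, is easiest to do from the outside: send your own server one recursive query from a host that should not be granted recursion and look at the RA (recursion available) bit and RCODE of the reply. The Python below is an added example, not code from the original post or from net-security.org; it uses only the standard library, builds the query and decodes the reply header as laid out in RFC 1035, and ships with two constructed sample replies so it runs offline. The server address, the query name and the sample replies are assumptions for illustration.

```python
"""Self-check for open DNS recursion (added example, not from the original post).

Builds a minimal DNS query with RD=1, decodes the reply header and reports
whether the server granted recursion (RA=1, RCODE NOERROR, answers present).
Header layout and flag bits follow RFC 1035 section 4.1.1.
"""
import random
import socket
import struct

RCODES = {0: "NOERROR", 1: "FORMERR", 2: "SERVFAIL", 3: "NXDOMAIN",
          4: "NOTIMP", 5: "REFUSED"}

# RFC 1035 header flag bits: response, recursion desired, recursion available.
QR, RD, RA = 0x8000, 0x0100, 0x0080


def build_query(name, qid=None):
    """Standard A/IN query for `name` with recursion desired."""
    if qid is None:
        qid = random.randrange(0x10000)  # unpredictable ID in real use
    header = struct.pack("!HHHHHH", qid, RD, 1, 0, 0, 0)
    labels = name.rstrip(".").split(".")
    qname = b"".join(bytes([len(lb)]) + lb.encode("ascii") for lb in labels)
    return header + qname + b"\x00" + struct.pack("!HH", 1, 1)  # QTYPE=A, QCLASS=IN


def parse_flags(reply):
    """Decode the header fields a resolver audit cares about."""
    if len(reply) < 12:
        raise ValueError("truncated DNS header")
    qid, flags, _qd, an, _ns, _ar = struct.unpack("!HHHHHH", reply[:12])
    return {
        "id": qid,
        "qr": bool(flags & QR),
        "rd": bool(flags & RD),
        "ra": bool(flags & RA),
        "rcode": RCODES.get(flags & 0x000F, str(flags & 0x000F)),
        "answers": an,
    }


def recursion_open(reply):
    """True if the server advertised recursion and actually answered the query."""
    f = parse_flags(reply)
    return bool(f["qr"] and f["ra"] and f["rcode"] == "NOERROR" and f["answers"])


def probe(server, name="example.com", timeout=3.0):
    """Send one query to server:53 over UDP and return the decoded header."""
    query = build_query(name)
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.settimeout(timeout)
        sock.sendto(query, (server, 53))
        reply, _ = sock.recvfrom(512)
    if reply[:2] != query[:2]:
        raise ValueError("reply ID does not match the query ID")
    return parse_flags(reply)


# Constructed sample replies (no network needed), both answering query ID 0x1234.
_QUESTION = b"\x07example\x03com\x00\x00\x01\x00\x01"
# Open resolver: QR|RD|RA, NOERROR, one A record (192.0.2.1, TTL 3600).
OPEN_REPLY = (struct.pack("!HHHHHH", 0x1234, QR | RD | RA, 1, 1, 0, 0) + _QUESTION
              + b"\xc0\x0c\x00\x01\x00\x01\x00\x00\x0e\x10\x00\x04\xc0\x00\x02\x01")
# Restricted resolver: QR|RD, RCODE 5 (REFUSED), no answers.
REFUSED_REPLY = struct.pack("!HHHHHH", 0x1234, QR | RD | 5, 1, 0, 0, 0) + _QUESTION

if __name__ == "__main__":
    for label, reply in (("open", OPEN_REPLY), ("refused", REFUSED_REPLY)):
        print(label, parse_flags(reply), "recursion open:", recursion_open(reply))
```

Call `probe("203.0.113.1")` (a placeholder address) against your own server from a client that should not be allowed recursion; a reply with RA set, RCODE NOERROR and an answer for a name you are not authoritative for means recursion is open to that client, while a correctly restricted server answers REFUSED or clears RA. The same check with `dig` is to query the server and look for the `ra` flag in the reply header.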

You can read more of the article at net-security.org


Detect hosts with enabled NAT to use internet for free in your network

Friday, October 9, 2009

I came across this utility, NATProbe; the tool sends ICMP packets out to the LAN and detects all the hosts that allow NAT. With this tool you can find bugs in your corporate network or even find hosts that allow outgoing internet connections.

This reminds me of one of my penetration testing assignments where we found a Squid-based proxy server. It was fully patched and very well maintained, but somehow I felt I should see if I could set it as the gateway for my host and access the internet. As soon as the network card was up with the new gateway settings, the internet worked without a problem and was much faster. We downloaded an OpenSuSE Live CD ISO file, and the full 700MB was downloaded in under 13 minutes, so we surely had full access to the internet without any bandwidth caps or logging. If we tried to use the proxy server in the browser we were asked to authenticate against the Active Directory server, but when we used it as a gateway it worked perfectly fine. Later we came to know that NAT was enabled during the installation! What a disaster that was by the admin.

If I had to scan all the IPs on the network for NAT-enabled hosts it would have taken some time, but with NATProbe you just start the tool and wait for results. This tool has surely made life easy for penetration testers, as well as for admins who would like to know whether an employee has enabled NAT for quick p2p or internet sharing.

This tool is hosted at Google Code


Best Practices Document for End to End Encryption by VISA

Wednesday, October 7, 2009

Visa has announced new global best practices for data field encryption, also known as end-to-end encryption, a much-discussed solution in the wake of the Heartland Payment Systems breach.
These best practices are designed to further the payment industry's efforts to develop a common, open standard while providing guidance to encryption vendors and early adopters. Data field encryption protects card information from the swipe to the acquirer processor, with no need for the merchant to process or transmit card data in the clear.

Visa's best practices are designed to help organizations:

  • Limit cleartext availability of cardholder data and sensitive authentication data to the point of encryption and the point of decryption;
  • Use robust key management solutions consistent with international and/or regional standards;
  • Use key-lengths and cryptographic algorithms consistent with international and/or regional standards;
  • Protect devices used to perform cryptographic operations against physical/logical compromises;
  • Use an alternate account or transaction identifier for business processes that require the primary account number after authorization, such as processing of recurring payments, customer loyalty programs or fraud management.

It's important to note that sensitive authentication data such as the full contents of the magnetic stripe, CVV2 and PIN/PIN block should not be used for any purpose other than payment authorization and may not be stored after authorization, even if encrypted.

While data field encryption applies after the card is swiped and throughout the merchant's environment, encryption between acquirer processors and Visa would further reduce the value of card data to criminals. You can read the Best Practices document from Visa.


Latest email phishing scam and the pattern of users passwords

A list of 10,000 users from a phishing scam was posted online on the pastebin.com website. Initially it was thought that only Microsoft's Hotmail was compromised, but later more details emerged and the results are more shocking: there was a lot more than Hotmail accounts. The compromised accounts in the second list were from various email providers including Yahoo, Gmail, Comcast and AOL.
One thing is sure: both leaked lists were not just a small kiddie trick; it looks like an organized phishing scam against the major email providers. Whatever it was, the fault lies with the users: they use easy-to-guess passwords and don't pay attention to where they are entering their data and on what websites.

Some of the trends Acunetix drew from the leaked email lists are interesting.

The top 20 most common passwords from the list (password - number of occurrences)

1. 123456 - 64
2. 123456789 - 18
3. alejandra - 11
4. 111111 - 10
5. alberto - 9
6. tequiero - 9
7. alejandro - 9
8. 12345678 - 9
9. 1234567 - 8
10. estrella - 7
11. iloveyou - 7
12. daniel - 7
13. 000000 - 7
14. roberto - 7
15. 654321 - 6
16. bonita - 6
17. sebastian - 6
18. beatriz - 6
19. mariposa - 5
20. america - 5


Password length distribution (length – number of passwords – share of the list)
1 chars – 2 – 0%
2 chars – 4 – 0%
3 chars – 4 – 0%
4 chars – 31 – 0%
5 chars – 49 – 1%
6 chars – 1946 – 22%
7 chars – 1254 – 14%
8 chars – 1838 – 21%
9 chars – 1091 – 12%
10 chars – 772 – 9%
11 chars – 527 – 6%
12 chars – 431 – 5%
13 chars – 290 – 3%
14 chars – 219 – 2%
15 chars – 157 – 2%
16 chars – 190 – 2%
17 chars – 56 – 1%
18 chars – 17 – 0%
19 chars – 7 – 0%
20 chars – 14 – 0%


The pattern does tell us that Alejandro/Alejandra (the Spanish form of Alexander) is one of the most popular passwords among Spanish speakers.
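The two tables above are the output of a very simple analysis: count the values, bucket them by length, and see what fraction of a real user base would survive a minimal password policy. The Python below is an added example, not code from the original post or from Acunetix, that produces the same kind of tables from a list of plaintext passwords and additionally breaks them down by character composition and flags the entries a deny list plus a minimum length would have rejected. `SAMPLE_PASSWORDS` and `COMMON_PASSWORDS` are constructed for illustration (the deny list is seeded from the post's own top-20) and are not data from the leak.

```python
"""Summarise a leaked password list the way the post's tables do.

Added example, not code from the original post or from Acunetix. Given a list
of plaintext passwords it produces the top-N values, a length histogram with
counts and percentages, a composition breakdown, and the entries a minimal
policy would have rejected. SAMPLE_PASSWORDS is constructed, not leak data.
"""
from collections import Counter

# Constructed sample (20 entries) echoing the post's top-20 style, plus a few
# stronger values so the weak-password filter has something to let through.
SAMPLE_PASSWORDS = [
    "123456", "123456789", "alejandra", "111111", "123456", "alberto",
    "tequiero", "alejandro", "12345678", "123456", "iloveyou", "daniel",
    "000000", "Tr0ub4dor&3", "correct horse battery staple", "123456789",
    "mariposa", "x7!Qm#2pL9", "123456", "bonita",
]

# Deny list seeded from the post's own top-20 (constructed subset).
COMMON_PASSWORDS = {"123456", "123456789", "111111", "12345678", "1234567",
                    "iloveyou", "000000", "654321"}


def top_passwords(passwords, n=20):
    """Most common values with counts, most frequent first."""
    return Counter(passwords).most_common(n)


def length_distribution(passwords):
    """[(length, count, percent_of_total)] for every length seen, ascending."""
    total = len(passwords)
    counts = Counter(len(p) for p in passwords)
    return [(length, c, round(100 * c / total)) for length, c in sorted(counts.items())]


def composition(password):
    """Coarse character-class label: digits-only, letters-only or mixed."""
    if password.isdigit():
        return "digits"
    if password.isalpha():
        return "letters"
    return "mixed"


def composition_distribution(passwords):
    """Number of passwords in each composition class."""
    return dict(Counter(composition(p) for p in passwords))


def weak_passwords(passwords, min_length=8, deny_list=COMMON_PASSWORDS):
    """Entries a minimal policy would reject, with the reason for each."""
    findings = []
    for pw in passwords:
        if pw in deny_list:
            findings.append((pw, "on common-password deny list"))
        elif len(pw) < min_length:
            findings.append((pw, f"shorter than {min_length} characters"))
    return findings


if __name__ == "__main__":
    print("top:", top_passwords(SAMPLE_PASSWORDS, 5))
    for length, count, pct in length_distribution(SAMPLE_PASSWORDS):
        print(f"{length} chars - {count} - {pct}%")
    print("composition:", composition_distribution(SAMPLE_PASSWORDS))
    print(f"{len(weak_passwords(SAMPLE_PASSWORDS))} of {len(SAMPLE_PASSWORDS)} rejected")
```

On the constructed sample, 13 of the 20 entries fail the deny list or the 8-character minimum, which is the practical lesson of the post: a deny list built from exactly this kind of leaked top-N, checked at password-change time, removes the bulk of the guessable values before an attacker ever tries them. Run the same functions over your own exported password-audit results (never over plaintext you keep around) to see the distribution for your user base.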


Top reasons why IT Projects Fail and how to save your project

Tuesday, October 6, 2009

There are many reasons why IT projects fail, be it an IT consulting project or an IT implementation project. The most important reason projects get screwed up is first People and then Technology.

You need the right people, the right skill set and people with a good mindframe. The second factor is Technology: decide on a technology by looking at the requirements and how efficient the application will be; using Linux or Windows should not be a problem. The end result should be getting the most out of the technology, reducing cost and making the project easily extensible if the client wants to make changes or add features at a later date (this happens most of the time). All people should work in the same direction, that is, use the agreed-upon technology. For example, on a web app project the Perl guy says do it in Perl, the PHP guy says do it in PHP and the manager says Java. Seriously, I have seen people do all this bullshit. For a successful project, People and Technology should work in tandem with each other, or else the project is screwed.

I came across a blog about project management, and one post I liked was about project failures. I am posting the points below; there are six of them. The top failures, according to me, out of the six reasons below are 3, 4 and 6:

  1. Intent Failure - Occurs when the project doesn’t bring enough added value or capability to beat down the obstacles inherent throughout the process. This suggests the original intent of the project was flawed from the beginning.
  2. Sponsor Failure - Occurs when the person heading up the project is not actively engaged and/or does not have the authority to make decisions critical to project success.
  3. Design and Definition/Scope Failure - Occurs when the scope is not clearly defined, so the project team is unclear on deliverables.
  4. Communications Failure - Occurs when communications are infrequent or honest discussion of project problems and issues are avoided.
  5. Project Discipline Failure - Occurs when process/project methodology is allowed to lapse so that the mitigation factors inherent in the process are never used.
  6. Supplier/Vendor Failure - Occurs when the structure of supplier /vendor relationships doesn’t allow for communication and adjustments.

So friends, let's keep these things in mind when starting a project and avoid the potential traps.


Speed up your Internet Explorer aka IE8 to load webpages faster

If you have a fast internet connection and Internet Explorer still loads pages slowly, this page shows how to speed it up and make the most of your connection.

By default IE limits itself to 2 connections per server, which is quite slow; since the release of IE8 Microsoft has raised the maximum to 6. If you want even more parallel connections you can change the Max Connection settings in the Windows registry.

The following steps create more connections to each server, which in turn normally loads pages faster. Beware that some hosts still don't allow more than 2-3 connections per IP/session; on those sites pages will still load slowly, but you should see a difference on most websites.

The following entries are to be added to your Windows registry.


  1. Open Registry Editor by typing REGEDIT into the Run dialog in the start menu
  2. Browse to HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings.
  3. Right click and create a new DWORD key and name it "MaxConnectionsPer1_0Server"
  4. Double click the key to set a value. The number 12 should be good.
  5. Right click and create another new DWORD key and name it "MaxConnectionsPerServer"
  6. Double click on the key and set the value. The number 12 should be good.
  7. Close the Registry Editor
  8. Restart IE; in fact, restarting the computer is still a good idea.

FYI, I even tried 32 and 64, but that does not make things blazing fast; I think a maximum of 12-16 connections should work just fine for you.

Another tip: you can use an Adblock tool for Internet Explorer to block unwanted GIFs, Flash and ads to speed up your browsing. Adblock add-ons are now available for Firefox, IE and Safari. The filthy JavaScript ads really do slow down your browser, so you might consider blocking them; but by blocking ads you are no longer contributing to the websites you love by clicking the ads on their pages. Think about it. ;)


Are IT Security Certifications a Hassle for IT Folks?

Thursday, October 1, 2009

With the rise in publicity of data breaches, companies are looking at security more seriously than ever, which means they're looking to hire qualified and, often, certified IT security pros. A recent report from Gartner Research Inc. entitled, "How to Choose the Right Professional Information Security Certification," examines which IT security certifications are most common and valuable in today's job market, as well as how much attention should be paid to security certifications by prospective employers. In this interview, Carsten Casper, research director at Gartner Research and holder of the CISSP and CISA certifications, explains what makes one security certification more valuable than another and how to know when it's worth the financial investment to get certified.

What are the key takeaways from the research?
Carsten Casper: The two major issues are that, on the one hand, we still need security as a profession, and all these certifications provide additional benefit, but [they don't necessarily contribute to] a security profession as such. Some of the [certification] schemes think they have reached market saturation in their target group, which I believe they haven't. That led them to conclude that they need to create, they need to diversify and they need to come up with variations of existing schemes. That's not necessary because the certifications we have out there are sufficient for the needs of today. There is enough variety and there are some that are widely accepted. And the tendency to create more schemes seems to address the money rather than the end value [to those being certified].

What are the most important certifications in information security today?
Casper: There are basically two groups of certifications. There are hundreds of certifications that few know about that are [aimed towards] very specific environments, countries, topics and target groups. And then there are a few major ones that are so widely known: CISSP, CISA as the certifications themselves and GIAC, as the group of more technological certifications. I think that's pretty clear. And I almost don't want to say that because it leaves so little room for all the other certification schemes that I believe also have a good reason for existence. They fill very specific market needs. The problem is, if you want to differentiate yourself and stand out from the masses, then these are probably not the right ones, even though they are the most widely known. But then what else do you choose? That depends on the specific needs that you have. It's hard to say.

If a security professional is looking to move into a new or different security role, would you suggest he or she pursue certifications in that niche first to have better chances of obtaining a job? Or has a certification become less significant in that regard?
Casper: If you come from a business background or from a very different technology background and you want to get into information security, getting one of these standard certifications doesn't really help you. You need the experience; you need the information security background. If you have worked in IT security and if you have been a penetration tester for a number of years and you want to [expand your knowledge base beyond your niche] then CISSP or CISA might be a good approach. It shows that you broadened your horizons; that you've stepped up a level and you can deal with other areas of information security as well. If you've worked in the information security field for a number of years, maybe even as a Chief Information Security Officer, and you're moving into a role of IT risk management, then this security connotation can actually be a hindrance. You may want to try to get an MBA. I think earning a certification is good to prove what you know already; it's not so good if you need to change your area; it's not so good if you want to get into that other area, because after all it's a stamp, it's a piece of paper that you put on the wall. There [are] courses attached to it, yes. You attend some classes online or on-site, but it's not a university degree; it's not an MBA; it's not deep and thorough training. It's just a stamp.

How much is the burden on employees to "sell" their certifications to potential employers, i.e. tell them what the certification means?
Casper: One hundred percent. If you don't have one of the major [certificates], you need to tell your employer or your future employer the significance of your niche certification, because it's just a big acronym soup. And even if you spell it out, nobody would know the breadth and depth of that certification. You really need to explain it from A to Z.

Is there any specific way infosec pros should explain it? Do you think attaching a written synopsis of the certification with the resume, or even explaining it in the interview would be a good idea?
Casper: Tell [your current or prospective employer] in which area this certification is used: in which industry, in which country, in which topic area. Explain who the issuing organization is (is it a non-profit or a government entity?) and how many certificates have been issued of this type. Is [the certification] ISO 17024 accredited? Then explain how you got that certification: Was it an exam? Was it a lab? Did you have to show some recommendation letters or some practical experience? You really have to have your facts right and do a little bit of marketing for that specific [certification] scheme if you want to convince your employer of its value.

What should a security employee take into account when trying to decide whether a certification is worth the financial investment?
Casper: I think it's always worth it. The question is: Which scheme do you choose? If you have nothing, I think it's worth it to get something. If you have a degree in computer science and you work in information security, at one point someone will ask: "So, you're a computer scientist, but what do you know about information security?" If you have many certifications then you wouldn't ask yourself that question of whether security certifications are financially worth it. But if you have nothing, I would say, across the board, it makes sense to get some certification.

How much emphasis should enterprises place on a candidate having a particular certificate when searching for a new security staff member?
Casper: It depends on the role. If you are looking for a technical person, such as a firewall administrator, IPS operator, or forensics investigator, then looking for a certificate is a good idea because it helps you to filter the applications. If someone stands out without a certification and otherwise looks interesting, I would still consider that person. If you're looking for a managerial role, such as an information security manager or a risk manager, then place less emphasis on the certification, simply because such a person typically doesn't have the time and the need to go through such an extensive evaluation. It's less common in that space even though there are some of these certificates that claim to be managerial, like CISM, but it's much less common. So [if you were judging based on security certification] you would probably filter out good candidates too early. So for technical roles, I would say give it, maybe, 20% of attention, for a managerial role give it maybe 5% of attention. Look at all the other things, look at the technical skills and look at the soft skills.

Link to the article

