Raesene's Ramblings

Looks like the slides are up for most of the OWASP conference presentations over here
A couple that I thought were particularly interesting were
Alex Lucas on the Microsoft SDL which gave some good insight on all the work that Microsoft are putting into improving the security of Vista. I've never been a huge Microsoft fan but they're definately moving in the right direction on the security issue.
Also Brian Chess on static source code review. This one gives some good insight into what static source code analysis can and can't do for a security review. It looks to me like Fortify and Ounce will be moving into the same kind of space that SPI, Cenzic and Watchfire are in for web application testers. No-one thinks you can just run those tools and call it a day, but they're pretty valuable in improving the coverage of the test and catching certain classes of vulnerability, leaving the tester to focus on things like business logic flaws that automated tools can't find.

Windows Server 2008 Features Address Linux Rivalry
Interesting article which talks about the modular nature of Windows server 2008. From the content of this article I think it's fair to say that Microsoft will have addressed the last big architectural problems with their software security that I can think of, once server 2008 is available.
Previous versions of Windows server have had items like Internet Explorer and Windows Media player installed by default with no easy way to remove them, which led to additional patching and security requirements for the operating system and an increased attack surface, even with the lock down on some of the functionality they provided that happened in server 2003.
Now from this article it appears that Windows server 2008 will reduce the attack surface of the OS by allowing it to be much more modular. And for the first time you can have a windows server without a GUI!!
In the past I've always doubted that Microsoft would do this as from a marketing perspective bundling has always been a strong point for them.
When you combine this with the very strong story that Microsoft has on secure development techniques I'd say that the latest generation of their products are likely to be the best in their fields for security...

Top 15 free SQL Injection Scanners - Security-Hacks.com
Interesting looking list of SQL injection scanners although Justin notes here that at least one of them, sqlbrute, isn't really a scanner.
Anyway I'm planning to run some tests on them to see how they handle some basic SQL injection flaws, so it'll be interesting to see how they go.

Well the OWASP conference in Milan was really great. There was a large number of good presentations and lots of interesting chat. Also got to meet quite a few people I only know from their blogs.
First day was the SOA and Web services Security training from Gunnar Peterson. Whilst there was a lot of information to absorb in one day, it was very good and left me with some key things to take away like the importance of using XML Security gateways in enterprise web services, some risks which apply to webservices that are different to those faced by usual web apps. like XDOS and that MQ only provides authorization not authentication !
On the first evening we got free food and drink courtesy of the nice people at Breach Security and I had some interesting chats with Alex Lucas on cool home computing setups amongst others.
The second day was the first of the conference proper ( agenda) . Hopefully all the slide decks will be up and linked from that page fairly soon... There was lots of interesting stuff, probably the most interesting (or perhaps scary) of the day for me was PDP Architects presentation on advanced web hacking (slides from this one are here) . It was a really interesting look at what some of the new services that are available on the 'net like Yahoo Pipes and tinyURL can be used for by malicious parties. Unfortunately the dark angel of demos was around and Yahoo Pipes was down during the presentation but I imagine it'll be up again soon....
Dinner on the second day was the conference one at Ristorante Why Not and again loads of interesting chat was had. I was sat next to Simon Roses Femerling, lead on the Pantera Project and had some interesting chats about what's next for that project. It actually cleared up for me what the goals of the project are. Pantera (at the moment) seems primarily geared at gathering information on the site under analysis rather than automatically handling XSS testing or the like.
Unfortunately I was pretty tired by the end of the meal (they have quite leisurely dining in Italy) and missed the first appearance by the OWASP band! However there's pictures here
Day Three had some more great talks and more stuff that I really should look at when I get the task. There was information on the newly revamped OWASP testing guide which sounds like a really good basis for web testing methodologies now.
There was also a madcap spin through the expanded OWASP project list from Dinis Cruz where we got a flavour for the variety of projects now undertaken by OWASP. One thing that sprang to mind while I was listening to this was that perhaps OWASP need to enforce some kind of naming convention on their projects as at the moment some of the names aren't really very descriptive of what the project does which can lead to some confusion
Day Three ended up with the panel discussing "What is needed to fix web app sec vulnerabilities once and for all?" . The main suggestions surrounded re-vamping the underlying protocols and technologies (eg, HTTP 2.0) to embed security and also encouraging development framework usage so that individual developers find it easier to write secure applications. Ultimately though it seems that the conclusion was that the current crop of web application vulnerabilities will be with us for some time and there are no easy fixes...
All in all a great conference, I'll definitely hope to get back next year. The talks were all pretty good and also there were loads of interesting people to meet and put faces to blogs...

Well that's the blog back online after more than a week, just before I was off to the OWASP Conference (Of which more later), the power supply in my server blew! after some frustration with moving disks and volume groups in Linux I decided to wait until I got back and re-build on a Virtual machine...

I've been having some fun sorting out some cool new tech. for my house. I've been looking for something to replace the large tower box I've got running my file/print & website for a while. Mainly so I can separate them and not be hosting any extneral services on the same machine as I'm hosting internal services.
So I've been looking for small, quiet, cheap Linux boxes to use for a webserver and I came across the Buffalo Linkstation Pro. It only costs 99 pounds in the UK and is designed as a NAS device, however in common with most of these kinds of devices, it's really a small ARM-based computer running Linux. So following a quick trip to the excellent Linkstation wiki some downloading and following of instructions to re-flash the device, I've now got a debian Linux server with 128MB RAM and a 250GB hard drive all for under a hundred quid!!
The other thing I set-up for the first time the other night was tor, mainly to see how easy or difficult it would be. the answer is (on Fedora Core 6 at least) pretty easy, two package installs and a couple of edits to config files and I'm surfing anonymously. It's a bit slow but apart from that seems to do what it says on the tin. Very handy to test source IP address restrictions if you're using them.

TJX finds self at bottom of 300-bank pig pile | The Register
I'm not usually a great fan of the sue someone every time something goes wrong mentality that some people and companies seem to have but this one could actually be good for security...
300 Banks suing TJX for the breach... If they win then I'd expect retailers to start taking security a fair bit more seriously as then there'll be some really serious consequences to losing control of your customers data...

I've always found that there's a fair amount of confusion on what the difference between Information Security and IT Security is.
Whilst I don't know THE difference here's a difference.
IT Security is hard to comprehend but easy to implement, Information Security is easy to comprehend but hard to implement.
If you think about an IT task, say advising on the protection of a new web services link that your company will be sending information over from an IT Security and Information Security perspective the difference in comprehension may become clear.
From an IT Security perspective effectively advising on this requires that you understand how web services function, are aware of the standards in the area (which is complex in itself) understand how XML can be encrypted, what options there are for authentication the transfer and so on. Now once you've comprehended that fully, actually implementing the appropriate protection should be relatively straightforward.
From an Information Security perspective all you really need to know is that web services are a means of transferring data from one party to another, and at that point all you may really care about is "is the information over the link appropriately protected and are participants in the link authenticated and authorised"
So where does the hard to implement bit come in?
Consider a typical Information Security task. Many security standards have a concept that Information in a company should be classified at different levels and then handled differently based on those levels. A typical classification scheme might have 3 or 4 different levels of marking and protection.
In terms of comprehending why you need to do it and even what needs to be done (marking requirements etc.) reasonably straightforward. However implementing this kind of scheme is something that very few corporations have done effectively. The difficulties in training staff, and getting buy-in to what is additional work, from senior management are very tricky to do effectively...

Information Security Sell Out: White Hats & Application Security
Interesting post on the Information Security Sell out blog which comments on story from CNet here and a post over a StillSecure here
I'm mainly with the sellout guy. Whilst it's a shame that we lose an aspect of bug finding, there's no way for a company who see malicious traffic to tell what the intent of the person generating it is and the defence of "I was researching their web site security your honour" doesn't and shouldn't work.
All that said there is a problem and here it is. with the current climate if I find a security vulnerability in a site through legitimate traffic I probably won't report it because I don't want to deal with the possibility that the site owner will take it the wrong way and accuse me of hacking.
Here's an example. I clicked on a link to a site from a forum I hang out on, took me to the site.... LOGGED-IN as the user who'd posted the link, with the ability to view and update his profile on the site!
The site had made the very stupid mistake of putting the session identifier in the URL (D'oh). So completely legitimate traffic, security problem identified. But if I report it, they could easily scream "hacker" and I'd have a world of hassle to deal with which I don't need. so I quietly told the forum poster, he removed the link and I went on my way..
So there is a fine line here. Find a problem through legitimate traffic fine... Think "ooh a problem, what happens if I try ' OR 1=1;-- " not so fine.
What might be good would be a mechanism for people to report suspected problems to a central point anonymously that could then notify site owners...

<a title="Oracle Database Listener Security Guide Oracle Database Listener Security Guide < Eddie Awad’s Blog
There's a link to a good solid Oracle Listener security guide over at Eddie Awad's blog.
The link to the doc. itself is here .
The doc. does a good job of covering off what is a reasonably poorly understood area of Oracle security, well worth a read if it's an area you're involved in, or at least worth forwarding to your DBA's as I'd be willing to bet that many of them aren't aware of how insecure the listener is by default...