List of SQL Injection scanners

Top 15 free SQL Injection Scanners - Security-Hacks.com
Interesting looking list of SQL injection scanners although Justin notes here that at least one of them, sqlbrute, isn't really a scanner.
Anyway, I'm planning to run some tests on them to see how they handle some basic SQL injection flaws, so it'll be interesting to see how they go.

OWASP Conference Milan

Well the OWASP conference in Milan was really great. There was a large number of good presentations and lots of interesting chat. Also got to meet quite a few people I only know from their blogs.
First day was the SOA and Web Services Security training from Gunnar Peterson. Whilst there was a lot of information to absorb in one day, it was very good and left me with some key things to take away, like the importance of using XML security gateways in enterprise web services, some risks which apply to web services that are different to those faced by usual web apps, like XDoS, and that MQ only provides authorization, not authentication!
On the first evening we got free food and drink courtesy of the nice people at Breach Security and I had some interesting chats with Alex Lucas on cool home computing setups amongst others.
The second day was the first of the conference proper (agenda). Hopefully all the slide decks will be up and linked from that page fairly soon... There was lots of interesting stuff; probably the most interesting (or perhaps scary) of the day for me was PDP Architect's presentation on advanced web hacking (slides from this one are here). It was a really interesting look at what some of the new services that are available on the 'net, like Yahoo Pipes and TinyURL, can be used for by malicious parties. Unfortunately the dark angel of demos was around and Yahoo Pipes was down during the presentation, but I imagine it'll be up again soon...
Dinner on the second day was the conference one at Ristorante Why Not and again loads of interesting chat was had. I was sat next to Simon Roses Femerling, lead on the Pantera Project and had some interesting chats about what's next for that project. It actually cleared up for me what the goals of the project are. Pantera (at the moment) seems primarily geared at gathering information on the site under analysis rather than automatically handling XSS testing or the like.
Unfortunately I was pretty tired by the end of the meal (they have quite leisurely dining in Italy) and missed the first appearance by the OWASP band! However, there are pictures here.
Day Three had some more great talks and more stuff that I really should look at when I get the time. There was information on the newly revamped OWASP Testing Guide, which sounds like a really good basis for web testing methodologies now.
There was also a madcap spin through the expanded OWASP project list from Dinis Cruz, where we got a flavour of the variety of projects now undertaken by OWASP. One thing that sprang to mind while I was listening to this was that perhaps OWASP need to enforce some kind of naming convention on their projects, as at the moment some of the names aren't really very descriptive of what the project does, which can lead to some confusion.
Day Three ended with the panel discussing "What is needed to fix web app sec vulnerabilities once and for all?". The main suggestions surrounded revamping the underlying protocols and technologies (e.g., HTTP 2.0) to embed security, and also encouraging development framework usage so that individual developers find it easier to write secure applications. Ultimately, though, it seems that the conclusion was that the current crop of web application vulnerabilities will be with us for some time and there are no easy fixes...
All in all a great conference; I'll definitely hope to get back next year. The talks were all pretty good, and there were also loads of interesting people to meet and put faces to blogs...

Back... in more than one sense of the word

Well, that's the blog back online after more than a week. Just before I was off to the OWASP Conference (of which more later), the power supply in my server blew! After some frustration with moving disks and volume groups in Linux, I decided to wait until I got back and rebuild on a virtual machine...

Some cool new tech things I've been playing with

I've been having some fun sorting out some cool new tech for my house. I've been looking for something to replace the large tower box I've got running my file/print and web site for a while, mainly so I can separate them and not be hosting any external services on the same machine as I'm hosting internal services.
So I've been looking for small, quiet, cheap Linux boxes to use for a web server, and I came across the Buffalo LinkStation Pro. It only costs 99 pounds in the UK and is designed as a NAS device; however, in common with most of these kinds of devices, it's really a small ARM-based computer running Linux. So, following a quick trip to the excellent LinkStation wiki, some downloading and following of instructions to re-flash the device, I've now got a Debian Linux server with 128MB RAM and a 250GB hard drive, all for under a hundred quid!
The other thing I set up for the first time the other night was Tor, mainly to see how easy or difficult it would be. The answer is (on Fedora Core 6 at least) pretty easy: two package installs and a couple of edits to config files and I'm surfing anonymously. It's a bit slow, but apart from that it seems to do what it says on the tin. Very handy for testing source IP address restrictions if you're using them.

Being overly litigious, good for security?

TJX finds self at bottom of 300-bank pig pile | The Register
I'm not usually a great fan of the sue-someone-every-time-something-goes-wrong mentality that some people and companies seem to have, but this one could actually be good for security...
300 banks suing TJX for the breach... If they win, then I'd expect retailers to start taking security a fair bit more seriously, as then there'll be some really serious consequences to losing control of your customers' data...

A Difference between IT and Information Security

I've always found that there's a fair amount of confusion on what the difference between Information Security and IT Security is.
Whilst I don't know THE difference, here's a difference.
IT Security is hard to comprehend but easy to implement, Information Security is easy to comprehend but hard to implement.
If you think about an IT task, say advising on the protection of a new web services link that your company will be sending information over, from an IT Security and an Information Security perspective, the difference in comprehension may become clear.
From an IT Security perspective, effectively advising on this requires that you understand how web services function, are aware of the standards in the area (which is complex in itself), understand how XML can be encrypted, what options there are for authenticating the transfer, and so on. Now, once you've comprehended that fully, actually implementing the appropriate protection should be relatively straightforward.
From an Information Security perspective, all you really need to know is that web services are a means of transferring data from one party to another, and at that point all you may really care about is "is the information over the link appropriately protected, and are participants in the link authenticated and authorised?"
So where does the hard to implement bit come in?
Consider a typical Information Security task. Many security standards have a concept that Information in a company should be classified at different levels and then handled differently based on those levels. A typical classification scheme might have 3 or 4 different levels of marking and protection.
In terms of comprehending why you need to do it, and even what needs to be done (marking requirements etc.), it's reasonably straightforward. However, implementing this kind of scheme is something that very few corporations have done effectively. The difficulties in training staff, and in getting buy-in from senior management to what is additional work, are very tricky to overcome...

White-Hats and Hacks

Information Security Sell Out: White Hats & Application Security
Interesting post on the Information Security Sell Out blog, which comments on a story from CNet here and a post over at StillSecure here.
I'm mainly with the Sell Out guy. Whilst it's a shame that we lose an aspect of bug finding, there's no way for a company who sees malicious traffic to tell what the intent of the person generating it is, and the defence of "I was researching their web site security, your honour" doesn't and shouldn't work.
All that said, there is a problem, and here it is: with the current climate, if I find a security vulnerability in a site through legitimate traffic I probably won't report it, because I don't want to deal with the possibility that the site owner will take it the wrong way and accuse me of hacking.
Here's an example. I clicked on a link to a site from a forum I hang out on, and it took me to the site... LOGGED IN as the user who'd posted the link, with the ability to view and update his profile on the site!
The site had made the very stupid mistake of putting the session identifier in the URL (D'oh). So: completely legitimate traffic, security problem identified. But if I reported it, they could easily scream "hacker" and I'd have a world of hassle to deal with which I don't need. So I quietly told the forum poster, he removed the link and I went on my way.
So there is a fine line here. Find a problem through legitimate traffic: fine... Think "ooh, a problem, what happens if I try ' OR 1=1;-- ": not so fine.
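The session-in-the-URL mistake above is easy to spot from the site owner's side, because the token shows up in the access log and, in the forum case, arrives with an off-site Referer. The following is an added example (not code from the original post) that scans constructed combined-format log lines for exactly that; the parameter names, the log lines and the `own_host` value are assumptions.

```python
import re
from urllib.parse import parse_qsl, urlsplit

# Query-parameter names that commonly carry a session token (assumed list; extend for your app).
SESSION_PARAMS = {"sessionid", "session_id", "sid", "phpsessid", "token"}

# Apache/nginx "combined" log format; the constructed sample lines below follow it.
LOG_RE = re.compile(
    r'^(?P<client>\S+) \S+ \S+ \[[^\]]+\] "(?P<method>[A-Z]+) (?P<path>\S+) [^"]+" '
    r'(?P<status>\d{3}) \S+ "(?P<referer>[^"]*)" "[^"]*"$'
)

def session_params_in_url(url):
    """Return (name, value) pairs in the URL that look like a session identifier."""
    parts = urlsplit(url)
    found = [(k, v) for k, v in parse_qsl(parts.query, keep_blank_values=True)
             if k.lower() in SESSION_PARAMS]
    # Servlet-style ";jsessionid=..." rides in the path segment, not the query string.
    m = re.search(r";jsessionid=([^;?/]+)", parts.path, re.IGNORECASE)
    if m:
        found.append(("jsessionid", m.group(1)))
    return found

def scan_log(lines, own_host="www.example.com"):
    """Flag requests whose URL carries a session token. One arriving with an off-site
    Referer is the forum-link case: the token was pasted into a page we don't control,
    so whoever follows that link inherits the session."""
    findings = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # not a combined-format line; skip rather than guess
        tokens = session_params_in_url(m.group("path"))
        if not tokens:
            continue
        ref_host = urlsplit(m.group("referer")).hostname  # None when Referer is "-"
        external = ref_host is not None and ref_host != own_host
        for name, value in tokens:
            findings.append({"client": m.group("client"), "path": urlsplit(m.group("path")).path,
                             "param": name, "token_prefix": value[:4],  # never log the full token
                             "via_external_referer": external})
    return findings

# Constructed sample log lines (not real traffic).
SAMPLE_LOG = [
    '10.0.0.5 - - [10/Jun/2007:12:00:01 +0100] "GET /profile/edit?sid=a1b2c3d4e5f6 HTTP/1.1" 200 1532 "http://forum.example.net/thread/42" "Mozilla/5.0"',
    '10.0.0.6 - - [10/Jun/2007:12:00:07 +0100] "GET /profile/view?user=bob HTTP/1.1" 200 812 "http://www.example.com/home" "Mozilla/5.0"',
    '10.0.0.7 - - [10/Jun/2007:12:00:09 +0100] "GET /account;jsessionid=9F8E7D6C HTTP/1.1" 200 2210 "-" "Mozilla/5.0"',
]

if __name__ == "__main__":
    for finding in scan_log(SAMPLE_LOG):
        print(finding)
```

The cure is to carry the session in a cookie flagged HttpOnly and Secure, so the token never lands in links, Referer headers or logs; the scanner then serves as a regression check that no handler has reintroduced a URL-borne token.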
What might be good would be a mechanism for people to report suspected problems to a central point anonymously that could then notify site owners...

Oracle Listener Security Guide

Oracle Database Listener Security Guide < Eddie Awad's Blog
There's a link to a good solid Oracle Listener security guide over at Eddie Awad's blog.
The link to the document itself is here.
The document does a good job of covering what is a reasonably poorly understood area of Oracle security. Well worth a read if it's an area you're involved in, or at least worth forwarding to your DBAs, as I'd be willing to bet that many of them aren't aware of how insecure the listener is by default...

When Free Software is a bad idea

I've been looking at Oracle database security recently and one of the things I've come across has really surprised me.
Oracle release a free (as in beer) version of their database product, Oracle 10g XE.
To quote their product page:
...Oracle Database XE is a great starter database for:
* Developers working on PHP, Java, .NET, XML, and Open Source applications
* DBAs who need a free, starter database for training and deployment
* Independent Software Vendors (ISVs) and hardware vendors who want a starter database to distribute free of charge
* Educational institutions and students who need a free database for their curriculum

Yeah, apart from one small problem: there are no security patches available for this product!
So if you download and use this product in your open source application as described, you're going to be left with a seriously insecure database, given the number of vulnerabilities in Oracle 10gR2 which have been patched in the main product and not in this one.
Now, according to Pete Finnigan, Oracle are meant to be releasing updated versions of the database with security patches applied, but that doesn't seem to be happening on a regular basis (really it should be quarterly to keep up to date with the main product).
So if you're looking for a database for your new open source app, I'd think very carefully before using this one, free or not!

CREST launches Ethical Hacker Certification

Ethical hackers face new test - 22 Mar 2007 - Computing.co.uk
Article covering the launch of CREST, a UK-based scheme to certify ethical hackers, and comparing it to the current CHECK scheme run by the UK government.
I think that a system like this is definitely a good idea, although it needs to go further than the CHECK scheme did in certain areas.
Personally, I don't think that the CHECK system was especially relevant to non-government organisations, apart from giving that comfort factor around trustworthiness (although even that had little practical effect, as most clients would want contracts/NDAs signed regardless).
Where I'd hope CREST will develop is to provide more specialism in what the individual is certified for. For example, someone who's a great web application tester would be certified specifically for web application testing and wouldn't necessarily be certified for database security testing or firewall security testing. This would give clients a much better level of assurance that the people doing the work have a good level of knowledge in that specific area.